Strict-Transport-Security

HSTS Checker — HTTP Strict Transport Security

Verify your HTTP Strict Transport Security (HSTS) configuration. This tool checks the max-age value, includeSubDomains coverage, and preload eligibility — and tells you exactly how to fix any weakness found.

Free to use · No registration required · No scan history stored · Browser-first analysis · PDF report export · Copy-paste fixes

What is Strict-Transport-Security?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that tells browsers to only access a website via HTTPS, never HTTP. Once a browser receives an HSTS header, it will automatically upgrade all future requests to that domain to HTTPS — even if the user types "http://" or clicks an HTTP link. This prevents SSL stripping attacks, which silently downgrade HTTPS connections to unencrypted HTTP.

Why It Matters

SSL stripping is a well-established attack technique in which an attacker intercepts the initial plaintext HTTP request before the server can redirect it to HTTPS. Without HSTS, even a correctly configured HTTPS site is vulnerable to this attack on the first visit. HSTS also enables submission to the HSTS preload list — a hardcoded list in browsers that ensures your domain is always accessed via HTTPS, even on the very first visit.

Common Configuration Mistakes

  • Setting max-age too low (below 180 days / 15,552,000 seconds)
  • Not including includeSubDomains — leaving subdomains unprotected
  • Not adding the preload directive before submitting to the HSTS preload list
  • Setting HSTS on HTTP responses (only valid on HTTPS responses)
  • Removing HSTS without reducing max-age first and waiting for expiry
  • Using HSTS on sites that are not ready for full HTTPS — this can lock users out

Recommended Configuration

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
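To show what a checker has to do with that header, here is an added example (not the tool's own code) that parses a Strict-Transport-Security value the way a browser does (RFC 6797: directives separated by semicolons, names case-insensitive, unknown directives ignored, duplicated or missing max-age makes the header invalid) and then applies the thresholds from the list above: max-age below 180 days, missing includeSubDomains, preload without the eligibility requirements, and the header being sent on a plain-HTTP response. The sample headers at the bottom are constructed for the demonstration.

```python
"""Minimal HSTS header checker (added example, not the scanner's own code)."""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_RECOMMENDED_MAX_AGE = 15_552_000   # 180 days, threshold used by this page
PRELOAD_MIN_MAX_AGE = 31_536_000       # 1 year, required by hstspreload.org


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        """All three hstspreload.org header requirements satisfied."""
        return (self.max_age is not None and self.max_age >= PRELOAD_MIN_MAX_AGE
                and self.include_subdomains and self.preload)


def parse_hsts(value: str) -> HstsResult:
    """Parse the directive list; syntax problems that make browsers ignore the header are recorded."""
    r = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')          # max-age may be a quoted-string
        if name in seen:
            r.findings.append(f"duplicate directive '{name}' - browsers treat the header as invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                r.findings.append("max-age is not a non-negative integer - header is invalid")
            else:
                r.max_age = int(val)
        elif name == "includesubdomains":
            r.include_subdomains = True
        elif name == "preload":
            r.preload = True
        # any other directive is ignored, as browsers do
    if r.max_age is None:
        r.findings.append("max-age directive missing - header is invalid and ignored")
    return r


def check_hsts(headers: dict, scheme: str = "https") -> HstsResult:
    """Evaluate a response's headers (dict) and URL scheme against the recommendations above."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsResult(present=False, findings=["no Strict-Transport-Security header"])
    r = parse_hsts(value)
    if scheme.lower() != "https":
        r.findings.append("HSTS sent on an HTTP response - browsers ignore it; send it only over HTTPS")
    if r.max_age is not None:
        if r.max_age == 0:
            r.findings.append("max-age=0 - this retires the policy; use only when deliberately removing HSTS")
        elif r.max_age < MIN_RECOMMENDED_MAX_AGE:
            r.findings.append(f"max-age {r.max_age} is below 180 days ({MIN_RECOMMENDED_MAX_AGE} seconds)")
    if not r.include_subdomains:
        r.findings.append("includeSubDomains missing - subdomains stay unprotected")
    if r.preload and not r.preload_eligible:
        r.findings.append("preload set but requirements not met (max-age >= 31536000 and includeSubDomains)")
    return r


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
        ("https", {"Strict-Transport-Security": "max-age=86400"}),
        ("http", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
        ("https", {}),
    ]
    for scheme, hdrs in samples:
        res = check_hsts(hdrs, scheme)
        status = "preload-eligible" if res.preload_eligible else "not preload-eligible"
        print(f"{scheme}: {hdrs.get('Strict-Transport-Security', '<none>')!r} -> {status}")
        for f in res.findings:
            print("   -", f)
```

The recommended header above produces no findings and is preload-eligible; a bare max-age=86400 is flagged for both the short lifetime and the missing includeSubDomains, and the same strong header served over http is flagged because browsers discard HSTS received on a non-TLS response.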

Frequently Asked Questions

What is the HSTS preload list?

The HSTS preload list is a list of domains hardcoded into browsers (Chrome, Firefox, Safari, Edge) that are always accessed via HTTPS — even on the very first visit. To be included, your HSTS header must have a max-age of at least 31,536,000 seconds, include includeSubDomains, and include preload. Submit at hstspreload.org.

Can HSTS lock me out of my own site?

Yes, if you add HSTS and then remove HTTPS. Browsers will refuse to connect via HTTP for the duration of max-age. Before removing HTTPS or changing certificates, reduce max-age to 0 and wait for it to expire from all user caches.

Does HSTS protect against all MitM attacks?

HSTS protects against SSL stripping and protocol downgrade attacks. It does not protect against: certificate authority compromise, HTTPS-level MitM with a trusted certificate, or attacks that exploit HTTPS vulnerabilities directly.

What max-age should I use for HSTS?

For most production sites: 31,536,000 seconds (1 year). This is the minimum required for HSTS preload list submission. Start with a shorter value (86400 = 1 day) for testing, then increase once you're confident HTTPS works correctly.

Need Professional Web Application Security Testing?

This scanner checks visible headers. VAPT Experts provides professional web application penetration testing, API security testing, and compliance-ready security reports.
