What is HSTS?

HTTP Strict Transport Security (HSTS) is a response header that instructs browsers to connect to a domain only over HTTPS. Once a browser has received an HSTS header (it must arrive over HTTPS; browsers ignore the header on plain HTTP responses), it automatically upgrades every HTTP request to that domain to HTTPS for the number of seconds given by max-age, even if the user types http:// or follows an HTTP link.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age=31536000 - enforce the policy for one year (31,536,000 seconds)
  • includeSubDomains - apply the policy to all subdomains as well
  • preload - mark the domain as eligible for the browser preload list (the directive alone changes nothing until the domain is submitted and accepted)

HSTS preloading

HSTS preloading adds your domain to a list built into browsers (Chrome, Firefox, Safari, Edge), so HTTPS is enforced from the very first visit rather than only after the header has been seen once. Submit at hstspreload.org after confirming that all subdomains support HTTPS. Removal can take months to reach shipped browsers, so preload only once you are committed to serving every subdomain over HTTPS.

SurfaceLoop checks HSTS headers across all your domains and flags missing headers, short max-age values, and domains eligible for preloading.
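The checks described on this page, as an added Python example (not SurfaceLoop's own code): it parses a Strict-Transport-Security value per RFC 6797 and flags a missing header, a malformed one, a short or zero max-age, a missing includeSubDomains, and preload eligibility (max-age of at least one year plus includeSubDomains, which is what hstspreload.org requires). The domain names and header values are constructed sample data so it runs offline.

```python
ONE_YEAR = 31536000  # seconds; preload-list submission requires at least this

def parse_hsts(value):
    """Parse an HSTS value (RFC 6797): ';'-separated, case-insensitive directive names."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None  # malformed max-age: browsers discard the whole header
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is mandatory

def check_hsts(header, min_age=ONE_YEAR):
    """Return findings for one domain; header=None means no HSTS header was sent."""
    if header is None:
        return ["missing: no Strict-Transport-Security header"]
    p = parse_hsts(header)
    if p is None:
        return ["invalid: malformed or missing max-age, browsers ignore it"]
    findings = []
    if p["max_age"] == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif p["max_age"] < min_age:
        findings.append(f"short: max-age={p['max_age']} is below {min_age}")
    if not p["include_subdomains"]:
        findings.append("gap: includeSubDomains absent, subdomains are not covered")
    meets_preload = p["max_age"] >= ONE_YEAR and p["include_subdomains"]
    if p["preload"] and not meets_preload:
        findings.append("preload: directive set but policy fails preload requirements")
    elif meets_preload and not p["preload"]:
        findings.append("eligible: meets preload criteria, submit at hstspreload.org")
    return findings

# Constructed sample responses (not real scan data) so the check runs offline.
SAMPLE_HEADERS = {
    "good.example": "max-age=31536000; includeSubDomains; preload",
    "short.example": "max-age=86400",
    "missing.example": None,
    "broken.example": "includeSubDomains; preload",
}

def scan(samples=SAMPLE_HEADERS):
    return {domain: check_hsts(header) for domain, header in samples.items()}
```

In a real deployment the header values would come from HTTPS responses for each host; the header must be collected over HTTPS because browsers disregard it on HTTP.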