HSTS preload eligibility
Build a Strict-Transport-Security header, or paste one you already serve,
and check it against the hstspreload.org
submission rules — max-age ≥ 1 year, includeSubDomains, and
preload — before you submit.
Policy
Paste a Strict-Transport-Security header
Paste the header value or the wholeStrict-Transport-Security: … line.
Parsed and checked entirely in your browser.
Configure a policy to check preload eligibility.
Header requirements checked here
Manual checks need your live site
About HSTS preloading
HSTS tells browsers to only ever reach your site over HTTPS. But the very first visit can still go out over HTTP before the header is seen. The preload list closes that gap by baking your domain into the browser itself — so even the first request is HTTPS. Getting on the list requires a correctly shaped header plus a few live-site guarantees.
The header rules
max-age of at least one year, includeSubDomains, and the
preload token — all on the base domain over HTTPS. This tool checks
exactly these.
The live-site rules
A valid certificate, an HTTP→HTTPS redirect, and every subdomain (including
www) served over HTTPS. These need network access — hstspreload.org
verifies them at submission.
Preload responsibly
Inclusion is sticky and slow to reverse. Only preload a base domain you're committed to keeping HTTPS-only — across every current and future subdomain.