If this tool helped you, you can buy us a coffee ☕
Check your website's HSTS configuration status, analyze security header parameters, and enhance HTTPS strict transport security.
MAC Address Vendor Lookup
Enter a MAC address to instantly identify the device manufacturer and detailed physical address. Perfect for network management and security auditing.
Random MAC Address Generator
Bulk generate random MAC addresses online with uppercase or lowercase formatting. Ideal for network testing and development.
IPv4 / IPv6 Address Converter
A two-way IPv4 and IPv6 address converter for network configuration, debugging, and format validation.
Download Link Converter
Convert HTTP/HTTPS file URLs into dedicated download links for Thunder, FlashGet, and QQ Xuanfeng to use with various download clients.
MAC Address Vendor Lookup
Enter a MAC address to instantly identify the device manufacturer and detailed physical address. Perfect for network management and security auditing.
Random MAC Address Generator
Bulk generate random MAC addresses online with uppercase or lowercase formatting. Ideal for network testing and development.
IPv4 / IPv6 Address Converter
A two-way IPv4 and IPv6 address converter for network configuration, debugging, and format validation.
Download Link Converter
Convert HTTP/HTTPS file URLs into dedicated download links for Thunder, FlashGet, and QQ Xuanfeng to use with various download clients.
Random User Agent Generator
Generate random browser User-Agent strings for developers, QA testers, and web scrapers to simulate various devices and platforms.
When a user visits an HTTPS website without HSTS enabled for the first time, they may still be vulnerable to SSL stripping attacks. This tool helps administrators verify if their HSTS configuration is working correctly by detecting the Strict-Transport-Security field in the HTTP response headers and parsing parameters like max-age, includeSubDomains, and preload. HSTS (HTTP Strict Transport Security) is a web security policy that forces browsers to access a website only via HTTPS connections for a specified period, fundamentally preventing man-in-the-middle (MitM) hijacking and protocol downgrade attacks.
How does the HSTS checker ensure accuracy?
The tool simulates a browser request to fetch the real HTTP response headers and directly parses the Strict-Transport-Security field values. However, please note that complex CDNs or multi-level redirects may affect the accuracy of the results.
What is the recommended max-age setting?
For production environments, a minimum of 31536000 seconds (1 year) is recommended. A shorter duration can be set during the testing phase, but ensure the parameter syntax is correct.
Before testing, please ensure the domain resolves correctly and supports HTTPS access. The results only reflect the current request-response status; actual deployment should be verified against server configurations. For preload list submissions, please visit hstspreload.org. It is recommended to use a testing environment for sensitive domains.
It is recommended to initially set max-age to a short duration (e.g., 300 seconds) for testing, and extend it to over a year once confirmed working. Before enabling includeSubDomains, ensure all subdomains support HTTPS, otherwise, it will cause access interruptions. A typical compliant configuration is: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
