Check your website's HSTS configuration status, analyze security header parameters, and enhance HTTPS strict transport security.

HSTS (HTTP Strict Transport Security) is a web security policy that forces browsers to access a website only via HTTPS connections for a specified period, fundamentally preventing man-in-the-middle (MitM) hijacking and protocol downgrade attacks. When a user visits an HTTPS website without HSTS enabled for the first time, they may still be vulnerable to SSL stripping attacks. This tool helps administrators verify that their HSTS configuration is working correctly by detecting the Strict-Transport-Security field in the HTTP response headers and parsing parameters such as max-age, includeSubDomains, and preload.
How does the HSTS checker ensure accuracy?
The tool simulates a browser request to fetch the real HTTP response headers and directly parses the Strict-Transport-Security field values. However, please note that complex CDNs or multi-level redirects may affect the accuracy of the results.
What is the recommended max-age setting?
For production environments, a minimum of 31536000 seconds (1 year) is recommended. A shorter duration can be set during the testing phase, but ensure the parameter syntax is correct.
Before testing, please ensure the domain resolves correctly and supports HTTPS access. The results only reflect the current request-response status; actual deployment should be verified against server configurations. For preload list submissions, please visit hstspreload.org. It is recommended to use a testing environment for sensitive domains.
It is recommended to initially set max-age to a short duration (e.g., 300 seconds) for testing, and extend it to over a year once confirmed working. Before enabling includeSubDomains, ensure all subdomains support HTTPS; otherwise, it will cause access interruptions. A typical compliant configuration is: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
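
The header check described above, written out as an added example (not this tool's own code): it parses a Strict-Transport-Security value and reports the problems this page warns about, plus the RFC 6797 rules on duplicate directives and max-age=0. The function name, finding strings and sample values are constructed for illustration.

```python
import re
ONE_YEAR = 31536000  # production minimum recommended on this page

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (policy, findings)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    findings, seen = [], set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if name in seen:  # RFC 6797: a directive may appear only once
            findings.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]  # the value may be a quoted-string
            if re.fullmatch(r"[0-9]+", arg):
                policy["max_age"] = int(arg)
            else:
                findings.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognized directives are ignored, as browsers do
    age = policy["max_age"]
    if "max-age" not in seen:
        findings.append("max-age missing: header is invalid")
    elif age == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif age is not None and age < ONE_YEAR:
        findings.append(f"max-age {age} is below {ONE_YEAR} (1 year)")
    if policy["preload"] and not policy["include_subdomains"]:
        findings.append("preload set without includeSubDomains")
    return policy, findings

# Constructed sample header values, not captured from any real site.
SAMPLES = [
    "max-age=31536000; includeSubDomains; preload",
    "max-age=300",
    'MAX-AGE="63072000"; preload',
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_hsts(s))
```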