HTTP Strict Transport Security — a response header that tells browsers to always use HTTPS for your domain for a configurable duration. Protects against TLS downgrade and SSL-stripping attacks.

Should I use includeSubDomains?

Yes if every subdomain serves HTTPS correctly. The directive applies HSTS to the whole domain tree, but a single broken subdomain locks users out.

What is the HSTS Preload List?

A list of domains Chrome, Firefox and Safari ship with hard-coded for HTTPS-only access. Submit at hstspreload.org after HSTS has run cleanly with includeSubDomains and a 1-year max-age.

You can lower max-age and wait for it to expire in browsers, but preloaded domains require submission to the removal list and take months to propagate. Test thoroughly before enabling preload.

Does HSTS affect SEO?

Indirectly. HSTS is part of a strong security posture that Google's page-experience signal favours, and it cleans up duplicate HTTP / HTTPS URLs by enforcing one canonical scheme.

HSTS Test

The HSTS Test verifies that any URL serves a Strict-Transport-Security response header, which tells browsers to use HTTPS exclusively for the domain for a configurable period. HSTS protects against TLS downgrade attacks, accidental HTTP redirects, and SSL-stripping man-in-the-middle attacks. Once HSTS is set, even typing http:// in the address bar transparently uses HTTPS. The header is one line, free, and a baseline modern security control.

What This Tool Checks

Strict-Transport-Security response header present
max-age value (recommended: 31536000 = 1 year)
includeSubDomains directive
preload directive (for HSTS Preload List submission)
HTTPS enforcement on first visit (preload status)

Why It Matters for SEO

Without HSTS, the very first HTTP request to your domain (typed URL, old bookmark, link from a non-HTTPS page) can be intercepted and downgraded by an attacker on the network. HSTS pins browsers to HTTPS for a long max-age, eliminating this window. Adding the domain to the HSTS Preload List closes the first-visit window entirely. The header is a one-line config change with no downside once HTTPS is correctly configured.

How to Fix It

Add Strict-Transport-Security: max-age=31536000; includeSubDomains to every HTTPS response. Verify HTTPS works on every subdomain before enabling includeSubDomains. After running for a few weeks with no issues, add ; preload and submit the domain to hstspreload.org for browser-bundled enforcement.

How It Works

We fetch the URL over HTTPS and inspect the Strict-Transport-Security response header. We also check the public HSTS Preload List to see whether the domain is preloaded into Chrome, Firefox and Safari for HTTPS enforcement on the first visit.

Common Mistakes to Avoid

No HSTS header set
Short max-age (hours instead of months)
includeSubDomains set without subdomain HTTPS coverage (breaks subdomains)
preload set without actually submitting to the preload list
Adding HSTS before HTTPS is fully working (locks users into a broken state)

Quick Checklist

HSTS header present on every HTTPS response
max-age at least 31536000 (1 year)
includeSubDomains set if all subdomains use HTTPS
Domain submitted to HSTS Preload List
HTTPS verified working before HSTS deployed

HSTS Test

What This Tool Checks

Why It Matters for SEO

How to Fix It

How It Works

Common Mistakes to Avoid

Quick Checklist

Frequently Asked Questions

Related Free Tools

About PositionMySite

Services

Let's Connect