Free online Quick Check — no signup required.

What This Tool Checks

  • Policy strength validation
  • Preload readiness checks
  • Transport hardening actions

Why It Matters

HSTS is one of the clearest transport-hardening controls, but it only helps when the policy is strong, consistent, and aligned with preload or subdomain expectations.

Best For

Best for teams validating HTTPS enforcement after certificate changes, CDN updates, subdomain expansion, or a broader transport-security hardening pass.

What To Do Next

Use the result to confirm whether you only need a policy adjustment or whether you should review redirect behavior, subdomain readiness, and preload eligibility too.

Frequently Asked Questions

How do I test HSTS on my website?

Paste your HTTPS URL into this HSTS checker and submit. Vulnify reads the live Strict-Transport-Security response header and reports max-age, includeSubDomains, preload eligibility, and whether the header is missing. Retest after each configuration change to confirm the policy is live.

How do I check HSTS settings?

Enter the production URL you want to validate. The checker evaluates whether Strict-Transport-Security is present, whether max-age meets recommended minimums, and whether includeSubDomains and preload directives are configured correctly for your rollout stage.

Is there a free HSTS testing tool?

Yes. Vulnify's HSTS checker is a free HSTS testing tool with no signup required. Quick Check returns Strict-Transport-Security results in seconds for any public HTTPS URL you are authorized to test.

What are HSTS implementation guidelines?

Start with HTTPS redirects on all HTTP traffic, then add Strict-Transport-Security with a short max-age during rollout. Increase max-age once certificates and redirects are stable. Add includeSubDomains only when every subdomain serves valid HTTPS. Enable preload only after the full policy is production-ready — see our missing HSTS fix guide for a staged rollout plan.

What is an HSTS checker and what does it test?

An HSTS checker reads the Strict-Transport-Security response header and evaluates whether a site enforces HTTPS correctly. It tests max-age duration, includeSubDomains scope, preload eligibility, and whether the header is present at all.

Is this HSTS checker free?

Yes. Quick Check is free with no account required. Paste a URL and get Strict-Transport-Security results in seconds.

What is the recommended HSTS max-age value?

Production sites should set max-age to at least 31536000 seconds (one year). This signals to browsers that HTTPS must be enforced for the full period. Start with a shorter value during rollout, then increase it once redirects and certificates are stable.

What does includeSubDomains mean for HSTS?

The includeSubDomains directive extends the HSTS policy to all subdomains of the registered domain. This prevents downgrade attacks on subdomains but requires every subdomain to serve valid HTTPS before the directive is added.

Should I enable HSTS preloading?

HSTS preloading hard-codes your domain into browser preload lists so HTTPS is enforced even on the first visit, before any header is received. It requires max-age of at least 31536000, includeSubDomains, and the preload directive. Only enable preloading once all subdomains serve HTTPS reliably, as removal from the list is slow.

How do I fix missing HSTS?

Enable HTTPS redirects first, then add a Strict-Transport-Security header with a safe max-age. Validate all subdomains serve HTTPS before adding includeSubDomains. Consider preload only after the policy is fully stable. See the missing HSTS fix guide for a step-by-step rollout plan.