FREE TOOL

HSTS Checker

Test any domain's HTTP Strict Transport Security configuration. Check max-age, includeSubDomains, preload readiness, and HTTPS redirect.

What is HSTS?

HSTS (HTTP Strict Transport Security) is a response header that tells browsers to only connect to your site over HTTPS. Once a browser sees the HSTS header, it will automatically upgrade all future HTTP requests to HTTPS for the specified duration (max-age), even if the user types http:// or clicks an HTTP link.

Why check your HSTS configuration?

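Without HSTS, your site is vulnerable to SSL stripping attacks, where an attacker downgrades the connection from HTTPS to HTTP. Even if you redirect HTTP to HTTPS, that first request is unencrypted and can be intercepted. Once a browser has seen the HSTS header, it no longer sends that plain-HTTP request, which closes this window for later visits. The preload directive, combined with submission to the preload list, goes further by hardcoding HTTPS-only into the browser itself, so even the first visit is protected.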

How to configure HSTS properly

Add the Strict-Transport-Security header with a max-age of at least 1 year (31536000 seconds). Include the includeSubDomains directive to protect all subdomains. For maximum protection, add the preload directive and submit your domain to hstspreload.org. When first deploying, start with a short max-age and increase it gradually to avoid locking yourself out.

FAQ

Frequently asked questions

Is this HSTS checker free?

Yes, completely free. No signup or credit card required. Test any public domain's HSTS configuration instantly.

What max-age should I use?

The recommended minimum is 1 year (31536000 seconds). For HSTS preload eligibility, you need at least 1 year. Some organizations use 2 years (63072000). Start with a shorter value like 1 hour (3600) when first deploying HSTS, then increase it once you confirm everything works over HTTPS.

How is this different from an SSL checker?

An SSL checker verifies your certificate validity and TLS protocol. This HSTS checker specifically tests the Strict-Transport-Security header that forces browsers to use HTTPS. You need both: a valid SSL certificate and HSTS to fully protect your users. CQwerty Shield's full scan covers both.

FULL SECURITY AUDIT

HSTS Checker is just the start.

CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.

Free full scan — no signup