Security Check n°5 / 120

HSTS Preload List

The HSTS preload list is a list maintained by browsers (Chrome, Firefox, Safari) of domains that must ALWAYS be visited over HTTPS, even on …


Understanding "HSTS Preload List"

The HSTS preload list is a list embedded directly in the source code of Chrome, Firefox, Safari and Edge. Domains on this list are visited exclusively over HTTPS from the very first request — without even needing to receive the HSTS header from the server. Unlike standard HSTS, preload protects users from their very first connection, eliminating the residual risk of the first HTTP visit.

The HSTS preload is managed by Google via hstspreload.org and browsers include the list in their updates. Once registered, your domain stays on preload until an explicit removal request — which can take several months. Ensure all your subdomains support HTTPS before submitting.

Diagram, standard HSTS (vulnerable on first visit): first visit → http:// request sent (vulnerable window) → server responds with the HSTS header → protected from the 2nd visit on.
Diagram, HSTS preload (protected from day one): the installed browser already ships the preload list containing mysite.com → https:// used directly → server. Even the very first user is protected, no exceptions.

How TheSiteFuse checks "HSTS Preload List"

TheSiteFuse verifies that the HSTS header contains both the preload and includeSubDomains directives, and that the max-age value is at least 31,536,000 seconds (1 year). These three conditions are required by hstspreload.org to accept a submission. The check does not verify whether the domain is actually in the browsers' preload list.
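As an added example (not TheSiteFuse's own code), the following Python function applies the same three submission conditions to a raw Strict-Transport-Security value, handling case-insensitive directive names, a missing or non-numeric max-age and repeated directives; the sample header values are constructed.

```python
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive (RFC 6797); values are optional and
    may be quoted. Returns None for an empty or malformed header.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            # RFC 6797 forbids repeating a directive; treat the header as invalid
            return None
        directives[name] = value
    return directives or None


def check_preload_ready(header_value):
    """Return (ok, problems) for the three hstspreload.org submission conditions."""
    problems = []
    directives = parse_hsts(header_value)
    if directives is None:
        return False, ["missing or malformed Strict-Transport-Security header"]
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=63072000; includeSubDomains",
        "max-age=86400; includeSubDomains; preload",
        "Max-Age=31536000; IncludeSubDomains; Preload",
    ]
    for sample in samples:
        ok, problems = check_preload_ready(sample)
        print(f"{sample!r}: {'OK' if ok else 'NOT ready: ' + '; '.join(problems)}")
```

As with the TheSiteFuse check, this only validates the header; it does not tell you whether the domain is already on the browsers' preload list.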

Why "HSTS Preload List" matters

Without HSTS preload, a residual risk remains even with standard HSTS enabled:

  • First visit vulnerability — standard HSTS only applies from the second visit. During the very first connection, if an attacker on the path forces a plain HTTP connection, the visitor is vulnerable.
  • Reset after cache clearing — if a user clears their browser history, the browser forgets the stored HSTS policy and the user is vulnerable again on the next HTTP visit.
  • New devices — a user connecting from a new device or a freshly installed browser is not protected by HSTS until their first HTTPS visit.

Fix "HSTS Preload List" step by step

Step 1 — Check prerequisites

  • All active subdomains support HTTPS (including www and others)
  • Your HSTS header contains max-age=31536000, includeSubDomains AND preload
  • No subdomain generates a certificate error

Step 2 — Update the HSTS header

Apache:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Step 3 — Submit on hstspreload.org

Go to hstspreload.org and enter your domain. Inclusion in the list distributed with browsers can take several weeks to months.

Step 4 — Check status

curl "https://hstspreload.org/api/v2/status?domain=yoursite.com"

Reference resource

To deepen your understanding of the technical concepts behind this check, see the dedicated Wikipedia article.

Wikipedia — HSTS Preload List
