What is the HSTS preload list?

It is a list of domains hard-coded into browsers that are always loaded over HTTPS, even on the very first visit. Being on the list closes the gap before the first HSTS header is received, preventing an initial plaintext request that could be hijacked.

What are the preload requirements?

Serve a valid certificate; redirect HTTP to HTTPS on the same host; serve all subdomains over HTTPS; and send a Strict-Transport-Security header on the base domain with max-age of at least 31536000 seconds (one year), the includeSubDomains directive, and the preload directive.

Why must max-age be at least one year?

hstspreload.org requires max-age of 31536000 seconds or more so the policy persists long enough to be meaningful even if a browser falls back to the dynamically-cached value. Shorter durations are rejected for preload, though they still work for ordinary HSTS.

How do I remove a domain from the list?

Change the header to remove the preload directive (and optionally lower max-age), then submit a removal request at hstspreload.org. Removal propagates slowly because it must ship in new browser releases, so preload is effectively a long-term commitment.

Does this validator send my header anywhere?

No. The header is parsed and checked entirely in your browser against the published rules. Nothing is transmitted.

HSTS Preload Requirements Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

HSTS preload requirements

To appear on the browser HSTS preload list, a site’s Strict-Transport-Security header must meet specific rules from hstspreload.org. This reference explains each requirement and includes a validator that checks a header value for max-age, includeSubDomains and the preload directive.

How it works

HSTS is sent as a single response header over HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

For preload, hstspreload.org requires max-age of at least one year (31536000), the includeSubDomains directive, and the preload directive — in addition to a valid certificate and HTTP-to-HTTPS redirects. The validator parses the directives, confirms each rule, and reports what is missing.

Tips and notes

Preload is a long-term commitment — removal ships slowly in browser releases.
includeSubDomains forces every subdomain to HTTPS; verify they all work first.
The base-domain HTTP response must redirect to its own HTTPS before anything else.
Without preload, the same header still enables ordinary dynamic HSTS.