HSTS Preload Guide: Enforce HTTPS for Every Visitor
Learn how HSTS preloading works, why it matters for security, and how to submit your domain to the HSTS preload list used by Chrome, Firefox, and other browsers.
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS when connecting to your domain. HSTS preloading takes this a step further by hardcoding your domain into browsers' HTTPS-only lists.
How HSTS Works
When a browser first visits your site over HTTPS, your server sends the HSTS header with a max-age directive. The browser remembers this and automatically upgrades all future HTTP requests to HTTPS for the duration of max-age. This prevents SSL stripping attacks.
Why Preload
Without preloading, the very first visit to your domain could happen over HTTP before the browser sees your HSTS header. An attacker could intercept this first connection (a "trust on first use" vulnerability). HSTS preloading eliminates this window by shipping your domain's HTTPS requirement directly in the browser.
Requirements for Preloading
Google's HSTS preload list (used by Chrome, Firefox, Edge, and others) requires:
- A valid certificate
- Redirect all HTTP traffic to HTTPS
- Serve all subdomains over HTTPS
- HSTS header with max-age of at least 1 year (31536000 seconds)
- Include the `includeSubDomains` directive
- Include the `preload` directive
Your header should look like: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
How to Submit
Visit hstspreload.org, enter your domain, and verify you meet all requirements. If everything checks out, submit your domain for inclusion. It typically takes 1-3 months for your domain to appear in browser preload lists.
Warning: Preloading Is Permanent
Removing a domain from the preload list takes months and requires going through a formal removal process. If you cannot guarantee HTTPS for all subdomains indefinitely, do not preload. Use HSTS without the preload directive instead.
Use our Security Headers Checker to verify your current HSTS configuration.