HSTS Check
Endpoint: `/v1/domain/hsts` (free)
Validates HSTS (HTTP Strict Transport Security, RFC 6797) configuration end-to-end against the hstspreload.org submission requirements. It inspects the HSTS header on the HTTPS response, the HTTP→HTTPS redirect on port 80 and any HSTS header returned with that redirect, and calls the canonical hstspreload.org `/api/v2/preloadable` endpoint to surface the exact errors a preload submission would hit.
What It Does
Runs four parallel checks: (1) parses the apex HTTPS Strict-Transport-Security header (max-age, includeSubDomains, preload); (2) calls hstspreload.org /api/v2/status for the current listing; (3) calls /api/v2/preloadable for the canonical pre-submission errors and warnings; (4) probes port 80 to verify that it redirects to HTTPS on the same host, and records any HSTS header on that redirect response. Note that browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797 section 8.1); hstspreload.org requires the header on the HTTPS response, including on any HTTPS-to-HTTPS redirect, so the HTTPS header is the one that decides eligibility. Two edge cases are flagged: `max-age=0` together with `preload` (an active removal request, not a misconfiguration to patch), and `max-age` above two years (Chromium clamps the stored value, so larger numbers add no protection).
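As an added example (not the edgedns.dev implementation), the following Python shows what the header parse and the static eligibility rules above amount to: an RFC 6797 parser that rejects malformed headers the way a browser would, a same-host check for the port-80 redirect, and the two edge cases. The thresholds (one-year minimum, two-year warning) come from hstspreload.org and this page; the sample headers are constructed and the function names are this example's own.

```python
# Added example: a local HSTS parser and static preload-rule check. This is not
# the edgedns.dev implementation; it illustrates the checks described above.
# Thresholds follow hstspreload.org (1 year minimum) and the page's 2-year
# warning; the redirect rule is hstspreload.org's "same host over https" rule.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000     # hstspreload.org minimum max-age
TWO_YEARS = 63_072_000    # above this the check warns; Chromium clamps what it stores


@dataclass
class Sts:
    valid: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_sts(header: Optional[str]) -> Sts:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directives are ';'-separated and case-insensitive, max-age is required,
    no directive may appear twice, and a UA ignores a header that violates
    the grammar, so such a header gives no protection at all.
    """
    if header is None:
        return Sts(valid=False, problems=["no Strict-Transport-Security header"])
    sts = Sts(valid=True)
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')      # quoted-string values are allowed
        if name in seen:
            return Sts(valid=False, problems=[f"duplicate directive '{name}'"])
        seen.add(name)
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return Sts(valid=False, problems=["max-age must be a non-negative integer"])
            sts.max_age = int(value)
        elif name == "includesubdomains":
            sts.include_subdomains = True
        elif name == "preload":
            sts.preload = True
        # unknown directives are ignored for forward compatibility
    if sts.max_age is None:
        return Sts(valid=False, problems=["max-age directive is required"])
    return sts


def http_redirect_ok(origin_host: str, location: Optional[str]) -> bool:
    """hstspreload.org rule: a port-80 listener must redirect to https on the same host."""
    if not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == origin_host.lower()


def preload_eligibility(sts: Sts, redirects_to_https: bool) -> Dict[str, List[str]]:
    """Apply the static rules; certificate and subdomain coverage need live probes."""
    errors, warnings = list(sts.problems), []
    if not sts.valid:
        return {"errors": errors, "warnings": warnings}
    if sts.max_age == 0:
        # max-age=0 tells browsers to forget the host. Combined with preload it is
        # an active removal request, not a misconfiguration to patch by re-adding it.
        errors.append("max-age=0 with preload set: active removal request"
                      if sts.preload else "max-age=0: HSTS disabled")
        return {"errors": errors, "warnings": warnings}
    if sts.max_age < ONE_YEAR:
        errors.append(f"max-age {sts.max_age} is below the required {ONE_YEAR}")
    if sts.max_age > TWO_YEARS:
        warnings.append(f"max-age {sts.max_age} exceeds two years; Chromium clamps the stored value")
    if not sts.include_subdomains:
        errors.append("includeSubDomains directive missing")
    if not sts.preload:
        errors.append("preload directive missing")
    if not redirects_to_https:
        errors.append("port 80 does not redirect to https on the same host")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # constructed sample inputs, not captured from any real site
    good = parse_sts("max-age=63072000; includeSubDomains; preload")
    print(preload_eligibility(good, http_redirect_ok("example.com", "https://example.com/")))
    print(preload_eligibility(parse_sts("max-age=300; preload"), False))
    print(preload_eligibility(parse_sts("max-age=0; preload"), True))
```

The parser returns an invalid result for duplicate directives and a missing or non-numeric max-age because RFC 6797 tells user agents to ignore such headers entirely; a site with a syntactically broken header has no HSTS in practice, which is why that condition is reported before any eligibility rule is evaluated.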
Why It's Useful
HSTS (RFC 6797) protects against SSL stripping and protocol downgrade attacks by having the browser rewrite every HTTP request to the host into HTTPS for the lifetime of max-age. Without it, an attacker on the same network can intercept the initial plaintext HTTP request and either keep the victim on HTTP, proxying the site in the clear, or redirect them to an attacker-controlled host. Even with HSTS, the very first visit (before the header has ever been seen) remains exposed; preload list inclusion closes that gap, which matters for high-security applications. HSTS supports PCI DSS 4.0.1's requirements for strong cryptography on transmitted cardholder data and is recommended by OWASP and NIST SP 800-52r2 (Guidelines for TLS Implementations).
Use Cases
HTTPS Migration Verification
After migrating to HTTPS, verify HSTS is properly configured to prevent downgrade attacks.
Ensure HTTPS is enforced and users can't be redirected to HTTP.
Preload List Submission Prep
Before submitting to HSTS preload list, verify all requirements are met (max-age, includeSubDomains, preload).
Avoid preload submission rejection by validating configuration first.
Security Assessment
Evaluate HSTS configuration as part of web application security assessment.
Document HTTPS enforcement controls for security audits.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | Domain or full URL; accepts `example.com` or `https://example.com/path`. The HSTS / preload probe always tests https→https-direct and http→https redirect, regardless of the protocol given. Example: `https://google.com` |
| probe_subdomains | string | Optional | Set to "true" to probe 12 common subdomains (www, mail, admin, staging, etc.) for HTTPS coverage, the most common cause of preload-submission rejections. Adds up to 12 subrequests. Example: `true` |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain (bare hostname). |
| url | string | Full URL that was fetched, echoing the protocol used in the request. |
| hasHsts | boolean | Whether an HSTS header is present. |
| maxAge | number or null | max-age value in seconds, or null if no HSTS header. |
| maxAgeFormatted | string or null | Human-readable max-age duration (e.g., "1 year"), or null if no HSTS header. |
| includesSubdomains | boolean | Whether includeSubDomains is set. |
| preload | boolean | Whether the preload directive is set. |
| preloaded | object | `{ listed, status, source: "hstspreload.org", note }`. Chromium is the source of truth; Firefox, Safari and Edge mirror its list on their own schedules, so per-browser status is not claimed independently. |
| rawHeader | string or null | Raw Strict-Transport-Security header value, or null if not present. |
| redirectHstsHeader | string or null | HSTS header observed on the port-80 → HTTPS redirect response, if any. Browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797 section 8.1), so this field is informational; the header that counts for preload eligibility is the one on the HTTPS response. |
| httpToHttpsRedirect | boolean | Whether port 80 returned a redirect to HTTPS (hstspreload.org requires a redirect to the same host). |
| preloadable | boolean | Whether the HSTS configuration meets the static preload-eligibility rules. |
| status | string | Preload submission status from hstspreload.org. |
| issues | array | Aggregated issues (local checks plus preloadable findings). |
| preloadableIssues | array | Structured errors and warnings from hstspreload.org/api/v2/preloadable: `[{ code, summary, message }]`. These are the exact issues a preload submission would surface. |
| subdomain_probe | object or null | HTTPS-coverage probe across 12 common subdomains; only populated when `probe_subdomains=true`. Includes per-subdomain status_code, reachable, https_redirect and hsts_header, plus a summary and a blockers list naming the subdomains that would block preload submission. |
Code Examples
cURL

```bash
# -G sends the -d pair as a query string (GET); without it curl would POST a form body
curl -G "https://api.edgedns.dev/v1/domain/hsts" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=https://google.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/hsts?domain=https%3A%2F%2Fgoogle.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/hsts',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'https://google.com'}
)
response.raise_for_status()  # surface 4xx/5xx instead of parsing an error body as a result
data = response.json()
print(data)
```