HSTS Check
free/v1/domain/hsts
Validates HSTS (HTTP Strict Transport Security, RFC 6797) configuration including max-age duration, includeSubDomains directive, preload directive, and preload list inclusion status. Checks against hstspreload.org requirements — the shared preload list used by Chrome, Firefox, Safari, and Edge.
What It Does
Fetches the Strict-Transport-Security header from the domain, parses all directives (max-age, includeSubDomains, preload), validates against preload requirements (max-age ≥ 31536000, includeSubDomains required, preload directive required), and queries the hstspreload.org API to check if the domain is already on the browser preload list. Returns human-readable max-age formatting and specific remediation guidance for any issues found.
Why It's Useful
HSTS (RFC 6797) protects against SSL stripping and protocol downgrade attacks by ensuring browsers only connect via HTTPS. Without HSTS, an attacker on the same network can intercept the initial HTTP request and redirect to a malicious site. Preload list inclusion provides protection from the very first visit — critical for high-security applications. HSTS is required by PCI DSS 4.0.1 and recommended by OWASP and NIST SP 800-52r2 (Guidelines for TLS Implementations).
Use Cases
HTTPS Migration Verification
After migrating to HTTPS, verify HSTS is properly configured to prevent downgrade attacks.
Ensure HTTPS is enforced and users can't be redirected to HTTP.
Preload List Submission Prep
Before submitting to HSTS preload list, verify all requirements are met (max-age, includeSubDomains, preload).
Avoid preload submission rejection by validating configuration first.
Security Assessment
Evaluate HSTS configuration as part of web application security assessment.
Document HTTPS enforcement controls for security audits.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check HSTS configuration for. Example: google.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| hasHsts | boolean | Whether an HSTS header is present |
| maxAge | number \| null | Max-age value in seconds, or null if no HSTS header |
| maxAgeFormatted | string \| null | Human-readable max-age duration (e.g., "1 year"), or null if no HSTS header |
| includesSubdomains | boolean | Whether includeSubDomains is set |
| preload | boolean | Whether the preload directive is set |
| preloaded | object | Preload list status for Chrome, Firefox, Safari, and Edge |
| rawHeader | string \| null | Raw Strict-Transport-Security header value, or null if not present |
| preloadable | boolean | Whether the HSTS configuration meets preload requirements |
| status | string | Preload submission status from hstspreload.org |
| issues | array | Issues preventing preload eligibility |
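The following is an added example, not the edgedns.dev API's own code, showing the validation logic described under "What It Does" and the response shape listed above: it parses a Strict-Transport-Security header per RFC 6797, formats max-age for humans, and lists the issues that block preload eligibility (max-age ≥ 31536000, includeSubDomains, preload). The function names, issue strings and sample headers are constructed for this example; the live hstspreload.org status lookup is deliberately left out so the code runs offline.

```python
"""Added example: parse a Strict-Transport-Security header and check it against
the hstspreload.org requirements described on this page. Not the edgedns.dev
API's own code; function names, issue strings and sample headers are constructed."""
from typing import Optional

# Preload requirements stated on hstspreload.org: max-age of at least one year,
# includeSubDomains and preload directives present.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample headers (not real responses from any site).
SAMPLE_HEADERS = {
    "preload-ready": "max-age=31536000; includeSubDomains; preload",
    "uppercase": "MAX-AGE=63072000; INCLUDESUBDOMAINS; PRELOAD",
    "short-max-age": "max-age=300",
    "quoted-no-preload": 'max-age="63072000"; includeSubDomains',
    "policy-removal": "max-age=0; includeSubDomains; preload",
    "absent": None,
}


def parse_hsts(raw_header: Optional[str]) -> dict:
    """Split the header into directives (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age takes a delta-seconds value
    that may be quoted, and unknown directives are ignored.
    """
    parsed = {
        "hasHsts": raw_header is not None,
        "maxAge": None,
        "includesSubdomains": False,
        "preload": False,
        "rawHeader": raw_header,
    }
    if raw_header is None:
        return parsed
    for directive in raw_header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            parsed["maxAge"] = int(value)
        elif name == "includesubdomains":
            parsed["includesSubdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def format_max_age(seconds: int) -> str:
    """Render delta-seconds as the largest unit that divides it exactly."""
    for unit, size in (("year", 31536000), ("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds and seconds % size == 0:
            count = seconds // size
            return f"{count} {unit}{'s' if count != 1 else ''}"
    return f"{seconds} second{'s' if seconds != 1 else ''}"


def evaluate_hsts(raw_header: Optional[str]) -> dict:
    """Build a result in the shape of the response fields above, with the list
    of issues that block preload eligibility."""
    result = parse_hsts(raw_header)
    issues = []
    if not result["hasHsts"]:
        issues.append("no Strict-Transport-Security header present")
    else:
        max_age = result["maxAge"]
        if max_age is None:
            issues.append("max-age directive missing or not a valid delta-seconds value")
        elif max_age == 0:
            # RFC 6797 section 6.1.1: max-age=0 tells browsers to discard the policy
            issues.append("max-age=0 instructs browsers to discard the HSTS policy")
        elif max_age < PRELOAD_MIN_MAX_AGE:
            issues.append(
                f"max-age is {max_age} seconds; preload requires at least "
                f"{PRELOAD_MIN_MAX_AGE} (1 year)"
            )
        if not result["includesSubdomains"]:
            issues.append("includeSubDomains directive missing")
        if not result["preload"]:
            issues.append("preload directive missing")
    result["maxAgeFormatted"] = (
        format_max_age(result["maxAge"]) if result["maxAge"] is not None else None
    )
    result["preloadable"] = not issues
    result["issues"] = issues
    return result


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        verdict = evaluate_hsts(header)
        print(f"{label}: preloadable={verdict['preloadable']} "
              f"maxAge={verdict['maxAgeFormatted']} issues={verdict['issues']}")
```

Two points the samples exercise that a naive check misses: directive names are case-insensitive and max-age may be quoted, so `MAX-AGE="63072000"` is valid; and `max-age=0` is not a short policy but an instruction to delete an existing one, which is why it is reported as its own issue rather than as "too short".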
Code Examples
```bash
# -G sends the -d value as a query string (GET), matching the other examples
curl -G "https://api.edgedns.dev/v1/domain/hsts" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=google.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/hsts?domain=google.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/hsts',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'google.com'}
)
data = response.json()
print(data)
```

Read the full HSTS Check guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.