HSTS Check: a beginner's guide

Check HSTS policy and preload status

EdgeDNS Team · 9 min read

HSTS: telling browsers to never accept the unencrypted version of your site

HSTS stands for HTTP Strict Transport Security. It is a small HTTP response header — `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` — that tells the browser, "from now on, never connect to this domain over plain HTTP. Always force HTTPS, no exceptions, even if the user typed `http://` or clicked an old `http://` link." The browser remembers the instruction for the duration specified by the `max-age` directive (typically one or two years), and if a request to the HTTP version of the site ever comes up during that time, the browser silently rewrites it to HTTPS before it goes out on the wire.

You should care because **without HSTS, your visitors are still vulnerable to a class of attack called the first-visit hijack or *SSL stripping***. If a user types `bank.example.com` into their browser without specifying `https://`, the browser starts by sending an HTTP request — and an attacker on the same network (an open Wi-Fi hotspot, a compromised router, a state-level adversary on a national ISP) can intercept that initial plaintext request and never let it upgrade to HTTPS. The user thinks they're on a normal site; they are actually being silently man-in-the-middled. HSTS closes this window by making the browser remember, after the very first HTTPS visit, to never speak HTTP to that domain again.

The five things every HSTS check looks at:

  • Is the HSTS header present? The bare minimum.

  • Is `max-age` long enough? Modern best practice is at least one year (31536000 seconds), and two years for sites that want to be on the preload list.

  • Is `includeSubDomains` set? Without it, only the apex domain is protected — every subdomain is still hijackable.

  • Is `preload` set, and is the domain on the [HSTS preload list](https://hstspreload.org/)? Preloading bakes the HSTS rule into the browser itself, so even the very first visit is protected.

  • Are there any HTTP-only subdomains that would break under `includeSubDomains`? This is the main reason teams hesitate — turning on `includeSubDomains` and discovering that an internal subdomain wasn't HTTPS-ready.

Three questions an HSTS check answers:

  • Are my visitors protected against SSL-stripping attacks during their first visit?

  • Is my entire domain — including all subdomains — covered, or just the root?

  • Should I be on the HSTS preload list, and what would it take to qualify?

The cost of skipping HSTS is the small but persistent risk of session hijacking on insecure networks. The fix is one HTTP header. For sites that handle payments, logins, or any sensitive data, HSTS is no longer optional; it is the baseline. The protocol is defined in RFC 6797.

The HSTS Check endpoint, in plain language

In one sentence: Check HSTS (HTTP Strict Transport Security) policy and preload status

Validates the HSTS (HTTP Strict Transport Security, the official internet standard defined in RFC 6797) configuration end-to-end against hstspreload.org submission requirements. It inspects the HSTS header on the HTTPS response, the HSTS header on the port-80 redirect response, the HTTP→HTTPS redirect itself, and calls the canonical hstspreload.org `/api/v2/preloadable` endpoint to surface the exact errors a preload submission would hit.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

The endpoint runs four checks in parallel: (1) it fetches the apex domain over HTTPS and parses the Strict-Transport-Security header (max-age, includeSubDomains, preload); (2) it calls hstspreload.org `/api/v2/status` for the current listing; (3) it calls `/api/v2/preloadable` for the canonical pre-submission errors and warnings; (4) it probes port 80 to verify that plain HTTP redirects to HTTPS and that the redirect response itself carries an HSTS header (preload requires it). It also flags two edge cases: `max-age=0` while `preload` is set (an active removal request), and a `max-age` above two years (above the Chromium cap).
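As an added example (not EdgeDNS code), here is an offline model of the header parsing and the preload rules from the five-point list above and from these four checks: it parses a Strict-Transport-Security value, applies the max-age, includeSubDomains, preload and port-80 redirect rules as the page states them, and separates blocking errors from warnings. The port-80 status, Location header and HSTS header are passed in as constructed values rather than fetched.

```python
import re
ONE_YEAR = 31_536_000        # hstspreload.org minimum max-age, in seconds
TWO_YEARS = 2 * ONE_YEAR     # threshold the page flags as "above Chromium cap"

def parse_hsts(raw):
    """Parse a Strict-Transport-Security value; None when the header is absent."""
    if raw is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in raw.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()                     # directive names are case-insensitive
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())  # RFC 6797 allows a quoted value
            policy["max_age"] = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def check_preloadable(apex_header, port80_status, port80_location, port80_header):
    """Apply the header and port-80 rules from the text; errors block preload, warnings do not."""
    errors, warnings = [], []
    policy = parse_hsts(apex_header)
    if policy is None:
        errors.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        age = policy["max_age"]
        if age is None:
            errors.append("max-age missing or malformed")
        elif age == 0 and policy["preload"]:
            errors.append("max-age=0 with preload: this is an active removal request")
        elif age < ONE_YEAR:
            errors.append(f"max-age={age} is below the one-year minimum ({ONE_YEAR})")
        elif age > TWO_YEARS:
            warnings.append(f"max-age={age} exceeds two years")
        if not policy["include_subdomains"]:
            errors.append("includeSubDomains missing: subdomains stay hijackable")
        if not policy["preload"]:
            errors.append("preload directive missing")
    if port80_status not in (301, 302, 307, 308) or not str(port80_location).startswith("https://"):
        errors.append("port 80 does not redirect to HTTPS")
    elif port80_header is None:
        errors.append("HTTP->HTTPS redirect response carries no HSTS header")
    return {"preloadable": not errors, "errors": errors, "warnings": warnings}

# Constructed inputs (not real probe results): a preload-ready site and a weak one.
GOOD = check_preloadable("max-age=63072000; includeSubDomains; preload", 301, "https://example.com/", "max-age=63072000")
WEAK = check_preloadable("max-age=3600", 200, None, None)
```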

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the HSTS Check tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

HSTS (HTTP Strict Transport Security, the official internet standard) protects against SSL (Secure Sockets Layer) stripping and protocol downgrade attacks by ensuring browsers only connect via HTTPS (secure HyperText Transfer Protocol). Without HSTS, an attacker on the same network can intercept the initial HTTP (HyperText Transfer Protocol) request and redirect the user to a malicious site. Preload list inclusion provides protection from the very first visit — critical for high-security applications. HSTS is required by PCI DSS 4.0.1 and recommended by OWASP and NIST SP 800-52r2 (Guidelines for TLS (Transport Layer Security) Implementations).

Picture this in real life. Imagine a devops engineer who has just migrated a site to HTTPS (secure HyperText Transfer Protocol) and now needs to verify that HSTS (HTTP Strict Transport Security) is properly configured to prevent downgrade attacks. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the HSTS Check tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the HSTS Check tool is built for you:

  • Is my website encrypted properly, or are visitors going to see a scary browser warning?

  • Am I missing any of the security headers that modern browsers expect?

  • Could a known weakness on my site quietly be costing me trust, traffic, or compliance?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the free plan. The technical details: `GET /v1/domain/hsts`.

When would I actually use this?

If you're still on the fence about whether the HSTS Check tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a devops engineer, a security engineer, and a security auditor — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: HTTPS Migration Verification

Imagine you're a devops engineer. You've just migrated to HTTPS (secure HyperText Transfer Protocol) and need to verify that HSTS (HTTP Strict Transport Security) is properly configured to prevent downgrade attacks.

Why it matters: Ensure HTTPS (secure HyperText Transfer Protocol) is enforced and users can't be redirected to HTTP (HyperText Transfer Protocol).

Story 2: Preload List Submission Prep

Imagine you're a security engineer. Before submitting to the HSTS (HTTP Strict Transport Security) preload list, you want to verify that all requirements are met (max-age, includeSubDomains, preload).

Why it matters: Avoid preload submission rejection by validating configuration first.

Story 3: Security Assessment

Imagine you're a security auditor. You need to evaluate the HSTS (HTTP Strict Transport Security) configuration as part of a web application security assessment.

Why it matters: Document HTTPS (secure HyperText Transfer Protocol) enforcement controls for security audits.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the HSTS Check tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • After every site redesign or platform migration.

  • Before a penetration test, security review, or vendor questionnaire.

  • When your SSL certificate is about to expire and you want to confirm the renewal worked.

  • On a recurring monthly schedule, so you catch new issues before attackers do.

If you can see yourself in even one of those bullets, the HSTS Check tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the HSTS Check tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the HSTS Check tool to check https://google.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/hsts?domain=https%3A%2F%2Fgoogle.com"
```

What you need to provide

You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| `domain` | string | Yes | Domain or full URL (web address): accepts `example.com` or `https://example.com/path`. The HSTS (HTTP Strict Transport Security) / preload probe always tests the direct HTTPS response and the HTTP→HTTPS redirect, regardless of the protocol you pass in. | `https://google.com` |
| `probe_subdomains` | string | Optional | Set to `"true"` to probe 12 common subdomains (www/mail/admin/staging/etc.) for HTTPS (secure HyperText Transfer Protocol) coverage, the #1 cause of preload-submission rejections. Adds up to 12 subrequests. | `true` |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| `domain` | string | The queried domain (bare hostname). |
| `url` | string | Full URL (web address) that was fetched, echoing the protocol used in the request. |
| `hasHsts` | boolean | Whether the HSTS (HTTP Strict Transport Security) header is present. |
| `maxAge` | number \| null | max-age value in seconds, or null if there is no HSTS header. |
| `maxAgeFormatted` | string \| null | Human-readable max-age duration (e.g., "1 year"), or null if there is no HSTS header. |
| `includesSubdomains` | boolean | Whether includeSubDomains is set. |
| `preload` | boolean | Whether the preload directive is set. |
| `preloaded` | object | `{ listed, status, source: "hstspreload.org", note }`. Chromium is the source of truth; Firefox/Safari/Edge mirror it on their own schedules, so per-browser status is not claimed independently. |
| `rawHeader` | string \| null | Raw Strict-Transport-Security header value, or null if not present. |
| `redirectHstsHeader` | string \| null | HSTS header observed on the port-80 → HTTPS (secure HyperText Transfer Protocol) redirect response (required for preload eligibility). |
| `httpToHttpsRedirect` | boolean | Whether port 80 returned an HTTPS redirect (required for preload). |
| `preloadable` | boolean | Whether the HSTS configuration meets the static preload-eligibility rules. |
| `status` | string | Preload submission status from hstspreload.org. |
| `issues` | array | Aggregated issues (local checks + preloadable findings). |
| `preloadableIssues` | array | Structured errors/warnings from hstspreload.org `/api/v2/preloadable`: `[{ code, summary, message }]`. These are the exact issues a preload submission would surface. |
| `subdomain_probe` | object \| null | Phase 2: HTTPS-coverage probe across 12 common subdomains. Only populated when `?probe_subdomains=true`. Includes per-subdomain status_code/reachable/https_redirect/hsts_header plus a summary and a blockers list naming the subdomains that would block preload submission. |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.

HTTP (HyperText Transfer Protocol) — The language web browsers and websites use to talk to each other.

HTTPS (secure HyperText Transfer Protocol) — HTTP with encryption — the little padlock in your browser. It means nobody between you and the website can read what you're sending.

SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.

TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.

HSTS (HTTP Strict Transport Security) — A header that tells browsers "always use HTTPS for this site, never plain HTTP, even if the user types it." Prevents downgrade attacks.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.
