What max-age should I use for HSTS?

The minimum recommended max-age is one year, 31536000 seconds. For preload-list submission the max-age must be at least one year as well. Many sites use two years (63072000) for extra margin.

What does includeSubDomains do?

It applies the HTTPS-only policy to every subdomain, not just the exact host. It is required for preload submission, but only enable it once you are certain all subdomains can serve HTTPS, or you may lock out an HTTP-only subdomain.

What is the preload directive?

preload signals that you want the domain hard-coded into browsers' built-in HSTS preload list, so HTTPS is enforced on the very first visit. Adding the directive alone does nothing until you submit the domain at hstspreload.org.

Why is HSTS important?

Without HSTS, the first request to a site can go over plaintext HTTP and be intercepted or downgraded. HSTS tells the browser to always use HTTPS for the domain, defending against SSL-stripping man-in-the-middle attacks.

Is my header sent anywhere?

No. The header string is parsed locally in your browser. Nothing is transmitted, so you can check production or internal headers privately.

HSTS Header Checker — Gera Tools

HTTP Strict Transport Security (HSTS) is a response header that forces browsers to use HTTPS for a domain, defeating SSL-stripping attacks that downgrade users to plaintext. The header is easy to get subtly wrong — too short a max-age, a missing includeSubDomains, or a preload directive that was never actually submitted. This checker parses your header, scores it against current best practice, and tells you exactly what to fix.

How it works

A typical HSTS header looks like:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

The tool parses the three components and applies the recommended rules:

max-age — must be present and at least 31536000 (one year). Shorter values are flagged; missing values mean no policy.
includeSubDomains — recommended, and required for the preload list. Flagged if absent.
preload — the directive is a request to be added to browsers’ built-in list, but it only takes effect after submission at hstspreload.org. Preload requires both includeSubDomains and a one-year-plus max-age.

Each rule contributes to a simple compliance score, and the tool lists the specific changes needed to reach full preload eligibility.

Tips and notes

Roll out HSTS gradually: start with a short max-age, confirm nothing breaks, then raise it to a year or more before enabling preload.
Do not add preload or includeSubDomains until every subdomain serves HTTPS — preload is hard to reverse and browsers cache it for the full max-age.
Serve the header only over HTTPS; browsers ignore HSTS received over plain HTTP.
After meeting the criteria, submit the domain at hstspreload.org to actually get listed — the directive alone does nothing.