HSTS

What is HSTS?

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a response header that tells browsers: "always use HTTPS for this domain, never HTTP, for the next N seconds." Once a browser sees this header, it refuses to make an HTTP connection to your domain — it auto-upgrades to HTTPS before even sending the request.

In more detail

Without HSTS, the first request to your site can happen over HTTP (if a user types the URL or clicks an old link). An attacker on the network can intercept that HTTP request and serve a fake page that never upgrades to HTTPS — called SSL stripping. HSTS prevents this by telling the browser to skip HTTP entirely after the first successful HTTPS visit.

The header has three directives: `max-age` (required; how many seconds the browser should remember the policy), `includeSubDomains` (optional; apply the policy to every subdomain as well), and `preload` (optional; signals that the domain may be added to the preload list that browsers ship with).

Standard HSTS header (1 year)
Strict-Transport-Security: max-age=31536000; includeSubDomains
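To make the directives above concrete, here is an added example (not code from the original page) that parses a Strict-Transport-Security value, reports why it would fall short of the preload list's requirements (one-year max-age, includeSubDomains and preload), and shows which URLs a browser would silently upgrade once it has stored the policy. The header values and host names below are constructed samples.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age the preload list requires


@dataclass
class HstsPolicy:
    max_age: int             # seconds the browser remembers the policy; 0 clears it
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value: ';'-separated, case-insensitive directives."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                raise ValueError("max-age must appear once with a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive (or an empty one) is ignored, as browsers do
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(p: HstsPolicy) -> list:
    """Reasons the preload list would reject this header (empty list = eligible)."""
    problems = []
    if p.max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if not p.include_subdomains:
        problems.append("includeSubDomains missing")
    if not p.preload:
        problems.append("preload directive missing")
    return problems


def upgrade_url(url: str, policy_host: str, p: HstsPolicy) -> str:
    """The URL a browser actually fetches for `url`, given a stored policy for policy_host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    covered = host == policy_host or (p.include_subdomains and host.endswith("." + policy_host))
    if parts.scheme != "http" or not covered or p.max_age == 0:
        return url  # already HTTPS, outside the policy, or policy cleared by max-age=0
    port = "" if parts.port in (None, 80) else f":{parts.port}"  # port 80 becomes the HTTPS default
    return urlunsplit(("https", host + port, parts.path, parts.query, parts.fragment))
```

Running `preload_problems` over the header shown above reports only that the `preload` directive is missing, which is exactly the gap between a standard deployment and a preload submission.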

Why this matters

Why builders care

HSTS is a one-line fix with no downside, as long as you have HTTPS working on every subdomain. On managed platforms like Vercel, it is usually enabled by default — but apps on *.vercel.app subdomains often need it added explicitly.

FAQ

Frequently asked questions

Should I submit to the HSTS preload list?
Only after you are certain HTTPS works on every subdomain and you will not need to serve HTTP for anything. Preload is hard to reverse: the list is submitted to browser makers and baked into Chrome, Firefox and Safari.
