How to check if your site sends an HSTS header (and what “preload” means)
A practical mental model for Strict-Transport-Security: what scanners can observe on first request, how preload lists differ from a one-line header, and where Scorifya surfaces copy-ready fixes.
Confirm the header on the wire
The fastest sanity check is still looking at real response headers over HTTPS. Scorifya automates that observation path alongside other headers so you are not bouncing between five different single-purpose tools the night before launch.
If you landed here from search, you may prefer the dedicated "HTTP security headers checker" or the broader "check website security headers" explainer before running a scan.
Preload is a separate commitment
Sending the includeSubDomains and preload directives in your header is not the same thing as being on the Chromium preload list. Eligibility rules, minimum max-age, and the submission queue are documented by the preload program itself. We may surface informational hints when values resemble preload-oriented shapes, but inclusion is ultimately decided out of band from any single scan.
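The header check described above, as an added Python example that is not Scorifya's code: it parses Strict-Transport-Security values following RFC 6797 and reports whether a value is preload-shaped, which says nothing about list membership. The function names, the constructed sample headers and the one-year PRELOAD_MIN_AGE threshold are assumptions of this example.

```python
# Added example, not Scorifya code. Parses Strict-Transport-Security values
# following RFC 6797 section 6.1.
PRELOAD_MIN_AGE = 31536000  # assumption: one year; confirm with the preload program

def parse_hsts(value):
    """Return findings for one header value, or None if the value is invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives such as a trailing ";" are permitted
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form: max-age="300"
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen[name] = arg if sep else None
    age = seen.get("max-age")
    if not age or not (age.isascii() and age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    max_age = int(age)
    subs, preload = "includesubdomains" in seen, "preload" in seen
    return {
        "max_age": max_age,
        "include_subdomains": subs,
        "preload_directive": preload,
        "enabled": max_age > 0,  # max-age=0 asks the browser to forget the policy
        # Shape only: says nothing about membership of the preload list.
        "preload_shaped": subs and preload and max_age >= PRELOAD_MIN_AGE,
    }

def effective_hsts(headers):
    """Browsers honour only the first STS header field in a response."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None  # header absent

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "preload-shaped": [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")],
    "short max-age": [("strict-transport-security", 'MAX-AGE="300"; preload')],
    "duplicate directive": [("Strict-Transport-Security", "max-age=1; max-age=31536000")],
    "no header": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", effective_hsts(headers))
```

A value that carries the preload directive with a short max-age parses as a valid, enabled policy but is not preload-shaped, which is the distinction the paragraph above draws.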
How this shows up in scoring
HSTS contributes like other defense-in-depth headers under published category weights. If you need exact penalties and edge cases, start from how scoring works so engineering and security stay aligned on what is in scope.