HSTS missing preload — eligibility, requirements, and how to submit
Without preload, HSTS only takes effect after a user's first successful HTTPS visit — leaving a small bootstrap window where the very first request can still be intercepted. The browser preload list bakes your domain's HTTPS-only policy into the browser binary itself, eliminating that window entirely.
Why it matters
To qualify, the HSTS header must include `max-age` of at least 1 year, the `includeSubDomains` directive, and the `preload` directive — and you submit at hstspreload.org. It's a one-way trip (removal takes weeks), so confirm every subdomain works over HTTPS first.
Real-world risk
Without preload, some clients only enforce HSTS after the first successful HTTPS visit (bootstrap window).
Fix steps (in order)
- If eligible, add preload and submit at https://hstspreload.org (requires max-age ≥ 1 year, includeSubDomains, preload).
- Optional: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
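As an added example (not Scorifya's scanner code and not part of the original page), the following Python checks a `Strict-Transport-Security` header value against the three preload requirements listed above: `max-age` of at least one year (31536000 seconds), `includeSubDomains`, and `preload`. It parses the header the way RFC 6797 defines it (directive names are case-insensitive, `max-age` may be quoted, a repeated directive makes the header invalid), so it also flags the common deployment mistakes that leave the finding open after a deploy. The sample header values in the test are constructed.

```python
"""Check a Strict-Transport-Security header value for hstspreload.org eligibility.

Added example; not the Scorifya scanner's own code. It evaluates the header
value only (what a scanner would see in the HTTPS response), not the rest of
the preload requirements such as a valid certificate or HTTP->HTTPS redirects.
"""
from typing import Optional

# hstspreload.org requires max-age of at least one year, in seconds
ONE_YEAR = 31536000


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into {lowercase directive name: value}.

    Per RFC 6797 section 6.1: directives are separated by ';', names are
    case-insensitive, values may be quoted, and a directive must not appear
    more than once. A repeated directive is recorded under '__duplicate__'.
    """
    directives: dict = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty segment such as a trailing ';'
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            directives["__duplicate__"] = name
        directives[name] = value
    return directives


def preload_eligibility(header: Optional[str]) -> dict:
    """Return {'eligible': bool, 'problems': [str, ...]} for a header value.

    An empty problems list means the header itself satisfies the preload
    submission requirements (max-age >= 1 year, includeSubDomains, preload).
    """
    if not header:
        return {"eligible": False,
                "problems": ["no Strict-Transport-Security header"]}

    d = parse_hsts(header)
    problems = []

    if "__duplicate__" in d:
        problems.append(f"directive '{d['__duplicate__']}' repeated; header is invalid")

    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below {ONE_YEAR} (one year)")

    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")

    return {"eligible": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed sample values: the recommended header and two common mistakes
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=31536000",
                   "max-age=300; includeSubDomains; preload"):
        print(sample, "->", preload_eligibility(sample))
```

The check is deliberately strict about `max-age`: a value such as `max-age=300` is sometimes left over from a cautious rollout, and it is enough on its own to make the submission fail. Run it against the header your origin actually returns (for example the value captured from a `curl -sI https://example.com` response), not the one in your config template, because a proxy or CDN in front of the origin can rewrite it.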
Topic explainer
What is HSTS? HTTP Strict Transport Security explained →
How HSTS works, why the bootstrap window matters, what max-age and includeSubDomains do, and when (or whether) to submit your domain to the browser preload list.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (hsts_preload_hint) clears once the externally-observable signal is in place.