HSTS max-age too short for preload — extending to one year
The HSTS preload list requires `max-age` of at least 31536000 seconds (one year). Shorter values keep regular HSTS working but disqualify the domain from preload, leaving the bootstrap window open for first-time visitors.
Real-world risk
Preload lists expect a long-lived policy: with a max-age below one year the domain stays off the preload list, so first-time visitors still make an unprotected initial request before the browser learns the HSTS policy.
Fix steps (in order)
- Set max-age to at least 31536000 (1 year) before pursuing preload.
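As an added example (not Scorifya's own code), the following Python parses a Strict-Transport-Security header value and reports why it would not qualify for preload. The one-year threshold is the figure from this page; the includeSubDomains and preload directive checks follow the public hstspreload.org submission requirements. The sample header values are constructed, and every finding code except hsts_preload_max_age (the id used on this page) is a made-up label for the example.

```python
"""Check a Strict-Transport-Security header value for preload eligibility.

Added example, not Scorifya's scanner. Finding codes other than
hsts_preload_max_age are hypothetical labels chosen for this snippet.
"""
import http.client
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the preload list


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into a {directive: value} dict.

    Directive names are case-insensitive (RFC 6797), so they are lowered.
    Directives without '=' (includeSubDomains, preload) map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts_preload(value: Optional[str]) -> List[str]:
    """Return the list of preload blockers; an empty list means preload-ready."""
    findings: List[str] = []
    if not value:
        return ["hsts_missing: no Strict-Transport-Security header"]
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        findings.append("hsts_max_age_invalid: max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        findings.append(
            f"hsts_preload_max_age: max-age={max_age} is below {ONE_YEAR} (1 year)"
        )
    if "includesubdomains" not in d:
        findings.append("hsts_preload_subdomains: includeSubDomains directive missing")
    if "preload" not in d:
        findings.append("hsts_preload_directive: preload directive missing")
    return findings


def fetch_hsts_header(host: str) -> Optional[str]:
    """Read the live header from a host over HTTPS (not used by the offline demo)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample values: the short-lived policy this finding flags,
# and the corrected one-year policy that also carries the preload directives.
WEAK_HEADER = "max-age=86400; includeSubDomains"
FIXED_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        print(label, check_hsts_preload(hdr) or "preload-ready")
```

Running the module prints the two blockers for the weak header (short max-age, no preload directive) and "preload-ready" for the fixed one; `fetch_hsts_header(host)` feeds a live response into the same check once the new header is deployed.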
Topic explainer
What is HSTS? HTTP Strict Transport Security explained
How HSTS works, why the bootstrap window matters, what max-age and includeSubDomains do, and when (or whether) to submit your domain to the browser preload list.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The finding id (hsts_preload_max_age) clears once the header with the one-year max-age is observable from outside the host.