Strict-Transport-Security Inspect
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste a Strict-Transport-Security header value (or the full header line) and click “Parse”. The directives it contains are listed.
Notes (this tool)
- Accepts a Strict-Transport-Security: header line.
About this page
What does this tool do?
Parse Strict-Transport-Security (HSTS) and list directives such as max-age.
Useful for verifying HTTPS enforcement and preload requirements.
Pair it with HTTP Header Parser to check real response headers quickly.
HSTS basics
- HSTS tells a browser that, once it has seen the header in a response over HTTPS, it must reach this host only over HTTPS for the policy lifetime. Browsers ignore the header if it arrives over plain HTTP.
- max-age is the lifetime in seconds, refreshed each time the header is seen again; max-age=0 tells the browser to drop the stored policy.
- includeSubDomains applies the policy to all subdomains of the host, including ones served by third parties.
Typical use cases
- Confirm HTTPS enforcement is working as intended
- Enforce HTTPS on subdomains (includeSubDomains)
- Check requirements before HSTS Preload submission
Common directives
- max-age=31536000 (1 year; the minimum the preload list accepts)
- includeSubDomains
- preload (for preload list submission)
Syntax (how to read)
HSTS is a single header whose value is a list of semicolon-separated directives, like "Strict-Transport-Security: max-age=...; includeSubDomains; preload".
- max-age is required and must be a non-negative integer (seconds). Directive names are case-insensitive.
- includeSubDomains/preload are flags (no values).
- Each directive may appear at most once; a browser that receives a malformed header (for example two max-age directives) ignores the whole header, while unknown directives are ignored individually. If a response carries more than one Strict-Transport-Security header field, only the first is processed.
Security angle (what it protects)
HSTS helps prevent downgrade/SSL-stripping attacks by forcing HTTPS after the policy is learned: the browser rewrites http:// URLs for the host to https:// before any request leaves the machine, and it refuses to click through certificate errors on that host.
However, the policy is only learned from a response received over HTTPS with a valid certificate, so the first plain-HTTP visit (and any visit after max-age has lapsed) is unprotected unless the host is preloaded.
How to think about preload
preload is a submission flag for the browsers’ built-in HSTS list (submitted via hstspreload.org). Browsers do not act on the directive itself; once the domain ships in a browser release, HTTPS is enforced even before the first visit.
- Treat it as “nearly irreversible” operationally: all subdomains must be HTTPS, and removal takes months to propagate to released browsers.
- If you enable it without meeting the requirements, legacy subdomains/environments (intranet hosts, vendor CNAMEs, staging) break until they are fixed.
Safer rollout steps (example)
- 1) Start with a short max-age (e.g., 1 day, max-age=86400)
- 2) Gradually increase (1 week → 1 month → 1 year, max-age=31536000)
- 3) Once all subdomains are HTTPS-ready, consider includeSubDomains
- 4) preload last (only if you meet submission requirements)
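The following is an added example, not the tool's own code. It does the two things this page describes: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 tells a browser to (case-insensitive names, optional quoted values, duplicate directives invalidating the header, unknown directives ignored), and it checks a captured redirect chain against the preload submission rules before step 4 above. The chain format, an array of { url, status, headers } hops with lower-cased header names, is an assumption of this example, and the sample chains are constructed, not real captures.

```javascript
// Added example, not the tool's own code: parse an HSTS header value per
// RFC 6797 section 6.1 and check a policy against preload-list requirements.

// Parse the value of Strict-Transport-Security (a leading header name is tolerated).
function parseHsts(headerValue) {
  const r = { ok: true, directives: [], maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  const value = headerValue.replace(/^\s*strict-transport-security\s*:/i, '');
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;                           // empty elements between ';' are allowed
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase(); // names are case-insensitive
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // value may be a quoted-string
    if (seen.has(name)) r.errors.push(`duplicate directive "${name}" (a UA ignores the whole header)`);
    seen.add(name);
    r.directives.push({ name, value: val });
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) r.errors.push('max-age must be a non-negative integer (seconds)');
      else r.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (val !== null) r.errors.push('includeSubDomains takes no value');
      r.includeSubDomains = true;
    } else if (name === 'preload') {
      if (val !== null) r.errors.push('preload takes no value');
      r.preload = true;
    }
    // Any other directive is unknown and ignored, as RFC 6797 requires.
  }
  if (!seen.has('max-age')) r.errors.push('max-age is required');
  r.ok = r.errors.length === 0;
  return r;
}

// Preload-list rules (hstspreload.org) applied to a redirect chain: an array of
// { url, status, headers } hops with lower-cased header names. The shape is an
// assumption of this example; build it from your own fetch/curl output.
const ONE_YEAR = 31536000; // minimum max-age the preload list accepts

function checkPreloadReadiness(hops) {
  const problems = [];
  if (hops.length === 0) return { ready: false, problems: ['no responses captured'] };
  const first = hops[0];
  const host = new URL(first.url).hostname;
  if (first.url.startsWith('http://')) {                // rule: http:// redirects to https:// on the same host
    const loc = first.headers.location || '';
    if (first.status < 300 || first.status > 399 || !loc.startsWith('https://')) {
      problems.push('http:// must redirect to https://');
    } else if (new URL(loc).hostname !== host) {
      problems.push('the HTTP->HTTPS redirect must stay on the same host (no hop to www first)');
    }
  }
  for (const hop of hops) {                             // rule: every HTTPS hop, redirects included, carries a compliant header
    if (!hop.url.startsWith('https://')) continue;
    const header = hop.headers['strict-transport-security'];
    if (!header) { problems.push(`${hop.url}: missing Strict-Transport-Security`); continue; }
    const p = parseHsts(header);
    if (!p.ok) problems.push(`${hop.url}: ${p.errors.join('; ')}`);
    if (p.maxAge !== null && p.maxAge < ONE_YEAR) problems.push(`${hop.url}: max-age below ${ONE_YEAR}`);
    if (!p.includeSubDomains) problems.push(`${hop.url}: includeSubDomains missing`);
    if (!p.preload) problems.push(`${hop.url}: preload missing`);
  }
  return { ready: problems.length === 0, problems };
}

// Constructed sample chains (not real captures): a submission-ready site and a
// typical early-rollout site that still redirects to www and uses a 1-day max-age.
const readyChain = [
  { url: 'http://example.com/', status: 301, headers: { location: 'https://example.com/' } },
  { url: 'https://example.com/', status: 200,
    headers: { 'strict-transport-security': 'max-age=31536000; includeSubDomains; preload' } },
];
const notReadyChain = [
  { url: 'http://example.com/', status: 301, headers: { location: 'https://www.example.com/' } },
  { url: 'https://www.example.com/', status: 200,
    headers: { 'strict-transport-security': 'max-age=86400' } },
];

console.log(parseHsts('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'));
console.log(checkPreloadReadiness(readyChain));     // { ready: true, problems: [] }
console.log(checkPreloadReadiness(notReadyChain));  // { ready: false, problems: [ ...4 items ] }
```

The second chain fails for exactly the reasons the rollout steps warn about: the redirect hops to www first, and the header on the final hop is a short-lived, host-only policy. Run the checker against a chain captured from your own site at each rollout stage; it should only report ready once every hop serves the full production policy.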
Common pitfalls
- max-age too short to meet intended enforcement
- includeSubDomains breaks subdomains not HTTPS-ready
- preload set without meeting required HTTPS/redirect conditions
- Dev/staging subdomains are still HTTP-only
Related headers (strong together)
HSTS only governs the transport; it does nothing against XSS, clickjacking, or data leakage, so pair it with the other security headers to cover those.
- CSP (Content-Security-Policy): XSS and source control
- Referrer-Policy: reduce referrer leakage
- Permissions-Policy: control powerful browser features
What this tool does
- Split HSTS directives
- Inspect max-age value
- Check includeSubDomains/preload flags
Debugging workflow (recommended)
- Paste the target security headers
- Check for missing and overly permissive policies
- HSTS has no report-only mode, so validate it with a phased rollout (short max-age first) and by checking the headers real responses return; Report-Only applies to CSP, not HSTS
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use a phased rollout and monitor for HTTPS connection and redirect errors after each increase of max-age.
Referenced specs
- RFC 6797 (HTTP Strict Transport Security)
- MDN: Strict-Transport-Security
FAQ
Does HSTS fully disable HTTP?
Browsers rewrite http:// URLs for the host to https:// before any request is sent and will not let users click through certificate errors on that host. Your server should still answer on port 80 with a redirect to HTTPS for first-time visitors and non-browser clients. Be careful with includeSubDomains if some subdomains are not HTTPS-ready.
Should I always set preload?
Preload is nearly irreversible; use it only when HTTPS is guaranteed for all subdomains.
What max-age is common?
In production, “months to one year” is common, but it’s safer to start short and increase gradually.
References
Next to view (diagnostic order)
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- Security Headers Audit — Audit presence of major security headers
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
Same-theme links
Security Headers
Go from missing-header detection to concrete fix planning
- Security Headers Audit — Audit presence of major security headers
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Builder — Build CSP policies from templates
- CSP Report Analyzer — Analyze CSP report JSON and summarize violation patterns
- CSP Inspect — Parse and evaluate CSP directives
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff
Example
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload