HSTS Checker – HTTP Strict Transport Security & Preload Validation

Verify in real time if your domain correctly delivers the HSTS header, meets all security directives, and is eligible for official browser preloading.

01 What is HSTS (HTTP Strict Transport Security) and how does it protect domains?

HTTP Strict Transport Security (HSTS) is a web security mechanism defined in RFC 6797 and signalled through the `Strict-Transport-Security` HTTP response header. It instructs browsers to communicate with a site exclusively over an encrypted HTTPS connection. When you analyze a domain on getbox.de, our tool checks whether the server delivers the `Strict-Transport-Security` header. Without HSTS, every plain `http://` request, whether from a typed address, an old bookmark or a link, travels unencrypted until the server redirects it, and that first hop is exactly what an on-path attacker needs. With HSTS, once the browser has received the header over a valid HTTPS connection (browsers ignore the header on plain HTTP), it rewrites every future `http://` request for that host to `https://` before the request leaves the machine, and it refuses to connect at all if the certificate does not validate.

02 Mitigating SSL Stripping and Man-in-the-Middle (MitM) Attacks

The primary objective of HSTS is defense against Man-in-the-Middle attacks, specifically SSL stripping, demonstrated by Moxie Marlinspike with the sslstrip tool. In this attack the attacker sits on the network path (for example on a public Wi-Fi they control) and captures the user's initial plain-HTTP request. The attacker talks to the real server over HTTPS, but rewrites the pages it relays back to the victim so that every `https://` link and redirect becomes `http://`. The victim's browser sees an ordinary HTTP site and shows no warning, so credentials, session cookies, and other sensitive data are transmitted in plain text through the attacker. A browser that holds a valid HSTS policy for the host never sends that first HTTP request: it upgrades the URL locally, and if the attacker then presents an untrusted certificate the connection fails hard, with no click-through option. The protection applies only after the browser has learned the policy (see preloading below) and only for as long as `max-age` has not expired.

03 Inside HSTS Directives: max-age, includeSubDomains, and preload

A valid HSTS header is made up of the following directives, whose syntax is verified by our tool:

1. **max-age=[seconds]:** Required. Specifies how long the browser must remember that the site may only be reached via HTTPS; every response carrying the header refreshes the timer. A value of at least one year (`31536000`) is recommended for production environments and is the minimum for preloading. `max-age=0` tells the browser to forget the policy.
2. **includeSubDomains:** Optional but highly recommended. Extends the policy to every subdomain of the host that sent it (e.g., `api.yourdomain.com` when sent by `yourdomain.com`). It also stops cookies scoped to the parent domain from being exposed through an insecure subdomain.
3. **preload:** The token by which the domain owner consents to inclusion in the browser preload list. It is not part of RFC 6797 and browsers themselves ignore it; only the preload list operators read it.

Directive names are case-insensitive, their order does not matter, and a header that omits `max-age` or repeats a directive is discarded by the browser as invalid. Our parser breaks these directives down visually and highlights optimization opportunities.

04 What is HSTS Preloading and why is it the ultimate security upgrade?

Standard HSTS has a conceptual weakness: 'Trust on First Use' (TOFU). On the very first visit from a clean browser profile, or after `max-age` has expired, the browser does not yet know that the site enforces HSTS, and at that moment an SSL stripping attack is still possible. To close this gap, the Chromium project maintains the HSTS preload list, which is compiled into the browser itself; Chrome and Edge ship it directly, and Firefox and Safari derive their lists from it. If your domain is on the list, the browser requires HTTPS even for the very first request. Our HSTS Checker validates the header-level requirements published at hstspreload.org: a valid certificate, HTTP on the apex redirecting to HTTPS on the same host, the header served on the apex over HTTPS with a `max-age` of at least one year (`31536000`), `includeSubDomains`, and the `preload` token, which in turn means every subdomain must be reachable over HTTPS. Treat inclusion as permanent: removal takes months to propagate through browser releases, so submit only when the whole domain tree is ready.
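As an added example (not the getbox.de checker's own code), the following Python parses a `Strict-Transport-Security` value the way RFC 6797 section 6.1 describes for the directives in section 03, and then applies the header-level preload rules from section 04. The strings in `SAMPLE_HEADERS` are constructed for illustration; checks that need a live connection (certificate validity, the HTTP to HTTPS redirect, subdomain reachability) are deliberately out of scope.

```python
"""Parse and audit a Strict-Transport-Security header value.

Added example, not getbox.de's own checker code. Syntax follows RFC 6797
section 6.1; the preload rules are those published by hstspreload.org."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age for preload submission


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)    # header invalid -> browser ignores it
    warnings: List[str] = field(default_factory=list)  # still valid, but worth fixing


def parse_hsts(header: str) -> HstsPolicy:
    """Directives are ';'-separated and case-insensitive; max-age may be quoted.
    A repeated directive or a missing/malformed max-age invalidates the field,
    and RFC 6797 says the browser must then ignore the whole header."""
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # a stray ';' is tolerated by the grammar
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.errors.append(f"directive '{name}' appears more than once")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age value {value!r} is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True  # not in RFC 6797; consent token read by hstspreload.org
        else:
            policy.warnings.append(f"unrecognised directive '{name}' (browsers ignore it)")
    if policy.max_age is None:
        policy.errors.append("no valid max-age; the header is ignored")
    return policy


def preload_issues(policy: HstsPolicy) -> List[str]:
    """Header-level preload requirements only. Certificate validity, the
    HTTP->HTTPS redirect and HTTPS on every subdomain need a live connection."""
    issues = list(policy.errors)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        issues.append(f"max-age {policy.max_age} is below {ONE_YEAR} (1 year)")
    if not policy.include_subdomains:
        issues.append("includeSubDomains is required for preloading")
    if not policy.preload:
        issues.append("preload token is missing (owner consent)")
    return issues


SAMPLE_HEADERS = {  # constructed examples, not captured from real sites
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "quoted, mixed case": 'Max-Age="31536000"; IncludeSubDomains',
    "too short": "max-age=300",
    "duplicate max-age": "max-age=31536000; max-age=0; preload",
    "no max-age": "includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        p = parse_hsts(value)
        print(f"{label:19} max_age={p.max_age} subdomains={p.include_subdomains} preload={p.preload}")
        for msg in preload_issues(p):
            print("    preload blocker:", msg)
```

The split between `errors` and `warnings` mirrors the RFC: an unknown directive is harmless and simply skipped, whereas a duplicate or a missing `max-age` means the browser applies no policy at all, which is the worst outcome for a site that believes it is protected.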

05 HSTS Deployment Risks: Why unplanned configurations can lock out subdomains

HSTS is a sharp security tool that leaves no room for configuration errors. If you enable `includeSubDomains` on the apex and a legacy subdomain (an old intranet portal, a staging server, a vendor-hosted CNAME) answers only on plain HTTP or presents an invalid certificate, every browser that has seen the apex header will refuse to load that subdomain at all. The error page has no 'proceed anyway' button. Simply removing the header from the server does not help visitors who already cached it: the browser keeps the policy until `max-age` expires. The fast way back is to keep serving the header over HTTPS with `max-age=0`, which makes each browser delete its entry on its next visit; for a preloaded domain even that does not help, because the preload entry is built into the browser. Roll out in stages: inventory every subdomain first, start with a short `max-age` such as `300`, add `includeSubDomains` once every name passes, raise `max-age` to a year, and add `preload` last. Our tool provides a safe testing arena for administrators to validate the header configuration before each step.
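The browser-side behaviour described above, as an added example that is not getbox.de's code: a small model of the HSTS host store from RFC 6797 (sections 8.1 to 8.3), driven through a constructed rollout on the hypothetical `example.com` with an `intranet.example.com` subdomain. It shows the header being ignored over plain HTTP, the subdomain being forced to HTTPS through `includeSubDomains`, the removal of the header changing nothing, `max-age=0` clearing the entry at once, and the entry lapsing when `max-age` runs out.

```python
"""Model of a browser's HSTS host store (RFC 6797 sections 8.1-8.3).

Added example, not getbox.de code. Host names and the rollout timeline are
constructed for illustration."""
from typing import Dict, Optional, Tuple


class HstsStore:
    """host -> (expiry as unix time, includeSubDomains flag)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: Optional[str], over_https: bool, now: float) -> None:
        """Process one response from `host`.

        - Header received over plain HTTP: ignored (section 8.1).
        - No header at all: the cached entry is left untouched, so dropping
          the header from the server does not un-enforce anything.
        - max-age=0: entry deleted immediately.
        - Otherwise: entry (re)written with expiry now + max-age."""
        if not over_https or header is None:
            return
        max_age, include_sub = None, False
        for directive in header.split(";"):  # minimal parse, enough for the model
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # invalid header, ignored
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (now + max_age, include_sub)

    def must_use_https(self, host: str, now: float) -> bool:
        """Section 8.3: a host matches if it is a known host itself, or a
        subdomain of a known host whose entry carries includeSubDomains.
        Expired entries are treated as absent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def rollout_scenario() -> Dict[str, bool]:
    """Constructed walk-through; every value should come out True."""
    store = HstsStore()
    t0 = 1_700_000_000.0  # arbitrary fixed clock
    apex, intranet = "example.com", "intranet.example.com"
    strict = "max-age=31536000; includeSubDomains"
    out: Dict[str, bool] = {}

    store.observe(apex, strict, over_https=False, now=t0)
    out["header_over_http_ignored"] = not store.must_use_https(intranet, t0)

    store.observe(apex, strict, over_https=True, now=t0)
    out["intranet_now_forced_to_https"] = store.must_use_https(intranet, t0)
    out["deeper_names_forced_too"] = store.must_use_https("a.b.intranet.example.com", t0)

    store.observe(apex, None, over_https=True, now=t0 + 86400)  # header removed from server
    out["still_forced_after_header_removed"] = store.must_use_https(intranet, t0 + 86400)

    store.observe(apex, "max-age=0", over_https=True, now=t0 + 2 * 86400)
    out["cleared_by_max_age_zero"] = not store.must_use_https(intranet, t0 + 2 * 86400)

    store.observe(apex, "max-age=31536000", over_https=True, now=t0)  # no includeSubDomains
    out["apex_only_policy_leaves_intranet_alone"] = not store.must_use_https(intranet, t0)
    out["apex_itself_forced"] = store.must_use_https(apex, t0)
    out["entry_expires_after_max_age"] = not store.must_use_https(apex, t0 + 31536000)
    return out


if __name__ == "__main__":
    for check, ok in rollout_scenario().items():
        print(f"{'ok ' if ok else 'BAD'} {check}")
```

The model omits what a real browser adds on top (certificate validation with no click-through, and the built-in preload list), but the superdomain walk in `must_use_https` is the mechanism that turns one `includeSubDomains` header on the apex into an outage for every subdomain that cannot speak HTTPS.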

Infrastructure Tip: Hardening HTTP response headers (HSTS, CSP, X-Frame-Options) is part of modern IT compliance. To continuously monitor your server configurations and receive immediate alerts on certificate or header anomalies, an automated security monitoring suite is recommended.