HSTS Header Builder & Validator
Compose a Strict-Transport-Security header (RFC 6797), parse existing ones, and check whether your policy meets the hstspreload.org submission rules.
Parse Existing Header
Paste a Strict-Transport-Security value (with or without the header name) to load it into the builder.
About HSTS & Preloading
- max-age=0 tells the browser to drop any prior HSTS state — use it to back out of a deployment.
- includeSubDomains applies the policy to every subdomain. Make sure they all serve HTTPS first.
- preload opts your site into the Chromium preload list shipped with browsers, removing the trust-on-first-use gap.
- Submission to hstspreload.org requires max-age ≥ 31536000, both flags, a redirect from HTTP, and HTTPS on every subdomain.
- Removing a domain from the preload list can take months — start with a short max-age while testing.
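The header-level rules above can be checked mechanically. The following is an added example, not this tool's own code: the function names parseHsts and preloadIssues are hypothetical, and the sample header values are constructed. The HTTP redirect and per-subdomain HTTPS requirements cannot be verified from the header value alone, so they are out of scope here.

```javascript
// Added example: parse a Strict-Transport-Security value (RFC 6797) and
// report which header-level preload requirements it fails.
const PRELOAD_MIN_MAX_AGE = 31536000; // minimum stated in the list above

function parseHsts(input) {
  // Accept the value with or without the header name in front.
  const value = input.replace(/^\s*strict-transport-security\s*:/i, "");
  const policy = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (part === "") continue; // the RFC 6797 grammar allows empty directives
    const eq = part.indexOf("=");
    // Directive names are case-insensitive.
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let arg = eq === -1 ? null : part.slice(eq + 1).trim();
    // Each directive may appear only once; keep the first, flag the repeat.
    if (seen.has(name)) { policy.errors.push(`duplicate directive: ${name}`); continue; }
    seen.add(name);
    if (name === "max-age") {
      if (arg !== null && /^"\d+"$/.test(arg)) arg = arg.slice(1, -1); // quoted-string form
      if (arg === null || !/^\d+$/.test(arg)) policy.errors.push("max-age needs a non-negative integer");
      else policy.maxAge = Number(arg);
    } else if (name === "includesubdomains" || name === "preload") {
      if (arg !== null) policy.errors.push(`${name} takes no value`);
      else if (name === "preload") policy.preload = true;
      else policy.includeSubDomains = true;
    } // unrecognized directives are ignored, as RFC 6797 requires
  }
  if (!seen.has("max-age")) policy.errors.push("max-age is required");
  return policy;
}

function preloadIssues(policy) {
  const issues = [...policy.errors];
  if (policy.maxAge === 0) issues.push("max-age=0 clears HSTS state; it cannot be preloaded");
  else if (policy.maxAge !== null && policy.maxAge < PRELOAD_MIN_MAX_AGE)
    issues.push(`max-age ${policy.maxAge} is below ${PRELOAD_MIN_MAX_AGE}`);
  if (!policy.includeSubDomains) issues.push("includeSubDomains is missing");
  if (!policy.preload) issues.push("preload is missing");
  return issues;
}

// Constructed sample: a short test-phase policy fails all three header checks.
console.log(preloadIssues(parseHsts("max-age=300")));
```

An empty array from preloadIssues means the header value itself is eligible; the redirect and subdomain checks still have to be done against the live site.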