HSTS Checker

Check whether the Strict-Transport-Security header is configured so that browsers are forced to use HTTPS connections

This only checks HSTS. For a comprehensive analysis, use the full page check.

You can also audit your entire site. Duplicate titles and descriptions, orphan pages, broken links between sections, and other site-wide issues can only be found with a full site audit.

If you don't have an SEO specialist, we can help fix the errors found.

What Is HSTS and Why It Matters

HSTS (HTTP Strict Transport Security) is a security mechanism that tells the browser: all subsequent connections to this site must use HTTPS only. The Strict-Transport-Security header is sent by the server in the HTTP response, and after receiving it, the browser automatically converts all HTTP requests to the domain into HTTPS without making an insecure connection.

HSTS Header Parameters

  • max-age — time in seconds during which the browser will force HTTPS. Recommended value is 31536000 (1 year)
  • includeSubDomains — extends HSTS policy to all subdomains. Important for protection against subdomain attacks
  • preload — allows adding the domain to the browser HSTS preload list, so protection works from the very first visit

Why HSTS Is Important for Security

Without HSTS, the first connection to a site may be made over HTTP, creating a window for a man-in-the-middle (MITM) attack. An attacker can intercept the unprotected request and redirect the user to a phishing site. HSTS eliminates this vulnerability — the browser will never send an HTTP request to a domain with an active HSTS policy.

How to Configure HSTS

  • Nginx — add to config: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
  • Apache — use: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  • HSTS Preload — after configuring the header, submit your domain to hstspreload.org for inclusion in the browser preload list
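To make the parameters and the configuration lines above concrete, here is an added example in Python (not the checker's own code) that parses a Strict-Transport-Security value the way a checker would, flags missing or malformed directives, and reports whether the value meets the preload requirements from the list above. The function names and the sample header values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum max-age accepted by hstspreload.org (one year in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]          # None when the directive is absent or invalid
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Note: browsers only honour the header when it arrives over HTTPS, so a
    real checker must fetch the HTTPS response, not the HTTP one.
    """
    max_age, include_subdomains, preload, problems, seen = None, False, False, [], set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:                     # RFC 6797: each directive at most once
            problems.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                max_age = int(value)
            else:
                problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            problems.append(f"unknown directive ignored: {name}")
    if max_age is None:
        problems.append("max-age missing or invalid; browsers ignore the header")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def preload_eligible(policy: HstsPolicy) -> bool:
    """True when max-age >= 1 year, includeSubDomains and preload are all present."""
    return (policy.max_age is not None and policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)
```

A value of max-age=0 parses cleanly but is reported as not preload-eligible, which matches the rollback behaviour described in the FAQ below.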

HSTS and SEO

Proper HSTS configuration indirectly improves SEO. It ensures search bots always access the HTTPS version of pages, eliminates content duplication between HTTP and HTTPS, and speeds up loading by removing HTTP-to-HTTPS redirects. Google considers HTTPS a ranking factor, and HSTS ensures its unconditional use.

Frequently Asked Questions

What max-age value should I choose for HSTS?
Start with a small value, such as 300 (5 minutes), to verify your site fully works over HTTPS. Then increase to 86400 (1 day), then 604800 (1 week), and finally 31536000 (1 year). Inclusion in the HSTS Preload List requires max-age of at least 31536000.
Can HSTS be reversed after enabling it?
Yes, you can send a header with max-age=0, and browsers will remove the HSTS policy for the domain. However, if the domain was added to the HSTS Preload List, removal takes significant time as it requires browser updates. So before enabling preload, make sure HTTPS is reliably configured.
How is HSTS different from a regular HTTPS redirect?
A 301 redirect from HTTP to HTTPS is performed server-side — the browser first sends an unprotected HTTP request, then receives the redirect. HSTS works browser-side — it never sends an HTTP request, going directly to HTTPS. This is faster and more secure as it eliminates the unprotected connection.