GeekFormat

HSTS Analyzer

Strict-Transport-Security Analyzer

Analyze whether the HSTS max-age, includeSubDomains, and preload combination meets browser and preload list requirements.

Parse Summary

max-age
365d 0h
includeSubDomains
Yes
preload
Yes
Directive Count
3
HSTS structure appears to have no obvious errors

Builder

max-age=31536000; includeSubDomains; preload

JSON Preview

{
  "directives": [
    {
      "key": "max-age",
      "value": "31536000"
    },
    {
      "key": "includesubdomains",
      "value": null
    },
    {
      "key": "preload",
      "value": null
    }
  ],
  "maxAgeSeconds": 31536000,
  "includeSubDomains": true,
  "preload": true,
  "warnings": []
}

Check HSTS online and assess the stability of your HTTPS enforcement policy before rolling it out.

Use Cases

  • Before enforcing HTTPS site-wide, confirm that the HSTS max-age and subdomain policy suit your environment
  • Configure a reasonable max-age value and enable includeSubDomains via the generator during security remediation
  • Confirm that the configuration includes the preload directive (together with a sufficient max-age and includeSubDomains) before submitting the site for HSTS preload
  • Confirm that the HSTS response header is returned correctly and parse each directive when troubleshooting HTTPS downgrade or access issues

Features

  • Key directives clearly separated: duration, subdomain coverage, and preload conditions are no longer mixed together
  • Self-check before enforcing HTTPS: avoid amplifying a misconfiguration across the entire site, since browsers cache the policy for the full max-age
  • Preload self-assessment: determine in advance whether the HSTS header is close to meeting preload requirements
  • Quick configuration understanding: intuitive result display for collaboration between dev, ops, and security teams

How to Use

  1. Paste the Strict-Transport-Security response header value into the parser, or use the generator to fill in max-age seconds and tick the options
  2. In parse mode, view max-age (as a readable duration), includeSubDomains, preload, and any warnings
  3. In generate mode, set max-age in seconds and tick the includeSubDomains and preload options
  4. Copy the generated header value into your server configuration, or overwrite the input area with it to continue debugging

FAQ

What is HSTS used for?

HSTS tells browsers to access this site only over HTTPS, reducing the risk of protocol downgrade and man-in-the-middle attacks. Because browsers remember the policy for the full max-age, it is unwise to max out the settings before the rollout strategy is clear.

What do max-age, includeSubDomains, and preload mean?

max-age is how long, in seconds, browsers should remember the HTTPS-only policy; includeSubDomains extends the policy to all subdomains of the host; preload signals that the site is a candidate for the browsers' built-in preload lists, which apply the policy even on the very first visit. This tool breaks down each item for you.

Is it suitable for checking if a website meets HSTS preload requirements?

Yes. It checks whether the header-level conditions are met: a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload directive. The preload list additionally requires a valid certificate, HTTPS on every subdomain, and an HTTP-to-HTTPS redirect on the same host, which cannot be judged from the header alone, so treat the result as a pre-assessment.
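The parse and generate steps described under "How to Use", and the preload pre-check in this answer, as an added example written for this page (it is not the analyzer's own code). It parses a Strict-Transport-Security value per RFC 6797 (directive names are case-insensitive, values may be quoted, each directive may appear at most once, max-age is mandatory), produces the same directive list and flags as the JSON Preview, renders the duration as the summary does, lists the header-level preload gaps, and rebuilds a header value. The sample header values at the bottom are constructed for illustration.

```python
"""Parse, validate and rebuild Strict-Transport-Security header values (RFC 6797)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# hstspreload.org currently requires a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000

# RFC 7230 token and quoted-string, which RFC 6797 uses for directive syntax.
# Whitespace around "=" is tolerated here, more leniently than the RFC grammar.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_DIRECTIVE_RE = re.compile(
    rf'^\s*({_TCHAR}+)\s*(?:=\s*(?:"((?:[^"\\]|\\.)*)"|({_TCHAR}+)))?\s*$'
)


@dataclass
class HstsPolicy:
    directives: list = field(default_factory=list)   # [{"key": ..., "value": ...}]
    max_age_seconds: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    warnings: list = field(default_factory=list)     # advisory only
    errors: list = field(default_factory=list)       # fatal: browsers ignore the header

    @property
    def valid(self) -> bool:
        return not self.errors


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header value the way RFC 6797 section 6.1 prescribes."""
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        if not raw.strip():              # empty directives (";;") are allowed
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            policy.errors.append(f"malformed directive: {raw.strip()!r}")
            continue
        key = m.group(1).lower()         # directive names are case-insensitive
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key in seen:                  # each directive may appear only once
            policy.errors.append(f"duplicate directive: {key}")
            continue
        seen.add(key)
        policy.directives.append({"key": key, "value": value})
        if key == "max-age":
            if value is None or not re.fullmatch(r"[0-9]+", value):
                policy.errors.append("max-age must be a non-negative integer")
            else:
                policy.max_age_seconds = int(value)
        elif key == "includesubdomains":
            policy.include_subdomains = True
        elif key == "preload":
            policy.preload = True
        else:
            policy.warnings.append(f"unknown directive ignored: {key}")
    if "max-age" not in seen:
        policy.errors.append("max-age is required; browsers ignore the header without it")
    elif policy.max_age_seconds == 0:
        policy.warnings.append("max-age=0 removes the host from the browser's HSTS cache")
    return policy


def human_duration(seconds: int) -> str:
    """Render max-age as the parse summary does, e.g. 31536000 -> '365d 0h'."""
    days, rem = divmod(seconds, 86400)
    return f"{days}d {rem // 3600}h"


def preload_gaps(policy: HstsPolicy) -> list:
    """Header-level preload requirements that are not met (empty list = none).
    Serving over HTTPS and redirecting HTTP to HTTPS on the same host are also
    required for preloading but cannot be judged from the header alone."""
    gaps = list(policy.errors)
    if policy.max_age_seconds is not None and policy.max_age_seconds < PRELOAD_MIN_MAX_AGE:
        gaps.append(f"max-age {policy.max_age_seconds} is below the one-year minimum {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        gaps.append("includeSubDomains is required for preloading")
    if not policy.preload:
        gaps.append("preload directive is required for preloading")
    return gaps


def build_hsts(max_age: int, include_subdomains: bool = True, preload: bool = False) -> str:
    """Generator-mode counterpart: emit a header value for the server configuration."""
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for hdr in ["max-age=31536000; includeSubDomains; preload",
                'MAX-AGE="604800"; includeSubDomains',
                "includeSubDomains; preload",
                "max-age=31536000; max-age=0"]:
        p = parse_hsts(hdr)
        print(f"{hdr!r}: {'valid' if p.valid else 'ignored by browsers'}; preload gaps: {preload_gaps(p)}")
```

The split between errors and warnings mirrors browser behaviour: a header with a syntax error or no max-age is dropped entirely, which is a far worse outcome than a merely short max-age, so a pre-launch check should surface the two classes separately.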

Why check HSTS before launch?

A misconfigured header can make the HTTPS policy too loose (a short max-age, no subdomain coverage) or too strict (includeSubDomains covering subdomains that still serve plain HTTP, or preload requested before every subdomain is ready, which is hard to undo once browsers have cached or shipped the policy). Parsing before launch surfaces missing fields, unreasonable values, or incomplete subdomain coverage earlier.