← Blog

HSTS Preloading Guide: How to Secure Your Domain at the Browser Level

2 min read
#hsts#preloading#security#https#headers

HTTP Strict Transport Security (HSTS) is a powerful security header, but "HSTS Preloading" takes it to the next level. By getting your domain on the global HSTS preload list, you ensure that browsers never even attempt an insecure connection to your site-protecting your users from the very first request.

Standard HSTS protects users on their second visit. HSTS Preloading protects them from the first second.

1. What is HSTS Preloading?

While a standard HSTS header tells a browser to use HTTPS after the first visit, HSTS Preloading is a list built into the browser itself (Chrome, Firefox, Safari). If your domain is on this list, the browser will automatically use HTTPS even if the user has never visited your site before.

The Benefit

It prevents "SSL Stripping" attacks where an attacker intercepts the very first http:// request before the HSTS header can be delivered.

2. Requirements for Preloading

To be eligible for the HSTS preload list, your header must meet strict criteria:

  1. Valid SSL: You must have a valid certificate.
  2. Redirect All Traffic: Redirect from HTTP to HTTPS on the same host.
  3. All Subdomains: Serve HSTS for all subdomains.
  4. Long Max-Age: At least 1 year (31536000 seconds).
  5. IncludeSubDomains: The directive must be present.
  6. Preload Directive: The preload flag must be present.

Example Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

3. The Risks of Preloading

Warning: HSTS Preloading is difficult to undo. If you enable it and one of your subdomains doesn't support HTTPS, that subdomain will become completely inaccessible to users.

  • Irreversible: Removal from the list can take months.
  • No Fallback: You cannot serve any content over plain HTTP once preloaded.

4. How to Submit Your Domain

  1. Configure your server with the correct header.
  2. Verify your configuration using our Security Headers Tool.
  3. Go to hstspreload.org and enter your domain.
  4. Check for any errors and click "Submit".

Conclusion

HSTS Preloading is the "Gold Standard" of web transport security. It provides absolute certainty that your users are always using an encrypted connection. However, due to its restrictive nature, ensure every part of your infrastructure is HTTPS-ready before taking the plunge.

Audit your HSTS settings now →