
What Is HSTS Preload? How to Check & Enable It

HTTP Strict Transport Security (HSTS) preload (also called HSTS preloading) ensures that browsers only ever connect to your website over the hypertext transfer protocol secure (HTTPS). Your domain is added to a list compiled into the browser itself, which the browser consults before it sends any request to a host, so encrypted connections are enforced from the very first visit rather than only after the site has been seen once.

This article covers what HSTS preload is, how to enable it, and how to check your domain’s HSTS preload status using tools like CertPanel SSL Monitor and the official HSTS preload website. 

What Is HSTS Preload? 

HSTS preload is a security feature in which browsers such as Chrome, Firefox, Safari, and Edge ship with a built-in list of domains that must only be reached over HTTPS. When a domain is on that list, the browser:

  • Never sends a plaintext HTTP request to the domain (or, with includeSubDomains, to any of its subdomains).
  • Rewrites http:// URLs to https:// internally, before any request leaves the browser, so no server-side redirect is ever needed for the upgrade.
  • Treats certificate errors for the domain as fatal: the usual "proceed anyway" option is not offered.

Why is this necessary? Because a normal HSTS deployment leaves a window that an attacker on the network path can exploit: the browser learns that a site requires HTTPS only from the Strict-Transport-Security header, and it cannot receive that header until it has completed one HTTPS connection. The very first request (or the first after the max-age has expired) may therefore go out over plaintext HTTP, where an attacker can intercept it and keep the victim on HTTP (an SSL-stripping attack). Preloading closes that window by enforcing HTTPS from the first connection. It does not make every man-in-the-middle (MITM) attack impossible; an attacker who can present a certificate the browser trusts is still a problem. What it removes is the first-visit downgrade that HSTS alone cannot prevent.

Now that we know what HSTS preload is, let's look at how to configure the HTTP-to-HTTPS redirect and the HSTS header it requires on each major web server.

How to Set Up HTTP to HTTPS Redirects 

All HTTP traffic must be redirected to HTTPS. Below are server-specific configurations: 

Windows Server (IIS Configuration) 

These instructions apply to IIS 7 and later (including IIS 8.5 and IIS 10). If you’re using an older version, some steps or URL Rewrite Module support may vary. 

  • Visit Microsoft’s IIS website to download and install the URL Rewrite Module on your Windows Server. 
  • Open IIS Manager and select your domain. 
  • Configure HTTP to HTTPS redirection by editing the web.config file in the web root directory of your IIS website. 

Add an HTTP to HTTPS Redirection Block 

Add the following URL Rewrite rule inside the <system.webServer> element of web.config. The rule uses the {HTTP_HOST} server variable rather than a hard-coded hostname so that the redirect lands on the same host the client requested; hstspreload.org requires http://yourdomain to redirect to https://yourdomain before any further redirect to www or another host. If you prefer to hard-code the target, use your own domain in place of our example domain (https://itsatestsite.online/) and keep it the same host as the one being requested:

<!-- URL Rewrite rule to redirect all HTTP traffic to HTTPS on the same host -->
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <!-- Only fire when the request did not arrive over TLS -->
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <!-- 301 to the same host; {R:1} preserves the requested path, and the query string is appended by default -->
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

Add the HTTPS Block with HSTS and Other Security Headers 

Still inside <system.webServer>, add the HSTS response header:

<!-- HSTS header (required for preload) -->
<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>

Note: The <httpProtocol> section above adds the Strict-Transport-Security header, which is required for HSTS preload. It tells browsers to use HTTPS only for this host and carries the three directives hstspreload.org checks for: a max-age of at least 31536000 seconds (one year), includeSubDomains, and preload. Because customHeaders applies to every response, IIS will also attach the header to the plain-HTTP 301 redirect; browsers ignore HSTS on HTTP responses, so this is harmless, but only the header on the HTTPS response counts toward eligibility.

Restart IIS to Apply the Changes 

Restart IIS from an elevated PowerShell or Command Prompt (IIS normally re-reads web.config when it changes, so this step mainly guarantees that the new rules are live):

C:\> iisreset

NGINX Server Configuration 

These instructions are written for NGINX servers and may vary slightly based on the version you use. We'll start by covering Ubuntu and Debian users, then follow up with the path and syntax differences for CentOS, Rocky Linux, or Red Hat Enterprise Linux (RHEL).

Open the Configuration File 

  • For Ubuntu/Debian users, the default site configuration lives here (note that the file has no .conf extension on these distributions):
$ sudo vim /etc/nginx/sites-available/default
  • For CentOS, RockyLinux, or Red Hat Enterprise Linux (RHEL) users, you'll navigate to the main configuration file:
$ sudo vim /etc/nginx/nginx.conf

Or, for site-specific configurations (note the conf.d directory shown below):

$ sudo vim /etc/nginx/conf.d/default.conf

Note: Amazon Linux users can generally follow the CentOS instructions, as the directory structure and commands are nearly identical.  

Add an HTTP to HTTPS Redirection Block 

In this example, swap out the server_name value (yourdomain.com) with your domain name. The redirect target uses $host, so it stays on whatever hostname the client asked for, which is what hstspreload.org requires of the port-80 redirect:

server {
    listen 80;
    server_name yourdomain.com;
    # 301 to the same host over HTTPS, preserving the path and query string
    return 301 https://$host$request_uri;
}

Add the HTTPS Block with HSTS and Other Security Headers

Note: NGINX has no separate directive for the CA bundle. The file given to ssl_certificate must contain your server certificate followed by the intermediate certificate(s) (often called a "fullchain" file); on Ubuntu and other setups you may need to concatenate them yourself. The private key is specified separately with ssl_certificate_key.

Replace the ssl_certificate and ssl_certificate_key file paths with those for your server:

server {
    listen 443 ssl;
    server_name yourdomain.com;

    root /var/www/html;
    index index.html index.htm;

    # Leaf certificate followed by intermediates; private key kept separate
    ssl_certificate     /etc/ssl/certs/combined_certificate.crt;
    ssl_certificate_key /etc/ssl/private/private_key.key;

    ## Security headers: the first is required for HSTS preload; the others are optional hardening.
    ## "always" makes NGINX send them on error responses (4xx/5xx) too, not only on 2xx/3xx.

    # Required: HSTS for this host and all subdomains, one-year max-age, preload opt-in
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Optional: restricts where content may load from (this policy still allows any https: script source; tighten it for your site)
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https:;" always;

    # Optional: prevents your site from being framed by other origins (clickjacking)
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Optional: stops browsers from MIME-sniffing a response away from the declared Content-Type
    add_header X-Content-Type-Options "nosniff" always;

    # Optional: controls how much referrer information is sent with requests
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Optional: disables browser features the site does not use
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

Note: NGINX inherits add_header directives from the server block only when the location block defines none of its own. If you later add an add_header inside a location (for example a Cache-Control header for static files), the server-level headers, HSTS included, stop being sent for that location. Repeat the Strict-Transport-Security line inside any such location.

Restart NGINX to Apply the Changes 

The following commands work across all of the specified distributions.  

  • The first checks your configuration for syntax errors (fix anything it reports before restarting):
$ sudo nginx -t
  • The second restarts your server:
$ sudo systemctl restart nginx

Apache Server Configuration 

The following guidance applies to the Apache HTTP Server and may differ slightly depending on your operating system (e.g., Ubuntu, Debian, CentOS, Amazon Linux, or RHEL).

Open the Virtual Host Configuration Files

You'll need two virtual hosts: one on port 80 that does nothing but redirect, and one on port 443 that serves the site and sends the HSTS header.

  • For Ubuntu or Debian systems, the default HTTP site is defined in:
$ sudo vim /etc/apache2/sites-available/000-default.conf
    and the default HTTPS site in:
$ sudo vim /etc/apache2/sites-available/default-ssl.conf

Note: If this is the first time you're using SSL on Ubuntu/Debian, enable mod_ssl, the SSL site, and mod_headers (the Header directive used below is silently ignored without mod_headers):

$ sudo a2enmod ssl headers
$ sudo a2ensite default-ssl
  • For CentOS, Amazon Linux, RockyLinux, or RHEL, the SSL virtual host is typically defined in:
$ sudo vim /etc/httpd/conf.d/ssl.conf

or in a site-specific file such as the following (replace the example file name with yours):

$ sudo vim /etc/httpd/conf.d/example.com-ssl.conf

Add an HTTP-to-HTTPS Redirection Block 

In this example, swap out the ServerName example domain (itsatestsite.online) with your domain name. The redirect target must be the same hostname over HTTPS; hstspreload.org rejects a port-80 redirect that goes straight to www or another host:

<VirtualHost *:80>
  ServerName itsatestsite.online
  DocumentRoot /var/www/html

  # Redirect all HTTP traffic to HTTPS on the same host (301, path preserved)
  Redirect permanent / https://itsatestsite.online/
</VirtualHost>

Add the HSTS Header Inside the SSL <VirtualHost> Block 

<VirtualHost *:443>
  ServerName yourdomain.com
  DocumentRoot /var/www/html

  # SSL configuration
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/yourdomain_com.crt
  SSLCertificateKeyFile /etc/ssl/private/private_key.key
  # SSLCertificateChainFile is deprecated on Apache 2.4.8 and later; there you can
  # instead append the intermediates to the file named in SSLCertificateFile.
  SSLCertificateChainFile /etc/ssl/certs/My_CA_Bundle.ca-bundle

  # Required for preload: HSTS for this host and all subdomains, one-year max-age
  # ("always" also sends it on error responses; requires mod_headers)
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  ## The following additional security headers are optional but recommended

  # Restricts allowed sources of content (this policy still allows any https: source; tighten it for your site)
  Header always set Content-Security-Policy "default-src https: 'self'"

  # Prevents the site from being embedded in frames to mitigate clickjacking
  Header always set X-Frame-Options "DENY"

  # Stops browsers from MIME-sniffing a response away from the declared Content-Type
  Header always set X-Content-Type-Options "nosniff"

  # Controls how much referrer information is sent with requests
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # Disables access to browser features like geolocation, microphone, and camera
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</VirtualHost>

Restart Apache to Apply the Changes 

  • For Ubuntu/Debian users (check the configuration first, then restart):
$ sudo apachectl configtest
$ sudo systemctl restart apache2
  • For CentOS, RHEL, RockyLinux and Amazon Linux users:
$ sudo apachectl configtest
$ sudo systemctl restart httpd

Note: On some older systems without systemd, you might use service apache2 restart or service httpd restart instead of systemctl.

Check the HSTS Preload Status 

Once the HSTS header is set and all redirects are correctly configured, verify that your domain qualifies for HSTS preload. hstspreload.org checks the following, all of which the configurations above are designed to satisfy:

  • Your site serves a valid certificate.
  • If you listen on port 80, http://yourdomain.com redirects to https://yourdomain.com on the same host.
  • All subdomains are served over HTTPS, including www if a DNS record for it exists.
  • The HTTPS response for the bare domain carries a Strict-Transport-Security header with a max-age of at least 31536000 (one year), includeSubDomains, and preload. If that response is itself a redirect (for example to www), the redirect response must carry the header too.

Two practical cautions before you submit: includeSubDomains applies to every subdomain, including internal or legacy hosts that may not speak HTTPS, and a preloaded entry ships inside browser binaries, so removal takes months to propagate. hstspreload.org therefore recommends ramping up gradually (for example max-age=300, then 604800, then 2592000) and only adding preload with the full one-year max-age once nothing breaks.

How to Check and Submit Your Domain to the HSTS Preload List 

  • Go to hstspreload.org. This is the submission site for the HSTS preload list maintained by the Chromium project and built into Google Chrome. Other major browsers (Firefox, Safari, Edge) derive their own lists from it, so a single submission covers them, although the entry reaches each browser on that browser's release schedule.
  • Enter your domain name (e.g., itsatestsite.online):
    • If all requirements are met, you can submit your domain.
    • If the status shows as pending, your domain has been accepted and is waiting for the next list update; if it shows errors, fix the listed problems and re-check.

Verify Your HSTS-Related Configurations Using CertPanel SSL Monitor 

Using CertPanel SSL Monitor, you can confirm whether your HSTS headers and HTTPS setup are correct. 

  • Log in to CertPanel and navigate to the SSL Monitor Scan Tool.
  • Enter your domain and initiate a scan. 
  • Review the SSL Monitor Vulnerability report and check for: 
    • HSTS header presence with the correct preload directive. 
    • Proper HTTP to HTTPS redirects. 


Additional Steps to Ensure Proper Setup & Configuration of HSTS Preload 

If issues persist, consider these extra checks: 

Test HSTS with Online Tools 

Use online tools like site24x7’s SSL Test to verify if HSTS is enabled on your server. This tool will show the HSTS status, along with additional details about your SSL/TLS configuration. 

Verify HTTP-to-HTTPS Redirects Using cURL 

Run the following command (use your own domain in place of the example):

$ curl -I http://itsatestsite.online

Expected output (the important parts are the 301 status and a Location header pointing at the same host over HTTPS):

HTTP/1.1 301 Moved Permanently
Location: https://itsatestsite.online/
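To go beyond a single curl call, the following shell script (an added example, not part of the original guide and not CertPanel's tooling) reproduces the header and redirect checks described in the submission section above, so you can run them from a CI job before submitting. The functions operate on raw response-header text; the sample responses embedded in the script are constructed to show one passing and one failing setup, and itsatestsite.online is the guide's example domain. The HSTS_CHECK_HOST environment variable is an assumed name: set it to run the same checks live with curl.

```shell
#!/bin/sh
# Added example: offline checks mirroring the hstspreload.org header and redirect
# requirements. Not part of the original guide. Sample responses are constructed.

# check_http_redirect HEADERS HOST
# Succeeds when HEADERS (raw output of `curl -sI http://HOST`) is a 301 or 308
# whose Location is https://HOST/... (same host, as hstspreload.org requires).
check_http_redirect() {
  rd_headers=$1; rd_host=$2
  rd_status=$(printf '%s\n' "$rd_headers" | head -n 1 | awk '{print $2}')
  rd_location=$(printf '%s\n' "$rd_headers" | tr -d '\r' |
    awk 'tolower($1) == "location:" {print $2; exit}')
  case "$rd_status" in 301|308) ;; *) return 1 ;; esac
  case "$rd_location" in
    "https://$rd_host"|"https://$rd_host/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# get_hsts_value HEADERS
# Prints the Strict-Transport-Security value from raw response headers, or nothing.
get_hsts_value() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($1) == "strict-transport-security:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_hsts_value VALUE
# Succeeds when VALUE has max-age >= 31536000 (one year) plus the
# includeSubDomains and preload directives (directive names are case-insensitive).
check_hsts_value() {
  hv_lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  hv_max_age=$(printf '%s' "$hv_lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$hv_max_age" ] || return 1
  [ "$hv_max_age" -ge 31536000 ] || return 1
  case "$hv_lower" in *includesubdomains*) ;; *) return 1 ;; esac
  case "$hv_lower" in *preload*) ;; *) return 1 ;; esac
  return 0
}

# check_preload_eligibility HOST HTTP_HEADERS HTTPS_HEADERS
# Runs all checks for HOST and prints a one-line verdict; exit status 0 = eligible.
check_preload_eligibility() {
  pe_host=$1; pe_http=$2; pe_https=$3
  if ! check_http_redirect "$pe_http" "$pe_host"; then
    echo "FAIL: http://$pe_host must 301/308 to https://$pe_host (same host)"; return 1
  fi
  pe_hsts=$(get_hsts_value "$pe_https")
  if [ -z "$pe_hsts" ]; then
    echo "FAIL: no Strict-Transport-Security header on https://$pe_host"; return 1
  fi
  if ! check_hsts_value "$pe_hsts"; then
    echo "FAIL: HSTS header '$pe_hsts' needs max-age>=31536000, includeSubDomains and preload"; return 1
  fi
  echo "OK: https://$pe_host serves a preload-ready HSTS header and a same-host redirect"
}

# Constructed sample responses (what `curl -sI` prints for a good and a bad setup).
GOOD_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://itsatestsite.online/\r\n')
GOOD_HTTPS=$(printf 'HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\r\n')
BAD_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.itsatestsite.online/\r\n')
BAD_HTTPS=$(printf 'HTTP/2 200\r\nStrict-Transport-Security: max-age=300; includeSubDomains\r\n')

check_preload_eligibility itsatestsite.online "$GOOD_HTTP" "$GOOD_HTTPS"
check_preload_eligibility itsatestsite.online "$BAD_HTTP" "$BAD_HTTPS" || true

# Live check (needs network): HSTS_CHECK_HOST=itsatestsite.online sh hsts_check.sh
if [ -n "${HSTS_CHECK_HOST:-}" ]; then
  check_preload_eligibility "$HSTS_CHECK_HOST" \
    "$(curl -sI "http://$HSTS_CHECK_HOST")" "$(curl -sI "https://$HSTS_CHECK_HOST")"
fi
```

The script only covers what can be judged from two responses: the same-host redirect and the header directives. hstspreload.org additionally validates the certificate and probes every subdomain (including www), so a passing result here is a prerequisite, not a substitute, for the official check.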

Check HSTS Preload Submission 

Go to hstspreload.org and verify if your domain is listed. 

Troubleshooting HSTS Preload Issues 

If submission to the HSTS Preload List fails or HSTS doesn’t work: 

  • Ensure the Strict-Transport-Security header served on https://yourdomain.com contains the preload directive, includeSubDomains, and a max-age of at least 31536000.
  • Verify that the port-80 redirect goes to the same host over HTTPS, and that every subdomain (including www) is reachable over HTTPS with a valid certificate.
  • If the HTTPS response for the bare domain is a redirect to another host, make sure that redirect response also carries the HSTS header.
  • Re-check hstspreload.org and CertPanel SSL Monitor for misconfigurations.

Final Thoughts

HSTS preload strengthens security by forcing browsers to enforce HTTPS from the first connection. Using tools like hstspreload.org for submission and CertPanel SSL Monitor for validation ensures proper implementation. Following the server-specific steps outlined here, along with additional verification methods, will help you maintain a secure web presence.