{"id":1160,"date":"2025-05-06T08:57:00","date_gmt":"2025-05-06T08:57:00","guid":{"rendered":"https:\/\/certpanelresources.flywheelsites.com\/?page_id=1160"},"modified":"2025-06-12T19:16:50","modified_gmt":"2025-06-12T19:16:50","slug":"what-is-hsts-preload-how-to-check-hsts-is-enabled","status":"publish","type":"page","link":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/","title":{"rendered":"What Is HSTS Preload? How to Check &amp; Enable It"},"content":{"rendered":"\n<p><strong>HTTP strict transport security (HSTS) preload<\/strong> (also called <strong>HSTS preloading<\/strong>) ensures that browsers always connect to your website securely via the hypertext transfer protocol (HTTPS). It preloads your domain into a list that a browser checks before loading a domain, enforcing encrypted connections by default from the very first connection.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This article covers what HSTS preload is, how to enable it, and how to check your domain\u2019s HSTS preload status using tools like CertPanel SSL Monitor and the official HSTS preload website.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What Is HSTS Preload?&nbsp;<\/strong><\/h2>\n\n\n\n<p>HSTS preload is a security feature where browsers such as Chrome, Firefox, and Safari maintain a list of domains that enforce HTTPS. When a domain is on one of these HSTS preload lists, it ensures:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No HTTP connections occur.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automatic HTTPS redirection, even before a request reaches the server.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Why is this necessary? Because there\u2019s a tiny window of opportunity that cybercriminals can otherwise exploit \u2014 the brief period between when a browser starts to load a domain and when it can download the HSTS header. The HSTS preload approach eliminates the risk of man-in-the-middle (MITM) attacks by enforcing encryption from the very first connection (rather than making the browser wait to download a header).&nbsp;<\/p>\n\n\n\n<p>Now that we know what the HSTS preload feature is, let\u2019s explore:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#http-to-hsts-redirects\">different ways to set up HTTP to HTTPS redirects (in Windows IIS, NGINX, Apache)<\/a>\u00a0<\/li>\n\n\n\n<li><a href=\"#check-hsts-preload\">how to verify your domain\u2019s HSTS preload status<\/a>\u00a0<\/li>\n\n\n\n<li><a href=\"#check-hsts-configuration\">how to ensure your HSTS setup is properly configured<\/a>\u00a0<\/li>\n\n\n\n<li><a href=\"#mitigate-hsts-preload-issues\">ways to mitigate common HSTS preload issues<\/a>\u2003\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"http-to-hsts-redirects\"><strong>How to Set Up HTTP to HTTPS Redirects&nbsp;<\/strong><\/h2>\n\n\n\n<p>All HTTP traffic must be redirected to HTTPS. Below are server-specific configurations:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Windows Server (IIS Configuration)&nbsp;<\/strong><\/h3>\n\n\n\n<p>These instructions apply to IIS 7 and later (including IIS 8.5 and IIS 10). If you&#8217;re using an older version, some steps or URL Rewrite Module support may vary.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Visit Microsoft\u2019s IIS website to download and install the <a href=\"https:\/\/www.iis.net\/downloads\/microsoft\/url-rewrite\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>URL Rewrite Module<\/strong><\/a> on your Windows Server.&nbsp;<\/li>\n\n\n\n<li>Open <strong>IIS Manager<\/strong> and select your domain.&nbsp;<\/li>\n\n\n\n<li>Configure HTTP to HTTPS redirection by editing the <strong>web.config<\/strong> file in the web root directory of your IIS website.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Add an HTTP to HTTPS Redirection Block&nbsp;<\/strong><\/h4>\n\n\n\n<p>Add the following URL Rewrite rule in <strong>web.config <\/strong>(be sure to use your domain instead of our example domain [i.e., <a href=\"https:\/\/itsatestsite.online\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/itsatestsite.online\/<\/a>]):&nbsp;&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!-- URL Rewrite rule to redirect all HTTP traffic to HTTPS --&gt;&nbsp;\n&nbsp;&nbsp;&nbsp; &lt;rewrite&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rules&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rule name=\"Redirect to HTTPS\" stopProcessing=\"true\"&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;match url=\"(.*)\" \/&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;conditions&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;add input=\"{HTTPS}\" pattern=\"off\" ignoreCase=\"true\" \/&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;\/conditions&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;action type=\"Redirect\" url=\"https:\/\/itsatestsite.online\/{R:1}\" redirectType=\"Permanent\" \/&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;\/rule&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;\/rules&gt;&nbsp;\n&nbsp;&nbsp;&nbsp; &lt;\/rewrite&gt;<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Add the HTTPS Block with HSTS and Other Security Headers&nbsp;<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!-- HSTS Header (Required for preload)&nbsp;--&gt;&nbsp;\n&nbsp;&nbsp;&nbsp; &lt;httpProtocol&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;customHeaders&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;add name=\"Strict-Transport-Security\" value=\"max-age=31536000; includeSubDomains; preload\" \/&gt;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;\/customHeaders&gt;&nbsp;\n&nbsp;&nbsp;&nbsp; &lt;\/httpProtocol&gt;<\/code><\/pre>\n\n\n\n<p><strong>Note:<\/strong> The <em>&lt;httpProtocol&gt;<\/em> section above adds the Strict-Transport-Security header, which is required for HSTS preload. This header tells browsers to always use HTTPS when connecting to your site and includes the necessary directives (<em>max-age<\/em>, <em>includeSubDomains<\/em>, and <em>preload<\/em>) for HSTS preload eligibility.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Restart IIS to Apply the Changes&nbsp;<\/strong><\/h4>\n\n\n\n<p>Restart IIS by running the following command in PowerShell or Command Prompt in Admin mode:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ C:\\Users\\Administrator&gt; iisreset&nbsp;<\/code><\/pre>\n\n\n\n<div>\n  <script async src=\"https:\/\/js.storylane.io\/js\/v2\/storylane.js\"><\/script>\n  <div class=\"sl-embed\" style=\"position:relative;padding-bottom:calc(56.25% + 25px);width:100%;height:0;transform:scale(1)\">\n    <iframe loading=\"lazy\" class=\"sl-demo\" src=\"https:\/\/app.storylane.io\/demo\/yy8rj50fasnq?embed=inline\" name=\"sl-embed\" allow=\"fullscreen\" allowfullscreen style=\"position:absolute;top:0;left:0;width:100%!important;height:100%!important;border:1px solid rgba(63,95,172,0.35);box-shadow: 0px 0px 18px rgba(26, 19, 72, 0.15);border-radius:10px;box-sizing:border-box;\"><\/iframe>\n  <\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>NGINX Server Configuration&nbsp;<\/strong><\/h3>\n\n\n\n<p>These instructions are written for NGINX servers and may vary slightly based on the version you use. We\u2018ll start by covering <strong>Ubuntu<\/strong> and <strong>Debian<\/strong> users, then follow up with any syntax and variable-related changes for <strong>CentOS<\/strong>, <strong>Rocky Linux<\/strong>, or <strong>Red Hat Enterprise Linux (RHEL)<\/strong>.&nbsp;&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Open the Configuration File&nbsp;<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For <strong>Ubuntu\/Debian users<\/strong>, here\u2019s where you\u2019ll find the NGINX configuration file (e.g., for a single-site setup):&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo vim \/etc\/nginx\/sites-available\/default.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For <strong>CentOS<\/strong>, <strong>RockyLinux<\/strong>, or <strong>Red Hat Enterprise Linux (RHEL)<\/strong> users, you\u2019ll navigate to the following file path:&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo vim \/etc\/nginx\/nginx.conf<\/code><\/pre>\n\n\n\n<p>Or for site-specific configurations (note the conf.d directory shown below):&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo vim \/etc\/nginx\/conf.d\/default.conf <\/code><\/pre>\n\n\n\n<p><strong>Note:<\/strong> Amazon Linux users can generally follow the CentOS instructions, as the directory structure and commands are nearly identical.&nbsp;&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Add an HTTP to HTTPS Redirection Block&nbsp;<\/strong><\/h4>\n\n\n\n<p>In this example, you\u2019ll swap out the <em>server_name<\/em> example domain (e.g., itsatestsite.online) with your domain name:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server {&nbsp;\n&nbsp;&nbsp;&nbsp; listen 80;&nbsp;\n&nbsp;&nbsp;&nbsp; server_name yourdomain.com;&nbsp;\n&nbsp;&nbsp;&nbsp; return 301 https:\/\/$host$request_uri;&nbsp;\n}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Add the HTTPS Block with HSTS and Other Security Headers<\/strong><\/h4>\n\n\n\n<p><strong>Note: <\/strong>On some NGINX setups (e.g., Ubuntu), you may need to combine the certificate and the CA bundle. The private key should be specified separately for proper configuration.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Replace the <em>ssl_certificate<\/em> and <em>ssl_certificate_key<\/em> file paths with those for your server:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>server { \n\n    listen 443 ssl; \n    server_name yourdomain.com; \n\n    root \/var\/www\/html; \n    index index.html index.htm; \n\n    ssl_certificate \/etc\/ssl\/certs\/combined_certificate.crt; \n    ssl_certificate_key \/etc\/ssl\/private\/private_key.key; \n\n<strong>## Add security headers (the first one listed below is required for HSTS preload; the others are optional for enhanced security) <\/strong>\n\n<strong># Required: Enforces HTTPS for all subdomains with long cache duration <\/strong>\n    add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always; \n\n<strong> # Optional: Restricts allowed content sources to improve script safety <\/strong>\n    add_header Content-Security-Policy \"default-src 'self'; script-src 'self' https:;\" always; \n\n<strong># Optional: Prevents your site from being embedded in frames <\/strong>\n    add_header X-Frame-Options \"SAMEORIGIN\" always;\n\n<strong># Optional: Stops browsers from MIME-sniffing a response away from the declared content-type <\/strong>\n    add_header X-Content-Type-Options \"nosniff\" always; \n \n<strong># Optional: Controls how much referrer information is sent with requests<\/strong>\n    add_header Referrer-Policy \"strict-origin-when-cross-origin\" always; \n\n<strong># Optional: Disables access to various browser features for better privacy <\/strong>\n    add_header Permissions-Policy \"accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()\" always; \n\n    location \/ { \n        try_files $uri $uri\/ \/index.html; \n    } \n} <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Restart NGINX to Apply the Changes<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The following commands work across all of the specified distributions.&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first checks your config file for syntax-related errors:\u00a0<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo nginx -t&nbsp;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The second restarts your server:&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo systemctl restart nginx <\/code><\/pre>\n\n\n\n<div>\n  <script async src=\"https:\/\/js.storylane.io\/js\/v2\/storylane.js\"><\/script>\n  <div class=\"sl-embed\" style=\"position:relative;padding-bottom:calc(56.25% + 25px);width:100%;height:0;transform:scale(1)\">\n    <iframe loading=\"lazy\" class=\"sl-demo\" src=\"https:\/\/app.storylane.io\/demo\/qgxwgoyiwrsa?embed=inline\" name=\"sl-embed\" allow=\"fullscreen\" allowfullscreen style=\"position:absolute;top:0;left:0;width:100%!important;height:100%!important;border:1px solid rgba(63,95,172,0.35);box-shadow: 0px 0px 18px rgba(26, 19, 72, 0.15);border-radius:10px;box-sizing:border-box;\"><\/iframe>\n  <\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Apache Server Configuration&nbsp;<\/strong><\/h3>\n\n\n\n<p>The following guidance applies to Apache HTTP servers and may differ slightly depending on your operating system (e.g., Ubuntu, Debian, CentOS, Amazon or RHEL users etc.).&nbsp;&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Open the Virtual Host Configuration File&nbsp;<\/strong><\/h4>\n\n\n\n<p>You&#8217;ll need to open your Apache virtual host configuration file \u2014 this is usually required for a basic site setup.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For <strong>Ubuntu or Debian <\/strong>systems, you can edit the default site configuration at:&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo vim \/etc\/apache2\/sites-available\/000-default.conf<\/code><\/pre>\n\n\n\n<p><strong>Note: <\/strong>You may need to enable SSL module and site if using SSL for the first time on Ubuntu\/Debian, which you can do using the following:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo a2enmod ssl \n\n# a2ensite default-ssl <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For <strong>CentOS<\/strong>, <strong>Amazon Linux<\/strong>, <strong>RockyLinux<\/strong>, or <strong>RHEL<\/strong>, the relevant configuration file is typically located at:&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo vim \/etc\/httpd\/conf.d\/ssl.conf\t <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Open the Apache SSL Configuration File&nbsp;<\/strong><\/h4>\n\n\n\n<p>To open your config file, use the following command (but be sure to replace the example file name with yours):&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo vim \/etc\/httpd\/conf.d\/example.com-ssl.conf <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Add an HTTP-to-HTTPS Redirection Block&nbsp;<\/strong><\/h4>\n\n\n\n<p>In this example, you\u2019ll swap out the server_name example domain (e.g., itsatestsite.online) with your domain name:<strong>&nbsp;&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;VirtualHost *:80>\u00a0\n\u00a0 ServerName itsatestsite.online\u00a0\n\u00a0 DocumentRoot \/var\/www\/html\u00a0\n\n<strong>\u00a0 # Redirect all HTTP traffic to HTTPS\u00a0<\/strong>\n\u00a0 Redirect permanent \/ https:\/\/itsatestsite.online\/\u00a0\n&lt;\/VirtualHost><\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Add the HSTS Header Inside the SSL &lt;VirtualHost&gt; Block&nbsp;<\/strong><\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;VirtualHost *:443&gt; \n  ServerName yourdomain.com \n  DocumentRoot \/var\/www\/html \n\n<strong>  # SSL Configuration <\/strong>\n  SSLEngine on \n  SSLCertificateFile \/etc\/ssl\/certs\/yourdomain_com.crt \n  SSLCertificateKeyFile \/etc\/ssl\/private\/private_key.key \n  SSLCertificateChainFile \/etc\/ssl\/certs\/My_CA_Bundle.ca-bundle \n\n<strong>  # Add HSTS header <\/strong>\n  Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" \n \n<strong>## The following additional security headers are optional but recommended <\/strong>\n\n<strong># Restricts allowed sources of content to improve security  <\/strong>\n Header always set Content-Security-Policy \"default-src https: 'self'\" \n \n<strong># Prevents the site from being embedded in frames to mitigate clickjacking <\/strong>\n  Header always set X-Frame-Options \"DENY\" \n\n<strong># Stops browsers from MIME-sniffing a response away from the declared-type <\/strong>\n  Header always set X-Content-Type-Options \"nosniff\" \n\n<strong># Controls how much referrer information is sent with requests<\/strong> \n  Header always set Referrer-Policy \"strict-origin-when-cross-origin\" \n\n<strong># Disables access to browser features lie geolocation, mic, and camera <\/strong>\n  Header always set Permissions-Policy \"geolocation=(), microphone=(), camera=()\" \n&lt;\/VirtualHost&gt; <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Restart Apache to Apply the Changes&nbsp;<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For Ubuntu\/Debian users:<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo apachectl configtest \n# sudo systemctl restart apache2 <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For CentOS, RHEL, RockyLinux and Amazon Linux users:<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># sudo apachectl configtest \n# sudo systemctl restart httpd <\/code><\/pre>\n\n\n\n<p><strong>Note:<\/strong> On some older systems, you might use <em>service apache2 restart<\/em> or <em>service httpd restart<\/em> instead of <em>systemctl<\/em>.&nbsp;<\/p>\n\n\n\n<div>\n  <script async src=\"https:\/\/js.storylane.io\/js\/v2\/storylane.js\"><\/script>\n  <div class=\"sl-embed\" style=\"position:relative;padding-bottom:calc(56.25% + 25px);width:100%;height:0;transform:scale(1)\">\n    <iframe loading=\"lazy\" class=\"sl-demo\" src=\"https:\/\/app.storylane.io\/demo\/3plxcpgbrwnh?embed=inline\" name=\"sl-embed\" allow=\"fullscreen\" allowfullscreen style=\"position:absolute;top:0;left:0;width:100%!important;height:100%!important;border:1px solid rgba(63,95,172,0.35);box-shadow: 0px 0px 18px rgba(26, 19, 72, 0.15);border-radius:10px;box-sizing:border-box;\"><\/iframe>\n  <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"check-hsts-preload\"><strong>Check the HSTS Preload Status<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Once the HSTS header is set and all redirects are correctly configured, verify if your domain qualifies for HSTS preload.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How to Check and Submit Your Domain to the HSTS Preload List&nbsp;<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Go to <a href=\"https:\/\/hstspreload.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">hstspreload.org<\/a>.<\/strong>&nbsp;This is the official HSTS preload list that\u2019s built into Google Chrome. (Virtually all major browsers use this list, although Firefox also has its own <a href=\"https:\/\/searchfox.org\/mozilla-central\/source\/security\/manager\/ssl\/nsSTSPreloadList.inc\" target=\"_blank\" rel=\"noreferrer noopener\">Firefox HSTS Preload list<\/a>).<\/li>\n\n\n\n<li><strong>Enter your domain name (e.g., itsatestsite.online):<\/strong>&nbsp;\n<ul class=\"wp-block-list\">\n<li>If all requirements are met, you can submit your domain.&nbsp;<\/li>\n\n\n\n<li>If you see &#8220;Pending Submission,&#8221; your request is under review.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"http:\/\/certpanelresources.flywheelsites.com\/wp-content\/uploads\/image-1-1024x576.png\" alt=\"\" class=\"wp-image-1477\" srcset=\"https:\/\/certpanel.com\/resources\/wp-content\/uploads\/image-1-1024x576.png 1024w, https:\/\/certpanel.com\/resources\/wp-content\/uploads\/image-1-300x169.png 300w, https:\/\/certpanel.com\/resources\/wp-content\/uploads\/image-1-768x432.png 768w, https:\/\/certpanel.com\/resources\/wp-content\/uploads\/image-1.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"check-hsts-configuration\"><strong>Verify Your HSTS-Related Configurations Using CertPanel SSL Monitor&nbsp;<\/strong><\/h3>\n\n\n\n<p>Using <a href=\"https:\/\/certpanel.com\/ssl-monitor\" target=\"_blank\" rel=\"noreferrer noopener\">CertPanel SSL Monitor<\/a>, you can confirm whether your HSTS headers and HTTPS setup are correct.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to CertPanel and navigate to the <strong>SSL Monitor Scan Tool<\/strong>.&nbsp;<\/li>\n\n\n\n<li>Enter your domain and initiate a scan.&nbsp;<\/li>\n\n\n\n<li>Review the SSL Monitor Vulnerability report and check for:&nbsp;\n<ul class=\"wp-block-list\">\n<li>HSTS header presence with the correct preload directive.&nbsp;<\/li>\n\n\n\n<li>Proper HTTP to HTTPS redirects.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Want to see just how easy it is to verify HSTS preload with CertPanel? Click through our demo below to see for yourself:&nbsp;<\/p>\n\n\n\n<div>\n  <script async src=\"https:\/\/js.storylane.io\/js\/v2\/storylane.js\"><\/script>\n  <div class=\"sl-embed\" style=\"position:relative;padding-bottom:calc(56.25% + 25px);width:100%;height:0;transform:scale(1)\">\n    <iframe loading=\"lazy\" class=\"sl-demo\" src=\"https:\/\/app.storylane.io\/demo\/dolxlfe1tbqe?embed=inline\" name=\"sl-embed\" allow=\"fullscreen\" allowfullscreen style=\"position:absolute;top:0;left:0;width:100%!important;height:100%!important;border:1px solid rgba(63,95,172,0.35);box-shadow: 0px 0px 18px rgba(26, 19, 72, 0.15);border-radius:10px;box-sizing:border-box;\"><\/iframe>\n  <\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mitigate-hsts-preload-issues\"><strong>Additional Steps to Ensure Proper Setup &amp; Configuration of HSTS Preload<\/strong>&nbsp;<\/h3>\n\n\n\n<p>If issues persist, consider these extra checks:&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Test HSTS with Online Tools&nbsp;<\/strong><\/h4>\n\n\n\n<p>Use online tools like <a href=\"https:\/\/www.site24x7.com\/tools\/hsts.html\">site24x7&#8217;s SSL Test<\/a> to verify if HSTS is enabled on your server. This tool will show the HSTS status, along with additional details about your SSL\/TLS configuration.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Verify HTTP-to-HTTPS Redirects Using cURL<\/strong>&nbsp;<\/h4>\n\n\n\n<p><strong>Run the following command:&nbsp;<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># curl -I <a href=\"http:\/\/itsatestsite.online\/\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/itsatestsite.online<\/a>&nbsp;<\/code><\/pre>\n\n\n\n<p><strong>Expected output<\/strong>:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>HTTP\/1.1 301 Moved Permanently&nbsp;\n\nLocation: https:\/\/itsatestsite.online<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Check HSTS Preload Submission<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Go to <a href=\"https:\/\/hstspreload.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">hstspreload.org<\/a> and verify if your domain is listed.&nbsp;<\/p>\n\n\n\n<div>\n  <script async src=\"https:\/\/js.storylane.io\/js\/v2\/storylane.js\"><\/script>\n  <div class=\"sl-embed\" style=\"position:relative;padding-bottom:calc(56.25% + 25px);width:100%;height:0;transform:scale(1)\">\n    <iframe loading=\"lazy\" class=\"sl-demo\" src=\"https:\/\/app.storylane.io\/demo\/0vxac4dzvzl8?embed=inline\" name=\"sl-embed\" allow=\"fullscreen\" allowfullscreen style=\"position:absolute;top:0;left:0;width:100%!important;height:100%!important;border:1px solid rgba(63,95,172,0.35);box-shadow: 0px 0px 18px rgba(26, 19, 72, 0.15);border-radius:10px;box-sizing:border-box;\"><\/iframe>\n  <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Troubleshooting HSTS Preload Issues<\/strong>&nbsp;<\/h2>\n\n\n\n<p>If submission to the HSTS Preload List fails or HSTS doesn\u2019t work:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure the preload directive is added to the HSTS header.&nbsp;<\/li>\n\n\n\n<li>Verify that all subdomains are redirected to HTTPS.&nbsp;<\/li>\n\n\n\n<li>Re-check hstspreload.org and CertPanel SSL Monitor for misconfigurations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Final Thoughts<\/strong><\/h2>\n\n\n\n<p>HSTS preload strengthens security by forcing browsers to enforce HTTPS from the first connection. Using tools like hstspreload.org for submission and CertPanel SSL Monitor for validation ensures proper implementation. Following the server-specific steps outlined here, along with additional verification methods, will help you maintain a secure web presence.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HTTP strict transport security (HSTS) preload (also called HSTS preloading) ensures that browsers always connect to your website securely via the hypertext transfer protocol (HTTPS). It preloads your domain into a list that a browser checks before loading a domain, enforcing encrypted connections by default from the very first connection.&nbsp;&nbsp; This article covers what HSTS<\/p>\n","protected":false},"author":10,"featured_media":1825,"parent":1153,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"wp-custom-template-expert-guides-detail","meta":{"_acf_changed":false,"_eb_attr":"","footnotes":""},"class_list":["post-1160","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What Is HSTS Preload? How to Check &amp; Enable It<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What Is HSTS Preload? How to Check &amp; Enable It\" \/>\n<meta property=\"og:description\" content=\"HTTP strict transport security (HSTS) preload (also called HSTS preloading) ensures that browsers always connect to your website securely via the hypertext transfer protocol (HTTPS). It preloads your domain into a list that a browser checks before loading a domain, enforcing encrypted connections by default from the very first connection.&nbsp;&nbsp; This article covers what HSTS\" \/>\n<meta property=\"og:url\" content=\"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-12T19:16:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/certpanel.com\/resources\/wp-content\/uploads\/hsts-preload-featurex.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"418\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/\",\"url\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/\",\"name\":\"What Is HSTS Preload? How to Check &amp; Enable It\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/wp-content\\\/uploads\\\/hsts-preload-featurex.jpg\",\"datePublished\":\"2025-05-06T08:57:00+00:00\",\"dateModified\":\"2025-06-12T19:16:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/#primaryimage\",\"url\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/wp-content\\\/uploads\\\/hsts-preload-featurex.jpg\",\"contentUrl\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/wp-content\\\/uploads\\\/hsts-preload-featurex.jpg\",\"width\":418,\"height\":200,\"caption\":\"Thumbnail feature image for a CertPanel Resource article on HSTS Preload\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/hsts-preload-how-to-check-status-and-enable\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Expert Guides\",\"item\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/expert-guides\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SSL\\\/TLS Best Practices\",\"item\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/ssl-tls-best-practices\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"What Is HSTS Preload? How to Check &amp; Enable It\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/#website\",\"url\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/\",\"name\":\"\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/certpanel.com\\\/resources\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What Is HSTS Preload? How to Check &amp; Enable It","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/","og_locale":"en_US","og_type":"article","og_title":"What Is HSTS Preload? How to Check &amp; Enable It","og_description":"HTTP strict transport security (HSTS) preload (also called HSTS preloading) ensures that browsers always connect to your website securely via the hypertext transfer protocol (HTTPS). It preloads your domain into a list that a browser checks before loading a domain, enforcing encrypted connections by default from the very first connection.&nbsp;&nbsp; This article covers what HSTS","og_url":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/","article_modified_time":"2025-06-12T19:16:50+00:00","og_image":[{"width":418,"height":200,"url":"https:\/\/certpanel.com\/resources\/wp-content\/uploads\/hsts-preload-featurex.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/","url":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/","name":"What Is HSTS Preload? How to Check &amp; Enable It","isPartOf":{"@id":"https:\/\/certpanel.com\/resources\/#website"},"primaryImageOfPage":{"@id":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/#primaryimage"},"image":{"@id":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/#primaryimage"},"thumbnailUrl":"https:\/\/certpanel.com\/resources\/wp-content\/uploads\/hsts-preload-featurex.jpg","datePublished":"2025-05-06T08:57:00+00:00","dateModified":"2025-06-12T19:16:50+00:00","breadcrumb":{"@id":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/#primaryimage","url":"https:\/\/certpanel.com\/resources\/wp-content\/uploads\/hsts-preload-featurex.jpg","contentUrl":"https:\/\/certpanel.com\/resources\/wp-content\/uploads\/hsts-preload-featurex.jpg","width":418,"height":200,"caption":"Thumbnail feature image for a CertPanel Resource article on HSTS Preload"},{"@type":"BreadcrumbList","@id":"https:\/\/certpanel.com\/resources\/hsts-preload-how-to-check-status-and-enable\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/certpanel.com\/resources\/"},{"@type":"ListItem","position":2,"name":"Expert Guides","item":"https:\/\/certpanel.com\/resources\/expert-guides\/"},{"@type":"ListItem","position":3,"name":"SSL\/TLS Best Practices","item":"https:\/\/certpanel.com\/resources\/ssl-tls-best-practices\/"},{"@type":"ListItem","position":4,"name":"What Is HSTS Preload? How to Check &amp; Enable It"}]},{"@type":"WebSite","@id":"https:\/\/certpanel.com\/resources\/#website","url":"https:\/\/certpanel.com\/resources\/","name":"","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/certpanel.com\/resources\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/pages\/1160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/comments?post=1160"}],"version-history":[{"count":10,"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/pages\/1160\/revisions"}],"predecessor-version":[{"id":1826,"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/pages\/1160\/revisions\/1826"}],"up":[{"embeddable":true,"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/pages\/1153"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/media\/1825"}],"wp:attachment":[{"href":"https:\/\/certpanel.com\/resources\/wp-json\/wp\/v2\/media?parent=1160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}