Fix HSTS Preload Directive Configuration
In this tutorial, you'll learn how to fix HSTS preload directive configuration. We cover key concepts, practical examples, and best practices.
The preload directive tells browsers to include your domain in their hardcoded HSTS preload lists. Once submitted and accepted, browsers will never connect to your domain over HTTP, even on the very first visit. This is the strongest form of HTTPS enforcement, but misconfiguration can cause permanent lockout.
Wrong
HSTS preload is configured without meeting the requirements. Here the preload directive is set, but includeSubDomains is missing:
Strict-Transport-Security: max-age=31536000; preload
The preload submission to https://hstspreload.org is rejected with:
Status: Preload submission rejected
Reason: Missing includeSubDomains directive
Another common mistake is using preload with a max-age below 31536000:
Strict-Transport-Security: max-age=86400; includeSubDomains; preload
The submission is rejected because max-age must be at least 1 year (31536000 seconds).
Right
Configure all three required directives and submit to the preload list.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Express with helmet:
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true,
  preload: true,
}));
After deploying the header, verify it is served and then submit the domain at https://hstspreload.org:
curl -I https://example.com | grep Strict-Transport-Security
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The preload check verifies all requirements:
- HTTPS redirect from HTTP
- HSTS header on the root domain
- max-age at least 31536000
- includeSubDomains present
- preload directive present
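Added example (not from the original tutorial): a small Node.js checker that parses a Strict-Transport-Security value and reports which of the preload requirements above it fails; the sample header values are constructed to match the Wrong and Right cases.

```javascript
// Added example (not part of the original tutorial): parse a
// Strict-Transport-Security header value and report which hstspreload.org
// requirements it fails. The sample header values are constructed.
'use strict';

const ONE_YEAR = 31536000; // minimum max-age accepted for preload

// Split "max-age=31536000; includeSubDomains; preload" into a directive map.
// Directive names are matched case-insensitively, as RFC 6797 requires.
function parseHsts(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const rawValue = eq === -1 ? '' : token.slice(eq + 1).trim();
    directives[name] = rawValue.replace(/^"(.*)"$/, '$1'); // strip optional quotes
  }
  return directives;
}

// Return the preload requirements the header fails (an empty array means OK).
function preloadProblems(headerValue) {
  const d = parseHsts(headerValue);
  const problems = [];
  const maxAge = Number.parseInt(d['max-age'], 10);
  if (!('max-age' in d) || Number.isNaN(maxAge)) {
    problems.push('max-age is missing or not a number');
  } else if (maxAge < ONE_YEAR) {
    problems.push(`max-age ${maxAge} is below ${ONE_YEAR} (1 year)`);
  }
  if (!('includesubdomains' in d)) problems.push('includeSubDomains directive missing');
  if (!('preload' in d)) problems.push('preload directive missing');
  return problems;
}

// Constructed samples mirroring the Wrong and Right headers in the tutorial.
const samples = {
  noIncludeSubDomains: 'max-age=31536000; preload',
  shortMaxAge: 'max-age=86400; includeSubDomains; preload',
  correct: 'max-age=31536000; includeSubDomains; preload',
};

for (const [label, value] of Object.entries(samples)) {
  const problems = preloadProblems(value);
  console.log(`${label}: ${problems.length ? problems.join('; ') : 'meets preload requirements'}`);
}
```

Feed it the value printed by the curl command above to check a live header before submitting; it does not replace the HTTP-to-HTTPS redirect check that hstspreload.org also performs.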
Prevention
- Deploy HSTS with includeSubDomains and max-age=31536000 before adding preload.
- Verify the header is present on the root domain using curl -I https://example.com.
- Test all subdomains to ensure they support HTTPS before submitting for preload.
- Understand that preload removal is very difficult once accepted. Some browsers require years to remove a domain.
- Use the preload submission status page to check if your domain is already preloaded.
- Submit the domain to https://hstspreload.org only after you are fully committed to permanent HTTPS.
DodaTech Tools
Doda Browser ships with the HSTS preload list, enforcing HTTPS for preloaded domains before any connection attempt. DodaZIP's SSL audit tool checks whether domains are on the preload list and validates the HSTS configuration. Durga Antivirus Pro domains were submitted to the preload list in 2022 and have enforced HTTPS-only connections ever since.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro