
Fix HSTS Preload Directive Configuration

DodaTech, updated 2026-06-26

In this tutorial, you'll learn how to fix an HSTS preload directive configuration. We cover key concepts, practical examples, and best practices.

The preload directive tells browsers to include your domain in their hardcoded HSTS preload lists. Once submitted and accepted, browsers will never connect to your domain over HTTP, even on the very first visit. This is the strongest form of HTTPS enforcement, but misconfiguration can cause permanent lockout.

Wrong

HSTS preload is configured without meeting the requirements. The header carries the preload directive, but includeSubDomains is missing:

Strict-Transport-Security: max-age=31536000; preload

The preload submission to https://hstspreload.org is rejected with:

Status: Preload submission rejected
Reason: Missing includeSubDomains directive

Another common mistake is using preload with a max-age below 31536000:

Strict-Transport-Security: max-age=86400; includeSubDomains; preload

The submission is rejected because max-age must be at least 1 year (31536000 seconds).

Configure all three required directives and submit to the preload list.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Express with helmet:

const express = require("express");
const helmet = require("helmet");

const app = express();
app.use(helmet.hsts({
  maxAge: 31536000,        // one year, in seconds
  includeSubDomains: true,
  preload: true,
}));

After deploying the header, confirm it is served on the root domain, then submit the domain at https://hstspreload.org:

curl -I https://example.com | grep Strict-Transport-Security
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The preload check verifies all requirements:

  • HTTPS redirect from HTTP
  • HSTS header on the root domain
  • max-age at least 31536000
  • includeSubDomains present
  • preload directive present
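The header-side part of that check, as an added example that is not code from the original page: a small parser for the Strict-Transport-Security value and a validator that reports exactly why each of the article's headers would be rejected or accepted (the redirect and certificate checks need a live request and are out of scope here).

```javascript
// Added example, not from the original page: check a Strict-Transport-Security
// value against the header-side preload requirements listed above. No network
// access; the sample values below are constructed from the article's headers.

const PRELOAD_MIN_MAX_AGE = 31536000; // one year in seconds

// Split "max-age=31536000; includeSubDomains; preload" into a directive map.
// Names are case-insensitive (RFC 6797); duplicates are recorded so they can be flagged.
function parseHsts(headerValue) {
  const directives = new Map();
  const duplicates = [];
  for (const part of headerValue.split(";")) {
    const token = part.trim();
    if (!token) continue;
    const [rawName, ...rest] = token.split("=");
    const name = rawName.trim().toLowerCase();
    const value = rest.length ? rest.join("=").trim().replace(/^"|"$/g, "") : null;
    if (directives.has(name)) duplicates.push(name);
    directives.set(name, value);
  }
  return { directives, duplicates };
}
// Return the list of problems; an empty array means the header itself is preload-ready
// (the HTTP->HTTPS redirect and certificate checks still need a live request).
function checkPreload(headerValue) {
  const { directives, duplicates } = parseHsts(headerValue);
  const problems = duplicates.map((d) => `duplicate directive: ${d}`);
  const maxAge = directives.get("max-age");
  if (maxAge == null || !/^\d+$/.test(maxAge)) {
    problems.push("max-age missing or not a non-negative integer");
  } else if (Number(maxAge) < PRELOAD_MIN_MAX_AGE) {
    problems.push(`max-age ${maxAge} is below the ${PRELOAD_MIN_MAX_AGE} minimum`);
  }
  if (!directives.has("includesubdomains")) problems.push("includeSubDomains missing");
  if (!directives.has("preload")) problems.push("preload missing");
  return problems;
}

// Constructed samples: the two rejected headers from the article and the accepted one.
const SAMPLES = {
  missingSubdomains: "max-age=31536000; preload",
  shortMaxAge: "max-age=86400; includeSubDomains; preload",
  correct: "max-age=31536000; includeSubDomains; preload",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  const problems = checkPreload(value);
  console.log(`${name}: ${problems.length ? problems.join("; ") : "OK for preload"}`);
}
```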

Prevention

  • Deploy HSTS with includeSubDomains and max-age=31536000 before adding preload.
  • Verify the header is present on the root domain using curl -I https://example.com.
  • Test that all subdomains support HTTPS before submitting for preload.
  • Understand that preload removal is very difficult once accepted. Some browsers require years to remove a domain.
  • Use the preload submission status page to check if your domain is already preloaded.
  • Submit the domain to https://hstspreload.org only after you are fully committed to permanent HTTPS.

DodaTech Tools

Doda Browser ships with the HSTS preload list, enforcing HTTPS for preloaded domains before any connection attempt. DodaZIP's SSL audit tool checks whether domains are on the preload list and validates the HSTS configuration. Durga Antivirus Pro domains were submitted to the preload list in 2022 and have enforced HTTPS-only connections ever since.

FAQ

What are the requirements for HSTS preload submission?

The requirements are: a valid HTTPS certificate on the root domain, HTTP to HTTPS redirect on port 80, Strict-Transport-Security header with max-age=31536000 (at least), includeSubDomains, and preload directives. The root domain must serve the HSTS header on HTTPS responses. Submit at https://hstspreload.org.

Can I remove my domain from the HSTS preload list?

Removal is possible but takes months or years depending on the browser. Chrome requires a removal request and the domain must serve max-age=0 for the duration of the previous max-age. During this period, the domain is effectively locked into HTTPS. Consider this a permanent commitment.

What happens when a domain is in the preload list?

Browsers will ALWAYS connect to the domain over HTTPS, even if the user types http:// or clicks an HTTP link. The browser refuses to send any HTTP request. This protects against the very first connection, which is the most vulnerable to SSL stripping attacks. Preload is the ultimate protection against downgrade attacks.
