Security headers · Check
HSTS preload-eligible but not on the list — submitting at hstspreload.org
Your `Strict-Transport-Security` header satisfies the Chromium preload submission requirements (max-age ≥ 1 year, includeSubDomains, preload), but the hstspreload.org API reports the domain as not preloaded. Submitting closes the bootstrap window — the brief moment when a browser hasn't yet seen your HSTS header and could still send the very first request over plaintext HTTP.
Why it matters
Submission is free and takes one form at hstspreload.org. Once Chromium accepts the entry, the browser refuses HTTP for your domain even on the very first visit, and downstream browsers (Edge, Firefox, Safari) inherit the list.
Real-world risk
Without preload, the browser's first request to your domain may travel over plaintext HTTP before the HSTS header is observed — a one-time window an attacker on a hostile network can exploit to intercept the initial response and never let HTTPS take over.
Fix steps (in order)
- Visit https://hstspreload.org/?domain=YOURDOMAIN and follow the submission flow.
- The form will re-verify your HSTS header automatically; if anything has drifted (max-age too low, missing preload directive), fix the header first.
- Submission acceptance takes a few weeks as new Chromium releases roll out; downstream browsers (Edge, Firefox, Safari) pick up the list afterwards.
- Once preloaded, every supported browser refuses HTTP for your domain even on the first visit.
Topic explainer
What is HSTS? HTTP Strict Transport Security explained →
How HSTS works, why the bootstrap window matters, what max-age and includeSubDomains do, and when (or whether) to submit your domain to the browser preload list.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (hsts_preload_eligible_not_listed) clears once the externally-observable signal is in place.