Security headers · Check
HSTS preload header drift — keeping enrollment compatible
The hstspreload.org API reports your domain as currently preloaded, but the HSTS header you serve no longer satisfies preload requirements (max-age ≥ 1 year, includeSubDomains, preload). Browsers ship preload entries from periodic snapshots; once your enrollment is reviewed for renewal — or you submit a removal request — the mismatched header can cause removal from the list.
Why it matters
Restore a preload-compatible HSTS header so your enrollment stays valid through future browser refreshes. If the change was intentional (you're rolling back HSTS), submit a removal request via hstspreload.org so the entry is dropped cleanly.
Real-world risk
Browsers ship preload entries from periodic snapshots, so a mismatched header doesn't immediately remove your protection — but it puts your enrollment at risk on the next review and signals that something has changed in your TLS deployment.
Fix steps (in order)
- Verify the current Strict-Transport-Security header on your homepage: it should include max-age=31536000 (or higher), includeSubDomains, and preload.
- If the change was unintentional, restore the preload-compatible header at the layer that terminates TLS (CDN, load balancer, origin).
- If the change was intentional (you're rolling back HSTS for a real reason), submit a removal request at https://hstspreload.org/removal/ so the entry is dropped cleanly.
- Re-check the API after deploying the fix: curl -s https://hstspreload.org/api/v2/status?domain=YOURDOMAIN
Topic explainer
What is HSTS? HTTP Strict Transport Security explained →
How HSTS works, why the bootstrap window matters, what max-age and includeSubDomains do, and when (or whether) to submit your domain to the browser preload list.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (hsts_preload_listed_header_drift) clears once the externally-observable signal is in place.