Paste any URL you're authorized to test. Scorifya fetches the response and shows your Strict-Transport-Security header alongside the rest of your security headers, so you can see if HSTS is present and strong enough.
Free tool
HSTS (Strict-Transport-Security) is the header that tells browsers to use HTTPS only and closes the first-visit downgrade window that plain HTTPS leaves open. It is easy to get subtly wrong: a max-age that is too short, a missing includeSubDomains, or rushing preload, which is slow to undo. A checker tells you whether HSTS is present, whether it is strong enough, and whether it is preload-eligible, without reading raw headers by hand.
Paste any URL you're allowed to test. Scorifya fetches the response and reports your Strict-Transport-Security header, present or absent, with its max-age, includeSubDomains, and preload state, plus provider-neutral fixes. HSTS sits inside the broader 0 to 100 hardening score, so you also see the TLS, header, and exposure context around it.
This page is written for people searching for HSTS checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: HTTPS works, HSTS missing
TLS is healthy and the site loads over HTTPS, but no Strict-Transport-Security header is sent, so a first-visit downgrade window stays open.
Strict-Transport-Security missing
Without HSTS, a browser can still be tricked into an HTTP connection before any policy is cached, especially on the very first visit. The header is a one-line addition at your web server, reverse proxy, or framework.
No includeSubDomains coverage
Even where HSTS is set on the apex, subdomains stay unprotected until includeSubDomains is added and every subdomain is HTTPS-ready.
Example B: HSTS present but weak
Strict-Transport-Security is sent, but a short max-age and no includeSubDomains leave points on the table. Widening both pushes the score up.
HSTS max-age too short
A max-age measured in minutes or hours barely helps. Move toward six months once the site is stable on HTTPS, then a full year.
includeSubDomains not set
Add includeSubDomains once every subdomain serves HTTPS, so the policy covers the whole zone rather than just the hostname you tested.
Set HSTS at one layer
Add Strict-Transport-Security in a single place: your reverse proxy, your CDN, or your app framework. Setting it in two places risks conflicting values. Start with Strict-Transport-Security: max-age=15552000 (six months) while you confirm nothing on HTTP still needs to work.
Widen to a year with includeSubDomains once stable
After the site has been solid on HTTPS for a quarter and every subdomain is HTTPS-ready, move to max-age=31536000; includeSubDomains. This is the value most strong configurations land on.
Only add preload deliberately
The preload directive submits your domain to a list shipped inside browsers. It is powerful but slow to reverse, so add it only after a one-year max-age with includeSubDomains has been live for at least a month, then submit at hstspreload.org. See /guides/nextjs-hsts and /guides/express-hsts for framework specifics.
Make sure every subdomain is HTTPS-ready first
includeSubDomains and preload apply to the whole zone. If a single subdomain still needs HTTP (an old tool, a legacy redirect), fix or retire it before widening the policy, or you will lock yourself out of it.
Re-scan after every header change
Headers update on the very next response after a deploy or proxy change, so re-scan immediately to confirm HSTS landed with the value you expect.
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
HSTS stands for HTTP Strict Transport Security. It is a response header (Strict-Transport-Security) that tells browsers to only ever connect to your site over HTTPS for a set period. Once a browser has seen it, it refuses to make plain HTTP requests to your domain, which closes the window where a first visit or a typed http:// URL could be downgraded or intercepted.
Start conservative and widen. A six-month max-age (15552000 seconds) is a safe first step. Once the site has been stable on HTTPS for a quarter and every subdomain serves HTTPS, move to one year (31536000) with includeSubDomains. Only consider preload after that has been live for a while, because preload is hard to undo.
includeSubDomains extends the HTTPS-only policy to every subdomain of your domain, not just the hostname that sent the header. It is safe only once all of those subdomains are reachable over HTTPS. If one still needs HTTP, includeSubDomains will block it, so confirm full HTTPS coverage before adding it.
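The rollout steps and the explainers above can be turned into a small grader. This is an added example, not Scorifya's own code: it parses one Strict-Transport-Security value and applies the thresholds quoted on this page (six months to start, one year plus includeSubDomains once stable, preload only on top of that, which is also what hstspreload.org requires).

```python
# Added example for this page, not Scorifya's own code: parse one
# Strict-Transport-Security value and grade it with the page's thresholds
# (six months to start, a year plus includeSubDomains when stable, preload last).
from dataclasses import dataclass, field

SIX_MONTHS = 15552000  # seconds
ONE_YEAR = 31536000    # seconds

@dataclass
class HstsPolicy:
    present: bool
    max_age: "int | None" = None   # None when the directive is absent or invalid
    include_subdomains: bool = False
    preload: bool = False
    findings: list = field(default_factory=list)

def parse_hsts(header):
    """RFC 6797 syntax: ';'-separated directives, case-insensitive names,
    optional quoted values; unknown directives are ignored, as browsers do."""
    if header is None or not header.strip():
        return HstsPolicy(present=False, findings=["Strict-Transport-Security missing"])
    policy = HstsPolicy(present=True)
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.findings.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def grade_hsts(header):
    # Findings use the same wording as the example reports on this page.
    policy = parse_hsts(header)
    if not policy.present:
        return policy
    if policy.max_age is None:
        policy.findings.append("max-age missing, browsers ignore the header")
    elif policy.max_age < SIX_MONTHS:
        policy.findings.append("HSTS max-age too short")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains not set")
    if policy.preload and not (policy.include_subdomains
                               and (policy.max_age or 0) >= ONE_YEAR):
        policy.findings.append("preload set but not preload-eligible")
    return policy
```

Feed it the header value from the final response in the redirect chain; a policy sent only on an intermediate HTTP hop is ignored by browsers.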
Yes. Checking HSTS (and running the full Scorifya scan) is free for any URL you're authorized to test. Pro adds higher rate limits, scheduled re-scans, watch lists with alerts, and exports.
It follows the redirect chain from the URL you paste and scores the final response, while flagging any HTTP hops along the way. It only fetches public, unauthenticated URLs, so test headers on authenticated routes during your own staging passes.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.