Security Headers & HSTS Checker
Check a site's HTTP security headers over HTTPS — including HSTS and whether it qualifies for the browser preload list.
We connect over HTTPS on port 443 to publicly reachable hosts only.
Headers drift, just like certificates
An HSTS header dropped during a deployment is invisible until something breaks. CertControl tracks security headers alongside your TLS configuration on every scan, across every endpoint.
The security headers we check
HSTS, the most security-critical of the HTTP security headers, forces browsers onto HTTPS and, with a long max-age plus includeSubDomains and preload, qualifies a domain for the browser preload list. CSP limits where content can load from, X-Frame-Options blocks clickjacking, X-Content-Type-Options stops MIME sniffing, and Referrer-Policy and Permissions-Policy control referrer leakage and browser feature access.
What is HSTS preload eligibility?
To qualify for the browsers' built-in HSTS preload list, a site must send Strict-Transport-Security with a max-age of at least one year, plus includeSubDomains and the preload directive, over a valid certificate. This checker tells you whether the header meets all of those conditions.
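The header conditions listed above can be checked mechanically. The following is an added example, not this checker's own code: it parses a Strict-Transport-Security value and reports which of the three header conditions fail. The function names and sample values are constructed for illustration, and certificate validity is assumed to be verified separately.

```python
# Added example: evaluates a Strict-Transport-Security value against the
# three header conditions this page lists for preload eligibility.
ONE_YEAR = 31_536_000  # seconds in 365 days; the "at least one year" floor


def parse_hsts(value):
    """Parse an HSTS value into {directive: argument-or-None}.

    Directive names are case-insensitive. RFC 6797 allows each directive
    only once, so a repeated directive is treated as invalid (returns None).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty segments such as a trailing ';'
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"') if sep else None
    return directives


def preload_problems(value):
    """Return the reasons the header fails; an empty list means it passes."""
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    d = parse_hsts(value)
    if d is None:
        return ["malformed header: repeated directive"]
    problems = []
    max_age = d.get("max-age")
    if not (max_age and max_age.isascii() and max_age.isdigit()):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            problems.append(f"{flag} directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    for s in ("max-age=63072000; includeSubDomains; preload",
              "max-age=15768000; includeSubDomains"):
        print(s, "->", preload_problems(s) or "meets header conditions")
```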
Do these headers affect my SSL grade?
HSTS does. Under the SSL Labs methodology our SSL test follows, an otherwise perfect server that does not send an HSTS header is capped at A-. The other headers here harden the site against clickjacking, MIME sniffing and content injection but are scored separately.
Why check over HTTPS only?
Headers like HSTS are only meaningful on a TLS connection, and browsers ignore an HSTS header served over plain HTTP. The checker connects on port 443 to reflect what a real browser sees.