How to check if a web page supports or uses HTTP Strict Transport Security (HSTS)

Who I am
Shane Conder
@shaneconder

What is HSTS?

Home connections have WEP, WPA, WPA2 and WPA3 for WiFi security; websites have HSTS. HSTS is a policy designed specifically for website security. The principle is to create a defensive barrier that prevents fraudulent attacks. The goal is for communications, cookies and other factors to be impenetrable.

The operation of HSTS is somewhat complicated, but in short, when the security of the connection is compromised, an error message appears. This error message makes it impossible to access the site.



Undoubtedly, this system has proven effective in preventing some attacks that were common in the past, such as those that try to track a computer by its IP address and that have seriously compromised the security of users. That said, a website with HSTS security has a defensive barrier that others don't.

So how do we know if a website supports HSTS? There are several ways to check. In this case, it is best to use certain platforms or web applications built for this purpose.

Check if the webpage supports HSTS with hstspreload

Perhaps the easiest way to check if a web page supports the HSTS protocol is to use the hstspreload website. The site is very simple to use: we only have to provide the website that we want to check. However, if you have any doubts (keep in mind that the site is in English), please read the following information carefully.

  • Go to the hstspreload website. There you will see a text field (just under "Enter a domain"). Type the website you want to check into this field.
  • Once you have entered the website correctly, click the button "Check the status and eligibility of the HSTS preload". The result will then be displayed.
  • If you see Status: "your website" is currently preloaded, that means it has HSTS. If you see the result Status: "your website" is not preloaded, it means that the page does not support HSTS.
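The hstspreload check reports preload-list status; the policy itself is delivered in the `Strict-Transport-Security` response header, which a site can send whether or not it is on the list. The Python below is an added example, not part of the original article: it parses a header value following the RFC 6797 rules and classifies it against the hstspreload.org header requirements (max-age of at least one year, `includeSubDomains`, `preload`). The function names and the sample header values are constructed for illustration.

```python
# Added example: parse and classify a Strict-Transport-Security header value.
import re

PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum

def parse_hsts(value):
    """Return the policy as a dict, or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty directives such as a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')  # max-age may be a quoted string
    age = seen.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is required and must be a whole number
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }

def assess(value):
    """Classify a header value: 'none', 'disabled', 'hsts' or 'preload-ready'."""
    policy = parse_hsts(value) if value else None
    if policy is None:
        return "none"  # header absent or unusable: no HSTS policy applies
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to forget the policy
    ready = (policy["max_age"] >= PRELOAD_MIN_AGE
             and policy["include_subdomains"] and policy["preload"])
    return "preload-ready" if ready else "hsts"

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = [
        "max-age=63072000; includeSubDomains; preload",
        "max-age=15552000",
        "max-age=0",
        None,  # response carried no Strict-Transport-Security header
    ]
    for s in samples:
        print(f"{s!r:50} -> {assess(s)}")
```

The header value to feed in can be copied from the response headers shown in the browser's developer tools or from `curl -sI` output for the HTTPS URL; browsers ignore this header on plain HTTP responses.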



In addition to the above, viewing the SSL certificate in the Google Chrome browser helps verify the operation of other protocols, which is good to know if you have questions about a website.


What is the use of checking that a website supports HSTS?

Not all websites support HSTS, which raises the question of what HSTS is for. As we pointed out earlier, HSTS is a security policy that tries to protect users from cyber attacks.

That said, the main reason it is relevant for a website to support HSTS is that, in general terms, it is safer for users. In any case, there is no need to be alarmed if a website does not have this functionality.


In fact, it is mainly large websites, such as Facebook, that have this protocol. Pages with less coverage usually don't have HSTS, and that does not mean that they are dangerous places.
