HTTP Strict Transport Security Test

Our easy-to-use HSTS tool checks whether HTTP Strict Transport Security is enabled on your website, improving security and providing peace of mind.

Input Your Domain to test HTTP Strict Transport Security online

Codezi.pro is a free tool that allows users to check whether HTTP Strict Transport Security (HSTS) is enabled on their website. It is an easy-to-use tool that requires no installation or coding knowledge.

To use the tool, simply navigate to the Codezi.pro website and enter your website's URL into the text field provided. Then click the "Check HSTS" button to initiate the check.

The tool will then perform a series of checks to determine whether HSTS is enabled on your website. It will check for the presence of the "Strict-Transport-Security" header in the response headers, and it will also tell you the maximum age of the HSTS policy, whether the policy includes subdomains, and whether the website is included in the HSTS preload list.

If HSTS is not enabled on your website, the tool will provide recommendations on how to enable it. Enabling it helps protect your users from downgrade and man-in-the-middle attacks that rely on an insecure HTTP connection.

What is HTTP Strict Transport Security?

HTTP Strict Transport Security, or HSTS, is a security policy mechanism that instructs a user's browser to only connect to a website via a secure HTTPS connection. When a website enables HSTS, it includes an HTTP response header in every response that it sends to the user's browser. This header instructs the browser to only access the website via HTTPS for a specified amount of time.

HSTS is designed to protect websites from certain types of attacks, such as man-in-the-middle (MITM) attacks, which can occur when an attacker intercepts the communication between the user's browser and the website. Once the browser has cached the HSTS policy (or the site is on the preload list), an attacker who intercepts the communication cannot force the browser to fall back to an insecure HTTP connection.

How does HTTP Strict Transport Security work?

When a user's browser connects to a website that has HSTS enabled, the website responds with an HTTP response header named Strict-Transport-Security. Its max-age directive specifies, in seconds, how long the browser should access the website only via HTTPS. For example, the header could be:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This header instructs the browser to only connect to the website via HTTPS for a maximum of one year (31,536,000 seconds). The includeSubDomains directive tells the browser to apply the same policy to all subdomains of the website, and the preload directive indicates that the website should be included in the HSTS preload list maintained by web browsers.

Once the user's browser receives this header, it will remember the HSTS policy for the specified amount of time, and will only connect to the website via HTTPS during that time. If the user tries to open the website via an insecure HTTP URL, the browser rewrites the URL to HTTPS before sending any request, so no plaintext request ever leaves the browser.

How to implement HTTP Strict Transport Security on your website

Enabling HSTS on your website is relatively straightforward. Here are the basic steps:

  1. Ensure that your website is accessible via HTTPS. This means that you need to have an SSL/TLS certificate installed and configured correctly.

  2. Add the Strict-Transport-Security header to every HTTP response that your website sends over HTTPS (browsers ignore the header when it arrives over plain HTTP). You can do this in several ways, depending on your web server and the programming language that you are using.

     For example, if you are using Apache with mod_headers enabled, you can add the following line to your website's .htaccess file:

     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

     If you are using PHP, you can add the following code to the beginning of your PHP script, before any output is sent:

     header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

  3. Test your website to make sure that HSTS is working correctly. You can use an online HSTS test tool to check if your website's HSTS policy is being correctly enforced.

  4. Consider submitting your website to the HSTS preload list. This will ensure that your website is included in the list of websites that browsers will always connect to via HTTPS, even for the first visit. Preloading is hard to undo, since removal takes months to reach all browsers, so only submit once every subdomain is ready to serve HTTPS.

How to check HTTP Strict Transport Security (HSTS) is enabled on your website?

To check if HTTP Strict Transport Security (HSTS) is enabled on your website, you can follow these steps:

  1. Open your web browser and navigate to your website.

  2. Open the developer tools for your browser. This can typically be done by right-clicking on the webpage and selecting "Inspect" or "Inspect Element".

  3. In the developer tools, navigate to the "Network" tab.

  4. Reload the webpage.

  5. Look for the first response from your website in the list of network requests. This should be the HTML response for your website.

  6. Click on the response to view the headers.

  7. Look for the "Strict-Transport-Security" header. If the header is present, then HSTS is enabled on your website.

Alternatively, you can use an online HSTS test tool to check if HSTS is enabled on your website. Simply enter your website's URL into the tool, and it will check if the "Strict-Transport-Security" header is present in the response headers. It will also tell you the maximum age of the HSTS policy, whether the policy includes subdomains, and whether the website is included in the HSTS preload list.
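A small checker that does what the browser-based steps above and the header description earlier on this page describe, added here as an example rather than the Codezi.pro tool's own code: it parses the header's directives, flags the gaps that the preload list would reject, and can fetch a live header over HTTPS. The host is a placeholder argument; the preload requirements it checks are a max-age of at least one year, includeSubDomains and preload, while the HTTP-to-HTTPS redirect that submission also requires is not tested.

```python
from http.client import HTTPSConnection  # standard library only

ONE_YEAR = 31536000  # seconds; the smallest max-age the preload list accepts

def parse_hsts(header):
    """Return {'max_age', 'include_subdomains', 'preload'}, or None when the header
    is absent or its max-age is missing/malformed (browsers then ignore it).
    Directive names are case-insensitive and ';'-separated (RFC 6797)."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def evaluate(policy):
    """Return findings; an empty list means the header itself is preload-ready
    (the preload list also needs an HTTP->HTTPS redirect, which is not checked here)."""
    if policy is None:
        return ["HSTS not enabled: header missing or unparseable"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy; HSTS is effectively disabled")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age %d is below the one-year preload minimum" % policy["max_age"])
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not policy["preload"]:
        findings.append("preload directive missing: not eligible for the preload list")
    return findings

def fetch_hsts(host):
    """Fetch the header over HTTPS only: a policy sent over plain HTTP is ignored."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Strict-Transport-Security")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(host, evaluate(parse_hsts(fetch_hsts(host))) or ["OK: header is preload-ready"])
```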