HSTS preload is a step beyond a normal HSTS header — it gets your domain baked directly into Chrome, Firefox, and Safari's source code as "always HTTPS," so even a user's very first visit is protected, before any header could even be read.
A regular HSTS header still has a gap: the very first visit before the browser has seen it. The HSTS preload list closes that gap completely by baking your domain into the browser itself — Chrome, Firefox, and Safari all ship with it built in.
Your domain is accepted at hstspreload.org and appears in the Chromium preload list source.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →