Home / Tools / Submit your domain to the HSTS preload list
Transport Security · Scan Check Guide

Submit your domain to the HSTS preload list

20 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

HSTS preload is a step beyond a normal HSTS header — it gets your domain baked directly into Chrome, Firefox, and Safari's source code as "always HTTPS," so even a user's very first visit is protected, before any header could even be read.

A regular HSTS header still has a gap: the very first visit before the browser has seen it. The HSTS preload list closes that gap completely by baking your domain into the browser itself — Chrome, Firefox, and Safari all ship with it built in.

How to fix it

  1. 1
    Confirm your HSTS header meets the preload bar
    You need Strict-Transport-Security with max-age of at least 31536000 (1 year), includeSubDomains, and preload all present.
  2. 2
    Verify every subdomain is actually HTTPS-ready
    includeSubDomains means ALL subdomains must support HTTPS — check any staging, mail, or legacy subdomains before submitting.
  3. 3
    Submit your domain
    Go to hstspreload.org, enter your domain, and follow the eligibility check.
  4. 4
    Wait for inclusion
    Preload list updates ship with new browser releases — expect a few weeks, not instant.

Common mistakes

How you'll know it's done

Your domain is accepted at hstspreload.org and appears in the Chromium preload list source.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →