How to fix: HSTS preload eligibility
OWASP A02
NIS2 Art. 21(2)(a)
Why this matters
Preloading adds your domain to the HSTS preload list that is compiled into Chromium (and so into Chrome and Edge) and imported by Firefox and Safari, so the browser enforces HTTPS even on the very first visit from a fresh device, before it has seen any HSTS header from you.
Background
Submitting to the HSTS preload list closes the first-contact gap: the browser already refuses plain HTTP for your domain on the very first request, before it has ever seen your HSTS header. Eligibility requires a Strict-Transport-Security header on the HTTPS apex with max-age of at least 31536000 (one year), the includeSubDomains and preload directives, plain HTTP on the apex redirecting to HTTPS on the same host, and every subdomain being served over HTTPS. The preload directive is not part of RFC 6797; it is the signal that you consent to inclusion. Because the list ships inside browser releases, removal takes weeks to months, and includeSubDomains then binds every subdomain you have or will ever have, so opt in only once you are certain.
References
https://hstspreload.org · Chromium/Mozilla browser preload list
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
Send the same Strict-Transport-Security header as in the security.hsts fix, with max-age=31536000, includeSubDomains and preload, on every HTTPS response from the apex, including any redirect it issues (for example apex to www). Confirm first that plain HTTP on port 80 redirects to HTTPS on the same host and that every subdomain is served over HTTPS.
apache
As for nginx: the same header with the preload directive on every HTTPS response, after confirming the same-host HTTP-to-HTTPS redirect and that all subdomains are HTTPS-only.
cloudflare
After enabling HSTS in Edge Certificates, click 'Submit to HSTS Preload List' (links to hstspreload.org).
wordpress
Confirm all subdomains (www, blog, shop, …) are HTTPS-only first; submit via hstspreload.org.
flask
With Flask-Talisman, set strict_transport_security_preload=True together with strict_transport_security_include_subdomains=True and a strict_transport_security_max_age of at least 31536000; then submit your apex via hstspreload.org.
express
helmet.strictTransportSecurity({ maxAge: 31536000, includeSubDomains: true, preload: true }) — set maxAge explicitly rather than relying on Helmet's default, since older releases default to less than a year — then submit at hstspreload.org.
rails
config.force_ssl = true together with config.ssl_options = { hsts: { expires: 1.year, subdomains: true, preload: true } }; then submit at hstspreload.org.
Verify it's working
Enter your apex at https://hstspreload.org/?domain=your-domain.com. The page first runs the eligibility checks (same-host HTTP-to-HTTPS redirect, a compliant header on the apex and on any HTTPS redirect it issues, includeSubDomains and preload present) and lists any errors in red; fix those before submitting. After submission the status reads pending until the entry ships in a Chrome release, then preloaded; Firefox and Safari pick up the entry from the Chromium list on their own release cadence.
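To see exactly what the eligibility checks above look for, here is an added example (not code from this page or from hstspreload.org) that applies the header and redirect rules to captured responses. It takes the status and headers of http://apex/ and https://apex/ as plain dicts, so it runs offline against the constructed samples at the bottom; it assumes the hostname example.com and the sample header values, and it cannot check the "all subdomains are HTTPS" rule, which needs DNS and live connections.

```python
"""HSTS preload eligibility check over captured responses (added example)."""
from urllib.parse import urlsplit

MIN_MAX_AGE = 31_536_000  # one year: the minimum hstspreload.org accepts


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value or None}.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    valueless directives such as includeSubDomains map to None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_errors(header_value):
    """Return the reasons a header value fails the preload requirements."""
    if header_value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    errors = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        errors.append("max-age missing or not an integer")
    elif int(max_age) < MIN_MAX_AGE:
        errors.append(f"max-age {max_age} is below the required {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        errors.append("includeSubDomains directive missing")
    if "preload" not in d:
        errors.append("preload directive missing")
    return errors


def preload_errors(domain, http_response, https_response):
    """Combine the header check with the redirect rule hstspreload.org enforces.

    http_response / https_response: dicts with "status" and "headers" (header
    names lower-cased) captured from http://domain/ and https://domain/.
    An empty list means the apex passes the offline-checkable rules.
    """
    errors = []
    # Rule: plain HTTP on the apex must redirect straight to HTTPS on the SAME host,
    # not jump to www or a CDN hostname first.
    if http_response["status"] not in (301, 302, 307, 308):
        errors.append("http:// does not redirect to https://")
    else:
        target = urlsplit(http_response["headers"].get("location", ""))
        if target.scheme != "https" or target.hostname != domain:
            errors.append(
                f"http:// redirects to {target.geturl()!r}, expected https://{domain}/"
            )
    # Rule: the first HTTPS response on the apex must already carry a compliant
    # header, even when that response is itself a redirect (e.g. apex -> www).
    errors.extend(
        hsts_errors(https_response["headers"].get("strict-transport-security"))
    )
    return errors


# Constructed sample responses (not captured from any real site).
GOOD = {
    "http": {"status": 301, "headers": {"location": "https://example.com/"}},
    "https": {"status": 200, "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload"}},
}
# A common failing setup: port 80 jumps straight to www, and the HTTPS redirect
# carries a six-month max-age with no preload directive.
BAD = {
    "http": {"status": 301, "headers": {"location": "https://www.example.com/"}},
    "https": {"status": 301, "headers": {
        "location": "https://www.example.com/",
        "strict-transport-security": "max-age=15768000; includeSubDomains"}},
}

if __name__ == "__main__":
    for label, captured in (("good", GOOD), ("bad", BAD)):
        errs = preload_errors("example.com", captured["http"], captured["https"])
        print(label, "eligible" if not errs else errs)
```

Feed it real captures by recording the status and headers of the first response to http://your-domain.com/ and https://your-domain.com/ without following redirects; the point of checking the first HTTPS response is that an apex-to-www redirect served without the header is the most frequent reason a submission is rejected.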