
security

How to fix: HSTS preload eligibility

OWASP A02 NIS2 Art. 21(2)(a)

Why this matters

Preloading puts your domain on a list compiled into Chrome, Firefox, and Safari, so HTTPS is enforced even on the very first visit from a fresh device.

Background

Submitting to the HSTS preload list closes the first-contact gap: the browser already knows to refuse plain HTTP for your domain on the very first request, before it has ever seen your HSTS header. Eligibility requires a Strict-Transport-Security header with max-age ≥ 31536000 (one year), the includeSubDomains directive and the preload directive, and every subdomain must be HTTPS-only. Once you submit, removal takes weeks to months, so only opt in once you are certain.

References

https://hstspreload.org · Chromium/Mozilla browser preload list

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
Same header as in the security.hsts guide, with the preload directive added; ensure all subdomains serve HTTPS first.
apache
As above.
cloudflare
After enabling HSTS in Edge Certificates, click 'Submit to HSTS Preload List' (links to hstspreload.org).
wordpress
Confirm all subdomains (www, blog, shop, …) are HTTPS-only first; submit via hstspreload.org.
flask
Configure Flask-Talisman with strict_transport_security_preload=True (include-subdomains and the one-year max-age are its defaults), then submit your apex via hstspreload.org.
express
helmet.strictTransportSecurity({ maxAge: 31536000, includeSubDomains: true, preload: true }); Helmet's default maxAge is shorter than one year, so set it explicitly. Then submit at hstspreload.org.
rails
config.force_ssl = true together with config.ssl_options = { hsts: { subdomains: true, preload: true } }; submit at hstspreload.org.

Verify it's working

https://hstspreload.org/?domain=your-domain.com — green status means submitted + propagated.
