Zero Signup Tools: free browser tools

Developer Tools

HSTS Header Generator

Build and parse the HTTP Strict-Transport-Security header. max-age presets, preload list checklist, and snippets for Nginx, Apache, Caddy, IIS, and Next.js.

Rollout scenarios

Pick a starting point. Adjust max-age and the toggles below to fine-tune.

Directives

max-age: 63072000 seconds (2 years)

How long the browser should remember this policy, counted from each HTTPS response that carries it. max-age=0 tells the browser to forget the cached policy for this host.

Common max-age values

Tap a duration to load it. The header only accepts seconds, so the presets save you converting durations by hand.

Generated header

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Preload list eligibility

The four requirements this tool tracks for a hstspreload.org submission. The first three are visible in the header itself; the fourth is server-side and cannot be verified from a header alone.

  • max-age >= 31,536,000 (1 year)

    hstspreload.org requires at least one year. Two years is recommended.

  • includeSubDomains is present

    All subdomains must serve over HTTPS for the parent domain to be preloaded.

  • preload token is present

    The literal token signals consent to be added to the preload list.

  • Site is served over HTTPS on every host

This cannot be checked here. hstspreload.org requires a valid certificate, an HTTP-to-HTTPS redirect on the same host for the base domain (not straight to www), HTTPS on every subdomain (including www if it has a DNS record), and the HSTS header on the base domain over HTTPS; if the base domain redirects over HTTPS, that redirect response must itself carry the header.

Server snippets

Drop into your server config or platform headers file. Adjust the path or matcher to fit your routing. Send the header only from HTTPS responses; browsers ignore it on plain HTTP, so setting it there is harmless but does nothing.

Nginx

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

Place it in the HTTPS server block. Nginx does not inherit add_header into a location block that declares its own add_header, so repeat the line in any such block, and keep always so the header is sent on redirects and error responses.

Apache (.htaccess or httpd.conf)

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Requires mod_headers. The always condition makes Apache add the header to redirects and error responses as well as to 2xx responses.

Caddy (Caddyfile)

header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

IIS (web.config)

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Express / Node (res.setHeader)

app.use((req, res, next) => {
  res.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
  next();
});

Cloudflare Worker

addEventListener("fetch", (event) => {
  event.respondWith(handle(event.request));
});

async function handle(request) {
  const response = await fetch(request);
  const headers = new Headers(response.headers);
  headers.set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" }
      ]
    }
  ]
}

Netlify (_headers)

/*
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Next.js (next.config.js)

module.exports = {
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [
          {
            key: "Strict-Transport-Security",
            value: "max-age=63072000; includeSubDomains; preload",
          },
        ],
      },
    ];
  },
};

Quick reference

max-age

Seconds the browser remembers the HTTPS-only rule. Required. 0 deletes the prior policy.

includeSubDomains

Applies the policy to every subdomain. Required for hstspreload.org. The directive takes no value.

preload

Marks the header as eligible for the Chromium preload list, from which Firefox, Safari, and Edge derive their own lists. The token alone does nothing; submission at hstspreload.org is manual.

HTTP delivery

HSTS is ignored on plain HTTP responses (RFC 6797, section 8.1). Only HTTPS responses can set or refresh the policy.

Why preload

Without preload, a visit that starts from http:// (a typed URL or a plaintext link) is sent in the clear until the browser has cached the policy from an HTTPS response. Preloading hardcodes the rule into the browser, so even the first request is upgraded.

Removing preload

Removal from the preload list ships only with browser releases, so it can take months to reach every user. Roll out with an ordinary max-age first, validate, and add the preload token only when you mean it.

How to use

  1. Pick a rollout scenario (Testing, Soft rollout, Production, Preload-ready, Remove HSTS) or set max-age, includeSubDomains, and preload by hand.
  2. Use the Common max-age values panel to load 5 minutes through 2 years without converting durations to seconds in your head. The live label next to the field shows the human-readable duration.
  3. Read the Generated header card. Warnings appear for risky combinations: preload without includeSubDomains, preload below the 1 year max-age threshold, max-age=0, or max-age below one hour.
  4. Check the Preload list eligibility panel before submitting to hstspreload.org. Three of the four requirements are header-only; the fourth (HTTPS coverage on every subdomain) is server-side and cannot be verified from a header alone.
  5. Copy the header value or one of the server snippets (Nginx, Apache, Caddy, IIS web.config, Express, Cloudflare Worker, Vercel, Netlify _headers, Next.js next.config.js) and paste it into your server config or platform headers file.
  6. Switch to Parse mode to inspect an existing header. Paste a value from curl -I, the browser DevTools Network panel, or your config; the tool humanizes max-age and reports preload eligibility for the parsed policy.

About this tool

HSTS Header Generator builds and parses the HTTP Strict-Transport-Security response header defined by RFC 6797. The header tells the browser to upgrade every future request to a host (and optionally every subdomain) from plain HTTP to HTTPS for a chosen number of seconds, even when the user types http:// or clicks a plaintext link. Once the policy is cached, the browser rewrites http:// URLs for that host to https:// before sending them and refuses to let the user click through certificate errors on that host until the policy expires; if the directive includeSubDomains is present, the rule extends to every subdomain.

The Build mode lets you set max-age in seconds with humanized labels (5 minutes for a smoke test, 1 hour, 1 day, 1 week, 1 month, 6 months, 1 year for the hstspreload.org minimum, 2 years for the recommended value), toggle includeSubDomains and preload, and copy a clean header value or one of nine ready-to-paste server snippets: Nginx add_header, Apache .htaccess Header always set, the Caddyfile header directive, IIS web.config customHeaders, an Express middleware that calls res.setHeader, a Cloudflare Worker that overrides the response, vercel.json headers, the Netlify _headers file, and a next.config.js headers() entry. Five rollout scenarios cover the common starting points: a 5 minute test, a 1 week soft rollout, a 1 year production policy without preload, a 2 year preload-ready policy, and a max-age=0 removal header. A live preload list checklist tracks the four hstspreload.org submission requirements (max-age at least one year, includeSubDomains, the preload token itself, and full HTTPS coverage on the base domain and every subdomain) and explains which of them this header alone satisfies.

The Parse mode accepts any HSTS header value (or the full line with the prefix), splits it into directives, humanizes max-age in years and months and days, summarizes the effective policy across browser caching, subdomain coverage, and preload eligibility, and flags common foot-guns: max-age=0 silently removes the policy, max-age below one hour is too short to be useful, preload without includeSubDomains is rejected by the preload service, preload below the one year max-age threshold will fail submission, duplicate directives, unknown tokens, malformed numeric values, and values supplied to flag-only directives.

Useful for setting up a fresh HTTPS rollout, hardening an existing site, reviewing a header pasted from curl -I or DevTools, preparing a domain for hstspreload.org submission, debugging an unexpected redirect loop on a legacy host, or removing a stale policy from staging environments. Everything runs locally in your browser; the header values you paste here never leave your device.
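The following is an added example written for this page; it is not the tool's own source and uses no library API. It implements the parsing and foot-gun checks the Parse mode describes, humanizes max-age the way the Build mode labels do, and then does the one thing a header alone cannot: it walks a redirect chain starting from http:// the way hstspreload.org does, so the fourth preload requirement can be checked against a server. The function names, the injected fetchHead callback, and the example.com responses are assumptions constructed for the example; to run it against a live host, supply a fetchHead that issues a real request without following redirects.

```javascript
// Added example (not the tool's code). Thresholds follow RFC 6797 and
// hstspreload.org; function names and sample data are assumptions.
const ONE_HOUR = 3600;
const ONE_YEAR = 31536000; // hstspreload.org minimum max-age

// Parse 'max-age=63072000; includeSubDomains; preload' (a full header line with
// the 'Strict-Transport-Security:' prefix is accepted too). `errors` are faults
// that make a browser ignore the whole header (RFC 6797 section 6.1);
// `warnings` are valid-but-risky combinations.
function parseHsts(raw) {
  const value = raw.trim().replace(/^strict-transport-security\s*:\s*/i, "");
  const r = { maxAge: null, includeSubDomains: false, preload: false, errors: [], warnings: [] };
  const seen = new Set();
  for (const part of value.split(";")) {
    const token = part.trim();
    if (token === "") continue; // empty directives are permitted by the grammar
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (seen.has(name)) { r.errors.push(`duplicate directive: ${name}`); continue; }
    seen.add(name);
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) r.errors.push(`malformed max-age: ${val}`);
      else r.maxAge = Number(val);
    } else if (name === "includesubdomains" || name === "preload") {
      if (val !== null) r.errors.push(`${name} takes no value`); // valueless per RFC 6797
      else if (name === "preload") r.preload = true;
      else r.includeSubDomains = true;
    } else {
      r.warnings.push(`unknown directive ignored: ${name}`); // unknown directives MUST be ignored
    }
  }
  if (!seen.has("max-age")) r.errors.push("max-age is required");
  else if (r.maxAge === 0) r.warnings.push("max-age=0 removes the cached policy for this host");
  else if (r.maxAge !== null && r.maxAge < ONE_HOUR) r.warnings.push("max-age below one hour is too short to be useful");
  if (r.preload && !r.includeSubDomains) r.warnings.push("preload without includeSubDomains is rejected by hstspreload.org");
  if (r.preload && r.maxAge !== null && r.maxAge < ONE_YEAR) r.warnings.push("preload needs max-age >= 31536000");
  r.preloadEligible = r.errors.length === 0 && r.maxAge >= ONE_YEAR && r.includeSubDomains && r.preload;
  return r;
}

// Turn seconds into the human-readable label shown next to the max-age field.
function humanizeMaxAge(seconds) {
  if (seconds === 0) return "0 seconds (removes policy)";
  const units = [["year", ONE_YEAR], ["month", 2592000], ["day", 86400], ["hour", 3600], ["minute", 60], ["second", 1]];
  const parts = [];
  let rest = seconds;
  for (const [name, size] of units) {
    const n = Math.floor(rest / size);
    if (n > 0) { parts.push(`${n} ${name}${n === 1 ? "" : "s"}`); rest -= n * size; }
  }
  return parts.join(" ");
}

// Server-side check the header alone cannot give you: follow the chain from
// http://host/ as hstspreload.org does. `fetchHead(url)` is an injected callback
// returning { status, location, hsts } WITHOUT following redirects.
function checkPreloadChain(host, fetchHead, maxHops = 5) {
  const problems = [];
  let url = `http://${host}/`;
  for (let hop = 0; hop < maxHops; hop++) {
    const res = fetchHead(url);
    const u = new URL(url);
    if (u.protocol === "http:") {
      // The HTTP hop must redirect to HTTPS on the same host, not straight to www.
      const target = res.location ? new URL(res.location, url) : null;
      const sameHostHttps = res.status >= 300 && res.status < 400 && target &&
        target.protocol === "https:" && target.hostname === u.hostname;
      if (!sameHostHttps) { problems.push(`${url}: must redirect to https://${u.hostname}/`); break; }
      url = target.href;
      continue;
    }
    // Every HTTPS hop, including an HTTPS->HTTPS redirect, must carry an eligible header.
    const p = res.hsts === undefined ? null : parseHsts(res.hsts);
    if (!p || !p.preloadEligible) problems.push(`${url}: missing or ineligible Strict-Transport-Security header`);
    if (res.status >= 300 && res.status < 400 && res.location) { url = new URL(res.location, url).href; continue; }
    return { ok: problems.length === 0, problems };
  }
  if (problems.length === 0) problems.push(`redirect chain did not end within ${maxHops} hops`);
  return { ok: false, problems };
}

// Constructed sample responses for example.com (not real captures).
const SAMPLE_RESPONSES = {
  "http://example.com/": { status: 301, location: "https://example.com/" },
  "https://example.com/": { status: 301, location: "https://www.example.com/",
    hsts: "max-age=63072000; includeSubDomains; preload" },
  "https://www.example.com/": { status: 200, hsts: "max-age=63072000; includeSubDomains; preload" },
};
const sampleFetch = (url) => SAMPLE_RESPONSES[url] || { status: 404 };

console.log(parseHsts("max-age=31536000; preload").warnings); // preload without includeSubDomains
console.log(humanizeMaxAge(63072000));                        // 2 years
console.log(checkPreloadChain("example.com", sampleFetch));   // { ok: true, problems: [] }
```

The chain check deliberately treats a missing header on an HTTPS redirect as a failure, because that is the case hstspreload.org rejects most often: the header is set on the final page but the base domain's 301 to www is sent without it. Certificate validity and coverage of every other subdomain still have to be verified separately.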

Free to use. Works in your browser. No signup, no login.
