HSTS Preload

A built-in browser list of domains that must always be loaded over HTTPS, even on a user's first visit.

HSTS Preload is a curated list shipped inside Chromium, Firefox, Safari, and Edge that hardcodes HSTS for domains opted into it. Normal HSTS only protects users after their first successful HTTPS visit; preload closes that gap by making the browser refuse plaintext HTTP to a listed domain even on the very first request. To qualify, a site must serve a valid certificate on the apex, redirect HTTP to HTTPS, and serve the header `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`. Submissions are reviewed at hstspreload.org. Removal can take months, so the decision is effectively permanent.
