HSTS header builder
Build a Strict-Transport-Security response header with max-age and optional includeSubDomains / preload flags—copy into your HTTPS origin configuration.
About HSTS header builder
Draft Strict-Transport-Security with max-age, includeSubDomains, and optional preload—local only. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Draft an HSTS header for HTTPS sites—only enable preload after you understand the preload list requirements. Pair with HTTP headers.
Nearby workflows on Toolcore
- HTTP headers — Common request and response header fields—names, direction, and short summaries—filterable client-side.
- Referrer-Policy builder — Pick a Referrer-Policy value and copy the HTTP header—control referrer leakage locally.
- CSP header builder — Build a Content-Security-Policy header from directive fields—copy for nginx, Express, or CDN configs locally.
- URL parser — Split URLs into protocol, host, path, query, and hash—browser URL API; optional https:// assumption; no fetch.
Common use cases
- Set max-age and includeSubDomains before editing nginx or load balancer TLS config.
- Compare one-year vs two-year max-age when planning HSTS preload submission.
- Pair with HTTP header reference pages during security reviews.
Common mistakes to avoid
Enabling preload on HTTP-only hosts
Browsers ignore HSTS on plain HTTP—serve valid HTTPS everywhere first.
Short max-age during migration
Use a small max-age while testing, then raise it once HTTPS is stable.
FAQ
What is HSTS preload?
Optional browser preload lists ship a hardcoded HTTPS-only rule. Only enable preload after all subdomains serve HTTPS.
Is my domain submitted automatically?
No. This page only drafts the header text—you submit to preload programs separately.