HSTS preload eliminates the first-visit vulnerability — the one plaintext HTTP request a browser makes before it has received the HSTS header and committed to HTTPS. Without preload, a user who has never visited your site before (or who has cleared browser storage) is exposed to SSL stripping on that first connection. CWE-311 and CWE-319 apply — the initial plaintext request exposes cookies, tokens, and session data to network-level interception before HSTS takes effect. OWASP A02 (Cryptographic Failures) identifies first-visit HTTP exposure as a transport security gap that preloading permanently eliminates.
Severity is medium because exploiting first-visit HTTP exposure requires an attacker with a network position, but HSTS preloading is the only control that closes this window entirely for users who have never visited before.
Add all three required HSTS directives for preload eligibility. Preloading is irreversible on short timescales — only proceed if HTTPS is permanent for your domain and every subdomain.
// next.config.js
// In Next.js, headers() is an async function returning an array of route rules;
// the bare `headers: [...]` fragment is not a valid config on its own.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)', // apply to every route, including static assets
      headers: [{
        key: 'Strict-Transport-Security',
        // all three directives are required for preload eligibility
        value: 'max-age=31536000; includeSubDomains; preload'
      }]
    }];
  }
};
After configuring, submit at hstspreload.org. All three are required: max-age >= 31536000, includeSubDomains, and preload. Removal from the preload list takes months — do not add preload for staging or short-lived domains.
ID: security-headers-ii.transport-hardening.hsts-preload
Severity: medium
What to look for: Extract the complete HSTS header value. Check for the preload flag. HSTS preload makes the domain eligible for browser HSTS preload lists — built-in HTTPS enforcement with no first-visit vulnerability. Preload eligibility requires ALL three: preload flag, max-age >= 31536000, and includeSubDomains.
Pass criteria: HSTS header includes preload AND max-age >= 31536000 AND includeSubDomains — all three required for preload eligibility. Count the HSTS directives present, extract and quote the complete HSTS header value and report: "HSTS preload-eligible: max-age=X, includeSubDomains present, preload present."
Fail criteria: HSTS header is missing preload, or preload is present but max-age under 31536000 or includeSubDomains is missing.
Skip (N/A) when: No HSTS header configured at all.
Detail on fail: "HSTS header lacks preload flag — not eligible for browser preload lists" or "HSTS has preload but max-age=3600 — preload requires max-age >= 31536000" or "HSTS has preload but missing includeSubDomains — all three are required"
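A check implementing the pass, fail and skip criteria above, as an added example written for this page (not code from the original check or from any scanner). It assumes the header value has already been extracted from the response, and it handles two RFC 6797 details the criteria leave implicit: directive names are case-insensitive, and max-age may be quoted.

```javascript
// Added example: evaluate an HSTS header value against the preload rules.
// Constructed inputs only; the header values in the usage call are samples.
const PRELOAD_MIN_MAX_AGE = 31536000; // one year, the hstspreload.org minimum

// Parse "max-age=...; includeSubDomains; preload" into a name -> value map.
// RFC 6797: names are case-insensitive, values may be quoted, and a directive
// must not appear more than once (the first occurrence is kept here).
function parseHsts(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : token.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    if (!(name in directives)) directives[name] = val;
  }
  return directives;
}

// Returns { status: 'pass' | 'fail' | 'skip', detail } following the criteria.
function checkHstsPreload(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    return { status: 'skip', detail: 'No HSTS header configured at all' };
  }
  const d = parseHsts(headerValue);
  const rawMaxAge = d['max-age'];
  // max-age must be a plain non-negative integer; anything else counts as missing
  const maxAge = typeof rawMaxAge === 'string' && /^\d+$/.test(rawMaxAge) ? Number(rawMaxAge) : null;
  if (!('preload' in d)) {
    return { status: 'fail', detail: 'HSTS header lacks preload flag: not eligible for browser preload lists' };
  }
  if (maxAge === null || maxAge < PRELOAD_MIN_MAX_AGE) {
    const shown = rawMaxAge === undefined ? 'missing' : rawMaxAge;
    return { status: 'fail', detail: `HSTS has preload but max-age=${shown}; preload requires max-age >= ${PRELOAD_MIN_MAX_AGE}` };
  }
  if (!('includesubdomains' in d)) {
    return { status: 'fail', detail: 'HSTS has preload but missing includeSubDomains; all three are required' };
  }
  return { status: 'pass', detail: `HSTS preload-eligible: max-age=${maxAge}, includeSubDomains present, preload present` };
}

// Sample run over constructed header values
for (const v of ['max-age=31536000; includeSubDomains; preload', 'max-age=3600; includeSubDomains; preload', '']) {
  console.log(JSON.stringify(v), '->', checkHstsPreload(v));
}
```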
Remediation: HSTS preload eliminates the first-visit vulnerability by hardcoding your domain into the browsers' built-in HSTS preload lists:
// next.config.js: this goes inside the route entry returned by headers()
headers: [{
  key: 'Strict-Transport-Security',
  value: 'max-age=31536000; includeSubDomains; preload'
}]
Important warning: Preloading is difficult to reverse. Once your domain is in the preload list, removing it can take months. Only add preload if you are certain that HTTPS is permanent for your domain and ALL subdomains. Submit at hstspreload.org after configuring.