methodology / Security & Infrastructure / #26

HSTS preload list inclusion

live factor #26 · Security & Infrastructure · scoring impl: implemented · weight 0.7%

What we measure

When your domain is on the HSTS preload list, browsers refuse to ever connect over HTTP — eliminating downgrade attacks entirely. The strongest possible HTTPS guarantee.

How to improve your score

Set `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`, then submit at hstspreload.org.

Data source

Data source for this factor is not yet documented.

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.1.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.

Version history

← back to methodology