How to Use

Enter a domain name (without http:// or https://) and click "Analyze". The tool performs a series of live tests to check your site's overall HTTPS health.

Understanding the Tests

Redirect Check: This test verifies that a request to the insecure `http://` version of your site successfully ends up at the secure `https://` version. A failure here is a critical security risk.

HSTS Preload Readiness: HSTS (HTTP Strict Transport Security) is a header that tells browsers to *only* use HTTPS for your site. The HSTS Preload List is a list of sites built into browsers that are hardcoded to be HTTPS-only. This test checks if your HSTS header meets the strict submission criteria.

Mixed Content Scan: This test scans the final page's HTML for insecure `http://` links to assets like images or scripts. Mixed content can cause security warnings in browsers and break your site's lock icon.

FAQ

What is mixed content?
Mixed content occurs when an HTTPS page loads resources (like images, scripts, or stylesheets) over an insecure HTTP connection. Modern browsers will block this content or show a security warning, breaking your site's functionality and trust.

What are the risks of not having HSTS?
Without HSTS, an attacker on the same network (e.g., public Wi-Fi) could intercept the initial HTTP request and prevent the redirect to HTTPS, performing a "man-in-the-middle" attack.

Should I submit my site to the HSTS preload list?
Yes, if you are confident that your entire site and all its subdomains can be served over HTTPS permanently. Once on the list, it is very difficult to be removed, so you must be prepared to maintain HTTPS across all subdomains.