Does your site tell browsers and crawlers to always use the secure HTTPS version?
An HSTS header locks browsers and crawlers onto HTTPS, preventing silent downgrades that fragment your AI visibility.
What this signal tests
We check whether your site sends the Strict-Transport-Security (HSTS) header on its HTTPS responses, and whether the declared max-age is at least six months. HSTS (RFC 6797) is the mechanism by which a site tells browsers, and any crawler that implements it, that it must only be reached over HTTPS for the declared period: for that time the client rewrites every HTTP URL for the domain to HTTPS before connecting, even if a link or redirect points at the insecure version.
Why it matters for your visibility in AI
Without HSTS, an attacker who controls the network between a visitor and your site (a public Wi-Fi hotspot, for example) can keep the visitor on the plain-HTTP version of your site, reading or rewriting everything in transit. From an AI visibility angle, the same gap creates a subtler problem: crawlers that reach the HTTP variant may treat it as a separate URL, fragmenting your canonical signal and diluting the consolidated authority of the HTTPS page. An HSTS header with a max-age of six months or longer closes most of this gap: once a browser (or a crawler that implements HSTS) has seen the header over HTTPS, it rewrites every HTTP URL for your domain to HTTPS for the declared period, and each later HTTPS response refreshes that period. Two caveats remain: the very first visit is unprotected unless the domain is preloaded, and clients that do not implement HSTS still depend on your HTTP-to-HTTPS redirect. This is a one-line change with strong security and consolidation benefits, but most small business sites still do not set it.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| HSTS header | Strict-Transport-Security is present on the HTTPS homepage response with max-age >= 15552000 (180 days) |
How we test it
We make a single HTTPS request to your homepage and read the Strict-Transport-Security header in the response. Only the HTTPS response counts: browsers ignore an HSTS header delivered over plain HTTP, so a header sent only by your HTTP-to-HTTPS redirect would be worthless. We confirm the header is present, that it includes a max-age directive, and that the value is at least 15,552,000 seconds (180 days). Longer is fine; shorter is flagged. We also note whether the header includes the includeSubDomains and preload directives, which are best practice but not required to pass.
Technical detection method
HEAD/GET https://{host}/; parse Strict-Transport-Security (directive names are case-insensitive, max-age is mandatory); require max-age>=15552000.
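The detection method above, as an added example (not the test's own code): a checker that fetches the homepage over HTTPS, parses the header by the RFC 6797 directive grammar, and applies the 15,552,000-second threshold. It also flags the conditions a browser would reject (a missing max-age, a duplicate directive, a non-numeric value), since a browser ignores such a header entirely. The hostname passed on the command line, and the fallback `example.com`, are placeholders.

```python
"""Added example: check a site's Strict-Transport-Security header the way the
signal above describes. The parser follows RFC 6797 directive syntax; the pass
threshold (15552000 s) is the one this page requires."""
import http.client
import re
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

MIN_MAX_AGE = 15_552_000          # 180 days: the threshold this signal requires
PRELOAD_MIN_MAX_AGE = 31_536_000  # 1 year: the hstspreload.org minimum

# RFC 6797: directive-name is a token; directive-value is a token or quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(
    rf'^\s*({_TOKEN})\s*(?:=\s*(?:({_TOKEN})|"((?:[^"\\]|\\.)*)"))?\s*$'
)


@dataclass
class HstsPolicy:
    valid: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    passed: bool
    reason: str
    policy: Optional[HstsPolicy] = None
    notes: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one STS header value. Directive names are case-insensitive, each may
    appear once, unknown ones are ignored, and max-age is mandatory; a header that
    breaks these rules is ignored by browsers, so it is reported as invalid here."""
    policy = HstsPolicy(valid=True)
    seen = set()
    # Splitting on ';' is safe here: no directive a browser acts on takes a
    # quoted-string value that could itself contain a semicolon.
    for raw in value.split(";"):
        if not raw.strip():
            continue  # RFC 6797 permits empty directives, e.g. a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            policy.problems.append(f"malformed directive {raw.strip()!r}")
            policy.valid = False
            continue
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            policy.problems.append(f"duplicate directive {name}")
            policy.valid = False
            continue
        seen.add(name)
        if name == "max-age":
            if val is None or not re.fullmatch(r"[0-9]+", val):
                policy.problems.append(f"max-age must be a non-negative integer, got {val!r}")
                policy.valid = False
            else:
                policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.valid and policy.max_age is None:
        policy.problems.append("max-age directive missing")
        policy.valid = False
    return policy


def evaluate(header: Optional[str], min_max_age: int = MIN_MAX_AGE) -> Verdict:
    """Apply the page's pass criterion to a header value (None = header absent)."""
    if header is None:
        return Verdict(False, "no Strict-Transport-Security header on the HTTPS response")
    policy = parse_hsts(header)
    if not policy.valid:
        return Verdict(False, "; ".join(policy.problems), policy)
    if policy.max_age < min_max_age:
        return Verdict(False, f"max-age {policy.max_age} is below {min_max_age} (180 days)", policy)
    notes = []
    if not policy.include_subdomains:
        notes.append("includeSubDomains not set")
    if policy.preload and (policy.max_age < PRELOAD_MIN_MAX_AGE or not policy.include_subdomains):
        notes.append("preload present but hstspreload.org needs max-age>=31536000 and includeSubDomains")
    return Verdict(True, "ok", policy, notes)


def fetch_hsts_header(host: str, timeout: float = 10.0) -> Optional[str]:
    """HEAD https://{host}/ and return the first STS header value, or None.
    Redirects are not followed (the policy must be on the HTTPS homepage itself)
    and the certificate is verified, because a browser only applies HSTS from a
    response it received over a validated secure connection."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "hsts-check/1.0"})
        resp = conn.getresponse()
        # RFC 6797 section 8.1: when several STS headers arrive, only the first counts.
        for name, value in resp.getheaders():
            if name.lower() == "strict-transport-security":
                return value
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    verdict = evaluate(fetch_hsts_header(host))
    print(f"{host}: {'PASS' if verdict.passed else 'FAIL'} - {verdict.reason}", *verdict.notes)
```

Run it as `python hsts_check.py yourdomain.example` (the file name is an assumption). The boundary value `max-age=15552000` passes; `max-age=0` parses cleanly but fails, which matches browser behaviour, where zero tells the client to forget the policy.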
If your site fails: how to fix it
- Confirm your entire site already runs cleanly on HTTPS with a valid certificate, and that plain HTTP redirects to HTTPS. If you intend to cover subdomains, verify every one of them too. HSTS is hard to undo once clients have cached the policy, so fix any HTTPS problem first.
- Add the Strict-Transport-Security response header at your web server or CDN, and send it on HTTPS responses (browsers ignore it over HTTP). Roll it out in stages rather than starting at a year: begin with a short value such as max-age=300 without includeSubDomains, watch for breakage, then raise it to max-age=31536000; includeSubDomains, which sets a one-year window across all subdomains. The test needs at least max-age=15552000 to pass.
- If you use a CDN like Cloudflare, the dashboard usually has a single toggle to enable HSTS with sensible defaults - that is the easiest path for non-technical owners.
- Once stable for a few weeks, consider adding the preload directive and submitting your domain to the HSTS preload list at hstspreload.org. The list requires the base domain to serve max-age of at least one year together with includeSubDomains and preload. This bakes the policy into browsers themselves for maximum protection; removal from the list takes months.
- Re-run the AI Ready Test to confirm the header is now present with a sufficient max-age.
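The first step of the procedure above (verify HTTPS everywhere before enabling the header, and especially before includeSubDomains) as an added preflight script, not part of this page's tooling. For every host the policy will cover it performs a TLS handshake with full certificate verification, since any certificate a browser would reject becomes an unrecoverable error once HSTS is cached, and checks that plain HTTP redirects to HTTPS, because a client that has not yet seen the policy ignores HSTS on HTTP responses. The base domain is held to the same-host redirect rule hstspreload.org imposes. Hostnames on the command line, and the `example.com` fallbacks, are placeholders.

```python
"""Added example: pre-rollout checks before turning on HSTS (and especially
includeSubDomains). Every host the policy will cover must present a certificate
that validates for its name, and plain HTTP must redirect to HTTPS."""
import http.client
import socket
import ssl
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


def redirect_to_https_ok(status: int, location: Optional[str], host: str,
                         same_host: bool = False) -> bool:
    """True when (status, Location) is a redirect to an https:// URL.
    same_host=True additionally demands the same hostname, which is what
    hstspreload.org requires of the base domain's HTTP redirect."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return False
    return not same_host or (target.hostname or "").lower() == host.lower()


def tls_ok(host: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """TLS handshake with default verification: chain, expiry and hostname.
    Anything a browser would reject here becomes a hard failure under HSTS."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version() or "TLS"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def http_redirect_ok(host: str, same_host: bool = False,
                     timeout: float = 5.0) -> Tuple[bool, str]:
    """HEAD http://{host}/ and check that it redirects to HTTPS."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location")
        ok = redirect_to_https_ok(resp.status, location, host, same_host)
        return ok, f"{resp.status} -> {location}"
    except OSError as exc:
        return False, str(exc)
    finally:
        conn.close()


def preflight(hosts: Iterable[str],
              base_domain: Optional[str] = None) -> Dict[str, Dict[str, Tuple[bool, str]]]:
    """Run both checks for every host; the base domain gets the stricter
    same-host redirect rule so that a later preload submission will not fail."""
    return {h: {"tls": tls_ok(h),
                "redirect": http_redirect_ok(h, same_host=(h == base_domain))}
            for h in hosts}


def safe_to_enable(report: Dict[str, Dict[str, Tuple[bool, str]]]) -> bool:
    """Only enable includeSubDomains when every covered host passes both checks."""
    return bool(report) and all(r["tls"][0] and r["redirect"][0] for r in report.values())


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["example.com", "www.example.com"]  # placeholder hosts
    report = preflight(hosts, base_domain=hosts[0])
    for h, r in report.items():
        print(f"{h}: tls={'ok' if r['tls'][0] else 'FAIL'} ({r['tls'][1]}); "
              f"redirect={'ok' if r['redirect'][0] else 'FAIL'} ({r['redirect'][1]})")
    print("safe to enable HSTS with includeSubDomains" if safe_to_enable(report)
          else "fix the failing hosts before enabling HSTS")
```

Run it with the base domain first, followed by every subdomain the policy will cover, for example `python hsts_preflight.py yourdomain.example www.yourdomain.example mail.yourdomain.example` (file name assumed). A subdomain that only answers on HTTP, or whose certificate is for a different name, shows up as a failure here instead of as an outage after the header is cached.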
Quick facts
| Fact | Value |
|---|---|
| Maturity | ESTABLISHED |
| Weight | medium |
| Category | Crawlability |
Primary sources
Related signals
Frequently asked questions
What is the risk of enabling HSTS?
Once enabled, browsers (and crawlers that honour HSTS) will refuse to load your site over plain HTTP for the declared duration, and they will also refuse HTTPS connections whose certificate does not validate, with no option to click through the warning. If you then break HTTPS - for example, a certificate expires and your fallback was HTTP - visitors cannot reach the site at all until you fix it. Always verify HTTPS is fully reliable before enabling HSTS, and start with a short max-age.
Should I include subdomains?
Generally yes, but only if every subdomain (including ones used by third-party integrations, and any internal or staging hosts under the same domain) supports HTTPS with a valid certificate. Otherwise the includeSubDomains directive will break those subdomains for anyone who has visited the parent domain. List your subdomains and check each one before turning this option on.
What is preloading and do I need it?
Preloading adds your domain to a list baked into Chrome, Firefox, Safari, and Edge, so they enforce HTTPS for your domain even before they have ever visited it. It is the gold standard for security but requires meeting strict criteria and is hard to undo. Optional for most sites.
How long should max-age be?
We require a minimum of 180 days. The widely recommended value is one year (31,536,000 seconds), which is also the minimum the preload list accepts (together with includeSubDomains). Two years (63,072,000 seconds) is also common. Longer values are stronger but only marginally so - one year is the practical sweet spot for most businesses.
Run your own scan
Run a free scan and see how your site grades across all 155 AI-readiness signals.