A

Trust

LOW

HSTS policy carries the preload directive

The Strict-Transport-Security header on the homepage includes the `preload` directive. HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.

What this check looks for

Browser HSTS preload lists (managed at hstspreload.org and shipped in Chrome, Firefox, Safari and Edge) bake the HSTS policy into the browser binary, so even the very first visit cannot be downgraded to HTTP. A header-only policy protects a browser only after it has seen the header once over HTTPS, which leaves that first connection open to an SSL-stripping attacker. The `preload` directive on the STS header signals operator consent for inclusion. hstspreload.org accepts a domain only if the header served on the apex over HTTPS carries `max-age` ≥ 31536000 (1 year) plus the `includeSubDomains` and `preload` tokens, HTTP on the same host redirects to HTTPS, and every subdomain is reachable over HTTPS. The `preload` token itself is a vendor extension not normatively defined by RFC 6797; a conforming user agent simply ignores directives it does not recognise, so adding it is harmless. This check returns na when no HSTS header is present at all, so merchants fix the prerequisite first.

Which AI surfaces it affects

  • Google AI Mode (UCP): 50
  • ChatGPT (ACP): 50
  • Perplexity: 40
  • Microsoft Copilot: 40
  • Meta AI: 30

Weighted against the live specs — ACP 2026-04-17, UCP 2026-04-08.

How to fix it

Add `preload` to your Strict-Transport-Security header and submit to hstspreload.org

Shopify

One click
  1. Shopify ships HSTS with `preload` on its managed domains. If you're on a custom domain, your domain may need to be submitted to hstspreload.org separately.
  2. Check current status: https://hstspreload.org/?domain=yourdomain.com

BigCommerce

Developer
  1. BigCommerce's CDN-fronted SSL ships HSTS with preload on its managed domains.
  2. For custom domains, you may need to configure the preload directive at the CDN layer and submit to hstspreload.org.

WooCommerce

Developer
  1. Edit your server config (`.htaccess` for Apache, or the nginx server block) so that every HTTPS response carries the STS header `max-age=31536000; includeSubDomains; preload`.
  2. Confirm all subdomains support HTTPS, then submit at https://hstspreload.org/.

Custom / headless

Developer
  1. Confirm every subdomain you operate, including internal, staging and mail hosts, is reachable over HTTPS. Once `includeSubDomains` is preloaded, an HTTP-only subdomain becomes unreachable for every browser user, and removal from the preload list can take months to reach users.
  2. Set the Strict-Transport-Security header to `max-age=31536000; includeSubDomains; preload` on every HTTPS response (1-year max-age is the preload-list minimum). Rolling out with a short max-age first (hstspreload.org suggests 5 minutes, then a week, then a year) limits the damage if a subdomain turns out to be HTTP-only.
  3. Make sure port 80 on the apex redirects to HTTPS on the same host, then submit your apex domain at https://hstspreload.org/ once the header has been live for at least a few days.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
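
As an added example (not the audit tool's own code), the following Python applies the rules from "What this check looks for" and the Custom / headless steps above to constructed sample responses. It parses the header the way RFC 6797 tells browsers to (case-insensitive directive names, optionally quoted values, a duplicate directive or a non-numeric max-age invalidates the whole header, and only the first STS field in a response counts), then applies the hstspreload.org header requirements and returns na, fail or pass like the check on this page. The shop names and headers are constructed; the network-side requirements (same-host redirect, subdomain reachability) are outside what an offline script can verify.

```python
"""Evaluate a Strict-Transport-Security header for preload eligibility.

Added example, not the audit tool's code. Parsing follows RFC 6797 section
6.1 and 8.1; the eligibility thresholds follow hstspreload.org.
"""

ONE_YEAR = 31536000  # seconds; hstspreload.org minimum for max-age


def parse_hsts(value):
    """Parse one STS header value into {directive_name: value_or_None}.

    Returns None when a browser would ignore the header: a directive that
    appears twice, or a missing/non-numeric max-age (RFC 6797 section 6.1).
    Directive names are case-insensitive; values may be quoted strings.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, sep, raw = part.partition("=")
        name = name.strip().lower()
        val = raw.strip() if sep else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string value, e.g. max-age="31536000"
        if name in directives:
            return None  # duplicate directive: the whole header is ignored
        directives[name] = val
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        return None
    return directives


def evaluate_preload(headers):
    """Return (status, reason) for the preload check.

    `headers` is a list of (name, value) pairs received over HTTPS from the
    apex domain. Status is 'na' (no HSTS at all, fix that first), 'fail'
    (HSTS present but not preload-eligible) or 'pass'.
    """
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return "na", "no Strict-Transport-Security header"
    # RFC 6797 section 8.1: only the first STS header field is processed
    policy = parse_hsts(sts[0])
    if policy is None:
        return "fail", "STS header is malformed and will be ignored by browsers"
    max_age = int(policy["max-age"])
    if max_age < ONE_YEAR:
        return "fail", f"max-age={max_age} is below the 1-year preload minimum"
    if "includesubdomains" not in policy:
        return "fail", "includeSubDomains missing"
    if "preload" not in policy:
        return "fail", "preload directive missing"
    return "pass", "header meets hstspreload.org requirements"


# Constructed sample responses (hypothetical shops, not captured traffic).
SAMPLES = {
    "shop-a": [("Content-Type", "text/html"),
               ("Strict-Transport-Security",
                "max-age=31536000; includeSubDomains; preload")],
    "shop-b": [("Strict-Transport-Security", "max-age=300; includeSubDomains")],
    "shop-c": [("strict-transport-security",
                'MAX-AGE="31536000"; IncludeSubDomains; Preload;')],
    "shop-d": [("Strict-Transport-Security",
                "max-age=31536000; max-age=0; preload")],
    "shop-e": [("Content-Type", "text/html")],
    "shop-f": [("Strict-Transport-Security", "max-age=31536000; preload"),
               ("Strict-Transport-Security",
                "max-age=31536000; includeSubDomains; preload")],
}


def run_all(samples=SAMPLES):
    """Evaluate every sample response and return {shop: (status, reason)}."""
    return {shop: evaluate_preload(hdrs) for shop, hdrs in samples.items()}


if __name__ == "__main__":
    for shop, (status, reason) in run_all().items():
        print(f"{shop}: {status} ({reason})")
```

shop-c passes despite the odd casing and quoting, shop-d fails because the duplicated max-age makes browsers drop the header entirely, and shop-f fails because only the first of its two STS fields is honoured, a common outcome when both an origin and a CDN add the header.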

The spec it's pinned to

  • RFC 6797 — HSTS `preload` directive (vendor extension)

    The `preload` token signals operator consent for inclusion in the browser HSTS preload list (hstspreload.org). Inclusion bakes HSTS into the browser binary so first-time visits can never be downgraded.

HSTS preload list submission (hstspreload.org)

Does your store pass this check?

Run the full audit — 82 checks across five AI shopping surfaces. Most tools only check whether you get mentioned; we check whether an agent can buy from you.
