Unsure about HSTS preload: submit or not, and how do I get out again?
HSTS preload pins your domain into the hardcoded list of Chrome, Firefox, Safari, Edge. No browser will ever do HTTP for your domain again. Strong for security, but exiting can take months. Only submit after everything is 100 percent HTTPS, including all subdomains.
Try this first
- 1Prerequisites: all subdomains on HTTPS, server sends HSTS header with max-age 31536000 (1 year) plus includeSubDomains plus preload.
- 2Test at hstspreload.org whether you qualify. If the check fails, fix it first, submit after.
- 3Submit at hstspreload.org. It takes weeks to months until it ships in browser releases.
- 4Realize that removal via the removal procedure takes the same months. A misconfigured subdomain stuck on HTTP locks that domain out for customers.
- 5For SMB: a server-side HSTS header is usually enough, preload is for those who want 100 percent browser certainty.
When to bring us in
If you want to submit preload and want to be sure all paths are ready, we can run a pre-check that flags red flags before submission.
See also
- Domain expires tomorrow and nobody saw the emailAn expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renewDisabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find itEPP code or transfer code is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.