We want to apply for HSTS preload.
HSTS preload is hardcore: once on, you can't fall back to HTTP without months of browser warnings. Only enable when every subdomain is HTTPS-only.
Try this first
1. Verify the apex, the www variant and all subdomains serve HTTPS without errors: no mixed content, no expired certificates.
2. Add the HSTS header via your web server or Cloudflare: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
3. Run the header at a short max-age first (e.g. 86400, one day) for a couple of months. At that stage you can still back out without damage.
4. No issues? Set max-age to 31536000 (a year) and keep it there for a week or two.
5. Submit the domain at hstspreload.org. Google's list leads; the other browsers follow it.
6. Document that HSTS preload is active: rollback takes months to a year, because browsers cache the rule.
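To check the header you are serving at steps 3 and 4 against what the preload submission requires (max-age of at least one year, includeSubDomains, preload), here is an added example written for this page; it is not hstspreload.org's own checker, and the header strings in it are constructed:

```python
"""Parse a Strict-Transport-Security header and report what keeps it from
passing the hstspreload.org submission check.

Directive syntax follows RFC 6797: directives separated by ';', names are
case-insensitive, values may be quoted, and a repeated directive makes the
whole header invalid. Constructed illustration, not the preload service's code.
"""
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


def parse_hsts(header: str) -> dict:
    """Return {directive_name: value_or_None}; raise on a duplicated directive."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def preload_problems(header: str) -> list[str]:
    """List what stops this header from being preload-ready; [] means the header
    is fine (site-wide HTTPS and the HTTP->HTTPS redirect are checked separately)."""
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # The step-3 header (one day) versus the header submitted at step 5.
    for h in ("max-age=86400", "max-age=31536000; includeSubDomains; preload"):
        print(h, "->", preload_problems(h) or "preload-ready")
```

Feed it the value returned by your server (for example from the response headers in the browser's developer tools) to see which of the three requirements is still outstanding before submitting.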
When to bring us in
Running a site for an org where HTTP fallback could ever be needed (legacy systems, IoT devices on subdomains)? Don't enable HSTS preload without a security engineer who has weighed the impact.
See also
- WordPress, plugins and theme have gone 6+ months without updates: out-of-date WP is the number-one entry point for malware. Don't just hit 'update all', back up first.
- Theme update broke the layout or threw a fatal error: themes overwrite custom CSS on update unless you use a child theme.
- WordPress shows a blank screen after a plugin install or update: a WSOD (white screen of death) is usually one crashing plugin. You isolate it.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.