
What’s the best approach to enforce HSTS preload for all subdomains?

Asked on Sep 16, 2025

Answer

To enforce HSTS preload for all subdomains, you should include the `preload` directive in your HSTS header and ensure your domain is submitted to the HSTS preload list. This helps browsers automatically enforce HTTPS for your domain and its subdomains.

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Additional Comment:
  • Ensure your entire site and all subdomains are served over HTTPS before enabling HSTS with `preload`.
  • Once preloaded, your domain will be hardcoded into browsers to enforce HTTPS, which cannot be easily reversed.
  • Regularly check your site's eligibility for the preload list at hstspreload.org.

✅ Answered with Security best practices.

