HSTS Preload Checklist

What to verify before enabling HSTS preload, including HTTPS consistency, subdomain readiness, and certificate coverage.

Problem

You want stronger HTTPS enforcement, but enabling HSTS preload too early can break subdomains or legacy traffic.

Symptoms

  • HTTP checks show missing or weak Strict-Transport-Security headers.
  • Some subdomains still depend on HTTP or incomplete TLS coverage.
  • You are unsure whether the whole domain is ready for preload-level enforcement.

Top 3 Causes

  1. Subdomains are not fully HTTPS-ready - Some hosts cannot reliably serve HTTPS yet.
  2. Certificate coverage is incomplete - SAN or wildcard coverage is not wide enough for includeSubDomains.
  3. Operational impact was not fully reviewed - Old links, redirects, or services still depend on HTTP behavior.

Diagnose with DechoNet

  • HTTP Check to inspect the current Strict-Transport-Security header and redirect behavior.
  • SSL Check to verify certificate health and hostname coverage across key subdomains.

Resolution Checklist

  • Confirm the apex domain and important subdomains all work over HTTPS.
  • Validate that certificate coverage is sufficient for the hosts affected by includeSubDomains.
  • Make sure all HTTP requests consistently redirect to HTTPS.
  • Review whether your header meets the expected max-age, includeSubDomains, and preload conditions.
  • Check that no production subdomain still depends on HTTP-only access.

When to Escalate

  • Escalate internally if multiple teams operate different subdomains and there is no domain-wide HTTPS policy.
  • Delay preload if any critical host still cannot support full HTTPS enforcement safely.
