What does max-age actually do?

It tells the browser to remember "this domain is HTTPS-only" for that many seconds. While the memory holds, the browser refuses any plain-http navigation to the domain and upgrades it to https before sending.

Is preload reversible?

Slowly. Submitting to the Chromium preload list is easy; removal requires a separate request and can take months to propagate to all browser releases. Don't enable preload until you're sure every subdomain works on HTTPS.

HSTS Header Builder

Network

Turns a small set of toggles into the Strict-Transport-Security header that tells every browser to stick to HTTPS on your domain. Includes three presets — a 5-minute rollout window for new policies, a sane 1-year production setting with includeSubDomains, and the 2-year+ configuration that the HSTS preload list requires. The eligibility block lights up when your settings match Chromium's preload submission requirements so you know it's safe to apply.

—

Presets

max-age (seconds)Duration: 1.00 y · 63072000 (2 y) required for the preload list.

includeSubDomainspreload

Response header

Strict-Transport-Security: max-age=31536000; includeSubDomains

Preload list eligibilityNot eligible

✓max-age ≥ 31536000 (1 year)
✓includeSubDomains is on
×preload directive is on

Apply this on every HTTPS response. Only the eldest matching policy a browser has seen is the one it enforces.

How to use

Start with the rollout preset (5 min) when first turning HSTS on — it's easy to back out if something breaks.
Once stable, jump to the production preset (1 year + includeSubDomains).
Only enable preload when you've confirmed every subdomain works on HTTPS forever — preload removal takes months.

Frequently asked questions

What does max-age actually do?: It tells the browser to remember "this domain is HTTPS-only" for that many seconds. While the memory holds, the browser refuses any plain-http navigation to the domain and upgrades it to https before sending.
Is preload reversible?: Slowly. Submitting to the Chromium preload list is easy; removal requires a separate request and can take months to propagate to all browser releases. Don't enable preload until you're sure every subdomain works on HTTPS.

Related tools

IP Address Inspector

Type an IPv4 or IPv6 address and see its class, scope (private / public / loopback / link-local), decimal value, binary, reverse-DNS notation, and /32 CIDR.

Network00

Port Number Reference

Searchable cheat sheet for ~60 standard TCP / UDP port numbers — from 22 (SSH) and 80 (HTTP) to 6379 (Redis) and 27017 (MongoDB).

Network00

DNS Record Reference

Searchable cheat sheet for DNS record types — A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSSEC, SVCB / HTTPS — with examples.

Network00

Subnet Calculator (IPv4 / CIDR)

Parse an IPv4 CIDR into network address, broadcast, netmask, wildcard, host range, and class. Shows binary breakdown and private/public status.

Network00

User Agent Parser

Parse a User-Agent string into browser, engine, OS, device, and CPU. Detects 20+ bots including GPTBot, ClaudeBot, PerplexityBot.

Network00

HTTP Status Code Reference

Searchable list of every HTTP status code (1xx-5xx) with summary, RFC, when to use, and common pitfalls.

Network00