What does the HSTS Checker API do?

It checks whether a domain sends a valid HTTP Strict Transport Security (HSTS) header and extracts its policy details.

Does this API modify the target site?

No. The API performs a read-only HTTPS request and inspects response headers.

Can this API be used for monitoring?

Yes. It is suitable for automation, audits, and security monitoring workflows.

Developer interface

HSTS Checker API

Detect and analyse HTTP Strict Transport Security (HSTS) headers for any domain.

The Velohost HSTS Checker API provides a programmatic way to inspect HTTP Strict Transport Security (HSTS) policies for any HTTPS-enabled domain.

It performs a live HTTPS request and analyses the Strict-Transport-Security response header.

Base API URL

All endpoints listed below are relative to this base URL.

Base API URL https://api.velohost.co.uk/hsts-checker/

Rate limiting

This API is protected by a global rate limit to ensure fair usage and platform stability.

Limit: 30 requests per 10 seconds per IP address
Burst traffic is allowed
No authentication required
Requests exceeding the limit return HTTP 429

This limit applies across all Velohost public APIs.

Error responses

The API uses standard HTTP status codes to indicate errors.

429 Too Many Requests

Returned when the global rate limit is exceeded.

{
  "detail": "Rate limit exceeded"
}

400 Bad Request

Returned when the domain parameter is missing or invalid.

Endpoints

Check HSTS policy

Performs an HTTPS request to the target domain and inspects the Strict-Transport-Security response header.

Request

GET /lookup?domain=example.com

Response

{
"domain": "example.com",
  "hsts_enabled": false,
  "max_age": null,
  "include_subdomains": false,
  "preload": false,
  "raw_header": null,
  "source": "https-response"
}

Learn more

Explore the tool, documentation, and guides.

Use the HSTS Checker tool HSTS FAQs