What is the Hsts Checker API designed for?

It is designed for production diagnostics and automation workflows where teams need deterministic JSON output for monitoring, deployment checks, and incident triage.

What input formats are accepted for the domain parameter?

You can submit a plain domain, http URL, or https URL. The endpoint normalizes input to a hostname before lookup so integrations can pass user-entered values safely.

Is this endpoint stateless?

Yes. Requests are processed live and returned immediately. Submitted values are not persisted as long-term records by default.

How should teams handle rate limits?

Use retries with exponential backoff and queue burst traffic in workers. Avoid high-concurrency spikes from parallel CI jobs.

Can this endpoint be used in CI/CD and scheduled checks?

Yes. Responses are machine-readable and suitable for deployment gates, synthetic checks, and recurring monitoring tasks.

How should errors be handled in production?

Check HTTP status codes first, then parse structured JSON errors. Treat 4xx as input/config issues and 5xx as transient service failures requiring retry logic.

Is the API safe for compliance-sensitive workflows?

The endpoints are designed for stateless request/response diagnostics. For regulated environments, keep your own request logs and retention policies in your infrastructure.

Does this API guarantee rankings, indexing, or business outcomes?

No. It provides technical signals only. Outcomes depend on your implementation quality, infrastructure state, and external platform behavior.

HSTS Checker API

Detect and analyse HTTP Strict Transport Security (HSTS) headers for any domain.

Live diagnostics • Stateless processing • API-ready output

Last Updated: 01 April 2026

The Velohost HSTS Checker API provides a programmatic way to inspect HTTP Strict Transport Security (HSTS) policies for any HTTPS-enabled domain.

It performs a live HTTPS request and analyses the Strict-Transport-Security response header.

Base API URL

All endpoints listed below are relative to this base URL.

Base API URL https://api.velohost.co.uk/hsts-checker/

Rate Limiting

This API is protected by a global rate limit to ensure fair usage and platform stability.

Limit: 30 requests per 10 seconds per IP address
Burst traffic is allowed
No authentication required
Requests exceeding the limit return HTTP 429

This limit applies across all Velohost public APIs.

Error responses

The API uses standard HTTP status codes to indicate errors.

429 Too Many Requests

Returned when the global rate limit is exceeded.

{
  "detail": "Rate limit exceeded"
}

400 Bad Request

Returned when the domain parameter is missing or invalid.

Endpoints

Check HSTS policy

Performs an HTTPS request to the target domain and inspects the Strict-Transport-Security response header.

Request

GET /lookup?domain=example.com

Response

<lbrace>'<lbrace>'<rbrace>
  "domain": "example.com",
  "hsts_enabled": false,
  "max_age": null,
  "include_subdomains": false,
  "preload": false,
  "raw_header": null,
  "source": "https-response"
<lbrace>'<rbrace>'<rbrace>

Implementation Guidance

For production use, validate input before sending requests, implement retry with exponential backoff on 429 or transient failures, and log normalized responses for trend monitoring.

Learn more

Explore the tool, documentation, and guides.

Use the HSTS Checker Tool HSTS FAQs