Monitoring and Testing HSTS
Monitoring and Testing HSTS
Browser testing:
// Check HSTS status in Chrome: open the page below and query the domain
// chrome://net-internals/#hsts
// Test HSTS with curl: look for the strict-transport-security header in the response
curl -I https://example.com -v
// Automated HSTS monitoring
const https = require('https');
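/**
 * Split one Strict-Transport-Security field value into its directives.
 *
 * Directive names are case-insensitive and a value may be a quoted string
 * (RFC 6797, section 6.1), so names are lower-cased and one pair of
 * surrounding double quotes is stripped from each value. When a directive
 * name occurs more than once, only its first occurrence is kept.
 *
 * @param {string} headerValue - A single Strict-Transport-Security field value.
 * @returns {Map<string, string>} Lower-cased directive name mapped to its
 *   value ('' for directives that carry no value).
 */
function parseHstsDirectives(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const separator = part.indexOf('=');
    const name = (separator === -1 ? part : part.slice(0, separator)).trim().toLowerCase();
    if (name === '' || directives.has(name)) {
      continue;
    }
    const rawValue = separator === -1 ? '' : part.slice(separator + 1).trim();
    directives.set(name, rawValue.replace(/^"(.*)"$/, '$1'));
  }
  return directives;
}

/**
 * Fetch https://<hostname> and report the HSTS policy the server advertises.
 *
 * The request uses Node's default certificate validation, so a host with a
 * broken certificate rejects instead of reporting a policy; browsers also
 * ignore HSTS headers received over a connection with TLS errors, so that is
 * the behaviour a monitor wants. `hostname` is interpolated into the URL
 * without validation and is expected to come from trusted configuration.
 *
 * @param {string} hostname - Host to probe (no scheme).
 * @returns {Promise<{hostname: string, hasHSTS: boolean, value: (string|undefined),
 *   maxAge: number, includesSubdomains: boolean, preload: boolean}>}
 *   `value` is the raw header as received. `maxAge` is 0 when the header or a
 *   numeric max-age directive is missing.
 * @throws Rejects with the request error on connection/TLS failure or timeout.
 */
function checkHSTS(hostname) {
  return new Promise((resolve, reject) => {
    const request = https.get(`https://${hostname}`, { timeout: 10000 }, (res) => {
      // Only the headers matter; drain the body so the socket is released.
      res.resume();

      const hsts = res.headers['strict-transport-security'];
      // Node joins repeated header fields with ', '. RFC 6797 section 8.1 has
      // user agents process only the first field, so evaluate that one.
      const firstField = typeof hsts === 'string' ? hsts.split(',')[0] : '';
      const directives = parseHstsDirectives(firstField);
      const maxAgeText = directives.get('max-age') ?? '';

      resolve({
        hostname,
        hasHSTS: !!hsts,
        value: hsts,
        // A missing or non-numeric max-age yields 0 rather than NaN.
        maxAge: /^\d+$/.test(maxAgeText) ? Number.parseInt(maxAgeText, 10) : 0,
        // Exact, case-insensitive directive match; a substring test would also
        // accept unrelated tokens that merely contain the directive name.
        includesSubdomains: directives.has('includesubdomains'),
        preload: directives.has('preload'),
      });
    });

    // Without a timeout a stalled host would keep the monitor waiting forever.
    request.on('timeout', () => {
      request.destroy(new Error(`Timed out fetching https://${hostname}`));
    });
    request.on('error', reject);
  });
}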
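// Monitor multiple domains
const domains = ['example.com', 'app.example.com', 'api.example.com'];

// allSettled rather than all: Promise.all rejects on the first failure, so one
// unreachable host or failed TLS handshake would hide every other result (and
// surface as an unhandled rejection). Failed hosts are reported alongside the
// successful checks instead.
Promise.allSettled(domains.map(checkHSTS)).then((outcomes) => {
  const results = outcomes.map((outcome, index) =>
    outcome.status === 'fulfilled'
      ? outcome.value
      : {
          hostname: domains[index],
          error: String(outcome.reason?.message ?? outcome.reason),
        },
  );
  console.log('HSTS Status:', results);
});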