How can I see which sites have set the HSTS flag in my browser?

Question

My question is about Firefox and Chrome.

Is there a possibility to see which sites have set the HSTS flag in my browser?

For those on MacOS, the Firefox profile directories are under: `~/Library/Application\ Support/Firefox/Profiles` — Ajoy Bhatia, Nov 08 '16 at 22:46

score 39 · Accepted Answer · edited Oct 14 '19 at 15:52

39

Chrome:

Open Chrome
Type chrome://net-internals/#hsts in the address bar of chrome
Query domain: if it appears as a result, it is HSTS-enabled

Firefox:

Open file explorer
Copy and paste the following path into the address bar of your file explorer
- On Windows: %APPDATA%\Mozilla\Firefox\Profiles\
- On Linux: ~/.mozilla/firefox
- On Mac: ~/Library/Application Support/Firefox/Profiles
Double click the folder you see (if you have multiple Firefox profiles, there will be multiple folders)
Open SiteSecurityServiceState.txt. This textfile contains sites that have enabled HSTS.

edited Oct 14 '19 at 15:52

StackzOfZtuff

17,783
1
50
86

answered Jul 02 '15 at 12:23

Michael

5,393
2
32
57

1

So, there is no list for Chrome, just the queries? – HorstKevin Jul 02 '15 at 18:28
1

Not as far as I know. You could take a look at the preloaded list: http://www.chromium.org/hsts – Michael Jul 02 '15 at 18:51
Yes, I know. But there are also sites which I visited which are not on the preload list. – HorstKevin Jul 03 '15 at 07:05
I don't recall if it was there in 2015, but since at least my oldest mothballed system (XP, yes I said XP, with Firefox 52.9 from 2018) the in-use profile directory is available in Help / Troubleshooting Information – dave_thompson_085 Aug 20 '21 at 00:39

score 5 · Answer 2 · edited Aug 19 '21 at 14:39

5

There is a Firefox plug-in called PinPatrol that lists all sites (preloaded and visited) known to have HSTS support.

This is a Firefox extension that shows in a readable format, the state of HSTS and HPKP domains stored by the browser. Firefox does not have a native way to show these domains or this functionality documented.

edited Aug 19 '21 at 14:39

schroeder

123,438
55
284
319

answered Oct 03 '16 at 15:29

user126310

51
1
1

score 1 · Answer 3 · edited Aug 19 '21 at 13:55

1

You can find the full Chrome HSTS list in the Chromium source code file transport_security_state_static.json

Firefox uses the same list.

edited Aug 19 '21 at 13:55

schroeder

123,438
55
284
319

answered Aug 19 '21 at 13:50

H3V2

11
1

1

That's the preload list, and OP said in 2015 they don't want only preloads but also site dynamic settings. – dave_thompson_085 Aug 20 '21 at 00:41

How can I see which sites have set the HSTS flag in my browser?

3 Answers3