pshtt - Scan domains and return data based on HTTPS best practices.

pshtt ("pushed") is a tool to scan domains for HTTPS best practices. It saves its results to a CSV (or JSON) file.

Getting Started

pshtt can be installed as a module, or run directly from the repository.

Installed as a module

pshtt can be installed directly via pip:
pip install pshtt
It can then be run directly:
pshtt [options]

Running directly

To run the tool locally from the repository, without installing, first install the requirements:
pip install -r requirements.txt
Then run it as a module via python -m:
python -m pshtt.cli [options]

Usage and examples

pshtt [options] DOMAIN...
pshtt [options] INPUT

pshtt --output=homeland.csv --debug
pshtt --sorted current-federal.csv
Note: if INPUT ends with .csv, domains will be read from the first column of the CSV. CSV output will always be written to disk (unless --json is specified), defaulting to results.csv.


  -h --help                     Show this message.
  -s --sorted                   Sort output by domain, A-Z.
  -o --output=OUTFILE           Name output file. (Defaults to "results".)
  -j --json                     Get results in JSON. (Defaults to CSV.)
  -m --markdown                 Get results in Markdown. (Defaults to CSV.)
  -d --debug                    Print debug output.
  -u --user-agent=AGENT         Override user agent.
  -t --timeout=TIMEOUT          Override timeout (in seconds).
  -c --cache-third-parties=DIR  Cache third party data, and
                                 what directory to cache it in.
  -f --ca-file=PATH             Specify custom CA bundle (PEM format)
Using your own CA Bundle

By default, pshtt relies on the root CAs that are trusted in the Mozilla root store. If you work behind a corporate proxy or have your own certificates that aren't publicly trusted, you can specify your own CA bundle:
pshtt --ca-file=/etc/ssl/ca.pem

Using Docker (optional)

./run [opts]
opts are the same arguments that would get passed to pshtt.

What's Checked?

A domain is checked on its four endpoints:
  • http://
  • http://www
  • https://
  • https://www
The following values are returned in results.csv:

Domain and redirect info

  • Domain - The domain you're scanning!
  • Base Domain - The base domain of Domain. For example, for a Domain of, the Base Domain will be Usually this is the second-level domain, but pshtt will download and factor in the Public Suffix List when calculating the base domain. (To cache the Public Suffix List, use --suffix-cache as documented above.)
  • Canonical URL - One of the four endpoints described above; a judgment call based on the observed redirect logic of the domain.
  • Live - The domain is "live" if any endpoint is live.
  • Redirect - The domain is a "redirect domain" if at least one endpoint is a redirect, and all endpoints are either redirects or down.
  • Redirect to - If a domain is a "redirect domain", where does it redirect to?

Landing on HTTPS

  • Valid HTTPS - A domain has "valid HTTPS" if it responds on port 443 at the hostname in its Canonical URL with an unexpired valid certificate for the hostname. This can be true even if the Canonical URL uses HTTP.
  • Defaults to HTTPS - A domain "defaults to HTTPS" if its canonical endpoint uses HTTPS.
  • Downgrades HTTPS - A domain "downgrades HTTPS" if HTTPS is supported in some way, but its canonical HTTPS endpoint immediately redirects internally to HTTP.
  • Strictly Forces HTTPS - This is different from whether a domain "defaults" to HTTPS. A domain "Strictly Forces HTTPS" if one of the HTTPS endpoints is "live", and if both HTTP endpoints are either down or redirect immediately to any HTTPS URI. An HTTP redirect can go to HTTPS on another domain, as long as it's immediate. (A domain with an invalid cert can still be enforcing HTTPS.)

Common errors

  • HTTPS Bad Chain - A domain has a bad chain if either HTTPS endpoint contains a bad chain.
  • HTTPS Bad Hostname - A domain has a bad hostname if either HTTPS endpoint fails hostname validation.
  • HTTPS Expired Cert - A domain has an expired certificate if either HTTPS endpoint has an expired certificate.

HSTS

  • HSTS - A domain has HTTP Strict Transport Security enabled if its canonical HTTPS endpoint has HSTS enabled.
  • HSTS Header - This field provides a domain's HSTS header at its canonical endpoint.
  • HSTS Max Age - A domain's HSTS max-age is its canonical endpoint's max-age.
  • HSTS Entire Domain - A domain has HSTS enabled for the entire domain if its root HTTPS endpoint (not the canonical HTTPS endpoint) has HSTS enabled and uses the HSTS includeSubDomains flag.
  • HSTS Preload Ready - A domain is HSTS "preload ready" if its root HTTPS endpoint (not the canonical HTTPS endpoint) has HSTS enabled, has a max-age of at least 18 weeks, and uses the includeSubDomains and preload flag.
  • HSTS Preload Pending - A domain is "preload pending" when it appears in the Chrome preload pending list.
  • HSTS Preloaded - A domain is HSTS preloaded if its domain name appears in the Chrome preload list, regardless of what header is present on any endpoint.
  • Base Domain HSTS Preloaded - A domain's base domain is HSTS preloaded. This is subtly different from HSTS Entire Domain, which inspects headers on the base domain to see if HSTS is set correctly to encompass the entire zone. This checks the preload list directly.
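The HSTS fields above all derive from one header value, so here is an added example (not pshtt's own code) that parses a Strict-Transport-Security header and computes HSTS, HSTS Max Age, HSTS Entire Domain, HSTS Preload Ready, and the "Domain Uses Strong HSTS" threshold from the scoring section below. The function and field names are this example's own; what counts as "HSTS enabled" (a positive max-age) is an assumption stated in the code. The header values are constructed, not captured from any real domain.

```python
# Added example (not pshtt's own code): parse a Strict-Transport-Security header and
# derive the README's domain-level HSTS fields from the canonical and root HTTPS endpoints.

# 18 weeks in seconds, the README's minimum max-age for "HSTS Preload Ready".
PRELOAD_READY_MIN_AGE = 18 * 7 * 24 * 60 * 60      # 10886400
# One year in seconds, the README's threshold for "Domain Uses Strong HSTS".
STRONG_HSTS_MIN_AGE = 31536000


def parse_hsts(header):
    """Split an HSTS header value into its directives (RFC 6797 names are case-insensitive).

    Returns None when no header was sent, otherwise a dict with max_age (int, or None when
    the directive is missing or malformed), include_subdomains and preload (bools).
    """
    if header is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')           # max-age="600" is a legal quoted form
        if name == "max-age" and value.isdigit():
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def _enabled(parsed):
    # Assumption made in this example: a policy counts as enabled only with a positive
    # max-age; max-age=0 is how a site tells browsers to forget the policy.
    return parsed is not None and parsed["max_age"] is not None and parsed["max_age"] > 0


def hsts_fields(canonical_header, root_header):
    """Derive the README's HSTS columns.

    canonical_header: header from the canonical HTTPS endpoint (may be the www host).
    root_header: header from the root HTTPS endpoint, which the README says decides
    "HSTS Entire Domain" and "HSTS Preload Ready".
    """
    canonical = parse_hsts(canonical_header)
    root = parse_hsts(root_header)
    max_age = canonical["max_age"] if canonical else None
    return {
        "hsts": _enabled(canonical),
        "hsts_header": canonical_header,
        "hsts_max_age": max_age,
        "hsts_entire_domain": _enabled(root) and root["include_subdomains"],
        "hsts_preload_ready": (_enabled(root) and root["max_age"] >= PRELOAD_READY_MIN_AGE
                               and root["include_subdomains"] and root["preload"]),
        "domain_uses_strong_hsts": _enabled(canonical) and max_age >= STRONG_HSTS_MIN_AGE,
    }


if __name__ == "__main__":
    # Constructed header values, not captured from a real domain.
    strong = "max-age=31536000; includeSubDomains; preload"
    short = "max-age=10886399; includeSubDomains; preload"   # one second under 18 weeks
    for canon, root in [(strong, strong), ("max-age=300", None), (short, short)]:
        print(canon, root, hsts_fields(canon, root), sep="\n  ")
```

Note that a header of `max-age=300` on the canonical endpoint yields HSTS = True but neither Entire Domain nor Preload Ready, since those two look at the root endpoint and need includeSubDomains (and, for preload readiness, preload plus at least 18 weeks).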

Scoring

These three fields use the previous results to come to high-level conclusions about a domain's behavior.
  • Domain Supports HTTPS - A domain 'Supports HTTPS' when it doesn't downgrade and has valid HTTPS, or when it doesn't downgrade and has a bad chain but not a bad hostname (a bad hostname makes it clear the domain isn't actively attempting to support HTTPS, whereas an incomplete chain is just a mistake). Domains with a bad chain "support" HTTPS but user-side errors can be expected.
  • Domain Enforces HTTPS - A domain that 'Enforces HTTPS' must 'Support HTTPS' and default to HTTPS. For websites (where Redirect is false) they are allowed to eventually redirect to an https:// URI. For "redirect domains" (domains where the Redirect value is true) they must immediately redirect clients to an https:// URI (even if that URI is on another domain) in order to be said to enforce HTTPS.
  • Domain Uses Strong HSTS - A domain 'Uses Strong HSTS' when the max-age ≥ 31536000.
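To show how the endpoint observations in "Domain and redirect info", "Landing on HTTPS" and "Common errors" combine into the three scoring conclusions, here is an added example (not pshtt's own code) that models the four endpoints and derives Live, Redirect, Valid HTTPS, Defaults to HTTPS, Downgrades HTTPS, Strictly Forces HTTPS, the bad-chain and bad-hostname flags, and from them Domain Supports HTTPS and Domain Enforces HTTPS, following the README's wording. The `Endpoint` class, field names, and the three scenarios are constructed for this example; the canonical endpoint is taken as an input because the README calls it a judgment call, and "redirects internally" is approximated by comparing against the domain and its www host rather than consulting the Public Suffix List.

```python
# Added example (not pshtt's own code): derive the README's domain-level columns and
# scores from constructed observations of the four endpoints.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Endpoint:
    """One probed endpoint (http://, http://www, https://, https://www)."""
    url: str
    live: bool = True                               # endpoint answered at all
    https_valid: bool = False                       # HTTPS only: unexpired cert, good chain, matching hostname
    bad_chain: bool = False                         # HTTPS only: chain failed to validate
    bad_hostname: bool = False                      # HTTPS only: cert does not cover the hostname
    redirect_immediately_to: Optional[str] = None   # first-hop Location, if the endpoint redirects
    redirect_eventually_to: Optional[str] = None    # where the redirect chain finally lands

    @property
    def is_redirect(self):
        return self.live and self.redirect_immediately_to is not None


def _is_https(url):
    return url is not None and urlparse(url).scheme == "https"


def domain_fields(domain, endpoints, canonical):
    """endpoints: dict keyed "http", "httpwww", "https", "httpswww".
    canonical: one of those keys, chosen by the caller (the README calls it a judgment call)."""
    http, httpwww = endpoints["http"], endpoints["httpwww"]
    https, httpswww = endpoints["https"], endpoints["httpswww"]
    canon = endpoints[canonical]
    # "Valid HTTPS" and "Downgrades HTTPS" look at the HTTPS endpoint on the canonical
    # hostname, even when the canonical URL itself is HTTP.
    canon_https = httpswww if canonical.endswith("www") else https
    internal_hosts = {domain, "www." + domain}      # "internally", approximated without the PSL

    live = any(e.live for e in endpoints.values())
    redirect = (any(e.is_redirect for e in endpoints.values())
                and all(e.is_redirect or not e.live for e in endpoints.values()))
    valid_https = canon_https.live and canon_https.https_valid
    defaults_to_https = _is_https(canon.url)
    first_hop = urlparse(canon_https.redirect_immediately_to or "")
    downgrades_https = ((https.live or httpswww.live) and canon_https.live
                        and first_hop.scheme == "http" and first_hop.hostname in internal_hosts)
    strictly_forces_https = (https.live or httpswww.live) and all(
        not e.live or _is_https(e.redirect_immediately_to) for e in (http, httpwww))
    # Common errors: either HTTPS endpoint is enough to flag the domain.
    bad_chain = https.bad_chain or httpswww.bad_chain
    bad_hostname = https.bad_hostname or httpswww.bad_hostname

    # Scoring per the README: a bad chain is forgiven, a bad hostname is not, and a
    # redirect domain must hop straight to an https:// URI (reading chosen in this example).
    supports_https = not downgrades_https and (valid_https or (bad_chain and not bad_hostname))
    enforces_https = supports_https and defaults_to_https and (
        not redirect or _is_https(canon.redirect_immediately_to))

    return {"live": live, "redirect": redirect,
            "redirect_to": canon.redirect_eventually_to if redirect else None,
            "valid_https": valid_https, "defaults_to_https": defaults_to_https,
            "downgrades_https": downgrades_https, "strictly_forces_https": strictly_forces_https,
            "https_bad_chain": bad_chain, "https_bad_hostname": bad_hostname,
            "domain_supports_https": supports_https, "domain_enforces_https": enforces_https}


def _ep(url, live=True, valid=False, to=None, final=None, **flags):
    """Shorthand for building constructed Endpoint observations."""
    return Endpoint(url, live, valid, redirect_immediately_to=to,
                    redirect_eventually_to=final or to, **flags)


# Constructed observations, not real scan output: (canonical key, endpoints).
SAMPLES = {
    # http and http://www hop straight to HTTPS; https:// answers with a valid certificate.
    "well_behaved": ("https", {
        "http": _ep("http://example.gov", to="https://example.gov/"),
        "httpwww": _ep("http://www.example.gov", to="https://www.example.gov/", final="https://example.gov/"),
        "https": _ep("https://example.gov", valid=True),
        "httpswww": _ep("https://www.example.gov", valid=True, to="https://example.gov/")}),
    # HTTPS works but immediately sends visitors back to plain HTTP: "Downgrades HTTPS".
    "downgrader": ("http", {
        "http": _ep("http://example.gov"),
        "httpwww": _ep("http://www.example.gov", to="http://example.gov/"),
        "https": _ep("https://example.gov", valid=True, to="http://example.gov/"),
        "httpswww": _ep("https://www.example.gov", live=False)}),
    # Every endpoint immediately redirects off-domain to an https:// URI: a "redirect domain".
    "redirector": ("https", {key: _ep(url, valid=url.startswith("https"), to="https://other.example/")
                             for key, url in (("http", "http://example.gov"), ("httpwww", "http://www.example.gov"),
                                              ("https", "https://example.gov"), ("httpswww", "https://www.example.gov"))}),
}


def score(name):
    canonical, endpoints = SAMPLES[name]
    return domain_fields("example.gov", endpoints, canonical)


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, score(name))
```

The downgrader scenario is the instructive one: its Valid HTTPS is true (the certificate on https://example.gov is fine) while the canonical URL is HTTP, exactly the case the README flags, and the downgrade alone is enough to fail Domain Supports HTTPS.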
