diff --git a/pkgs/development/libraries/libhsts/default.nix b/pkgs/development/libraries/libhsts/default.nix
new file mode 100644
index 00000000000..df53e7d294f
--- /dev/null
+++ b/pkgs/development/libraries/libhsts/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitLab, fetchurl, autoconf-archive, autoreconfHook, pkg-config, python3 }:
+let
+  chromium_version = "90.0.4417.1";
+
+  hsts_list = fetchurl {
+    url = "https://raw.github.com/chromium/chromium/${chromium_version}/net/http/transport_security_state_static.json";
+    sha256 = "09f24n30x5dmqk8zk7k2glcilgr27832a3304wj1yp97158sqsfx";
+  };
+
+in
+stdenv.mkDerivation rec {
+  pname = "libhsts";
+  version = "0.1.0";
+
+  src = fetchFromGitLab {
+    owner = "rockdaboot";
+    repo = pname;
+    rev = "libhsts-${version}";
+    sha256 = "0gbchzf0f4xzb6zjc56dk74hqrmdgyirmgxvvsqp9vqn9wb5kkx4";
+  };
+
+  postPatch = ''
+    pushd tests
+    cp ${hsts_list} transport_security_state_static.json
+    sed 's/^ *\/\/.*$//g' transport_security_state_static.json >hsts.json
+    popd
+    patchShebangs src/hsts-make-dafsa
+  '';
+
+  nativeBuildInputs = [ autoconf-archive autoreconfHook pkg-config python3 ];
+
+  outputs = [ "out" "dev" ];
+
+  meta = with lib; {
+    description = "Library to easily check a domain against the Chromium HSTS Preload list";
+    homepage = "https://gitlab.com/rockdaboot/libhsts";
+    license = with licenses; [ mit bsd3 ];
+    maintainers = with maintainers; [ SuperSandro2000 ];
+  };
+}
diff --git a/pkgs/development/libraries/libhsts/update.sh b/pkgs/development/libraries/libhsts/update.sh
new file mode 100755
index 00000000000..f80966e08c9
--- /dev/null
+++ b/pkgs/development/libraries/libhsts/update.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq
+
+set -euo pipefail -x
+
+cd "$(dirname "$0")"
+
+chromium_version=$(curl -s "https://api.github.com/repos/chromium/chromium/tags" | jq -r 'map(select(.prerelease | not)) | .[1].name')
+sha256=$(nix-prefetch-url "https://raw.github.com/chromium/chromium/$chromium_version/net/http/transport_security_state_static.json")
+
+sed -e "0,/chromium_version/s/chromium_version = \".*\"/chromium_version = \"$chromium_version\"/" \
+    -e "0,/sha256/s/sha256 = \".*\"/sha256 = \"$sha256\"/" \
+  --in-place ./default.nix
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 86cefd9f946..806960b4ad4 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13841,6 +13841,8 @@ in
 
   libgit2-glib = callPackage ../development/libraries/libgit2-glib { };
 
+  libhsts = callPackage ../development/libraries/libhsts { };
+
   glbinding = callPackage ../development/libraries/glbinding { };
 
   gle = callPackage ../development/libraries/gle { };