Understanding HSTS (HTTP Strict Transport Security)

Cloudflare supports HTTP Strict Transport Security (HSTS) to help secure your HTTPS web server from man-in-the-middle downgrade attacks, such as SSL stripping attacks.


Overview

HSTS is a web security technology that secures HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of man-in-the-middle attack in which an attacker redirects web browsers from a correctly configured HTTPS web server to a malicious server.

HSTS consists of an HTTP header with several parameters that direct compliant web browsers to:

  • turn all HTTP links into HTTPS links, and
  • upgrade all browser SSL warnings into errors that cannot be bypassed to view the website.

Refer to the prerequisites before enabling HSTS.


Prerequisites

Enabling HTTP Strict Transport Security (HSTS) improves the security of your website. However, there are important considerations to keep in mind:

  • Enable HTTPS before HSTS or browsers cannot accept your HSTS settings.
  • Once HSTS is enabled, HTTPS must remain enabled or visitors cannot access your site.

Enable HSTS

If SSL or HTTPS is disabled while HSTS is enabled, visitors cannot access your site for the duration specified by the Max Age Header. For example, if the Max Age Header is set to 6 months and you disable HTTPS 2 months after enabling HSTS, browsers that visited your site while HSTS was enabled cannot visit your site for another 4 months unless HTTPS is again enabled.

To enable HSTS:

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account for the domain requiring HSTS.

3. Ensure the proper domain is selected.

4. Click on the Cloudflare Crypto app.

5. Click Enable HSTS under the HTTP Strict Transport Security (HSTS) section.

6. A confirmation window appears. Review the warning content.

7. To proceed, click I Understand.

8. Click Next.

9. Configure HSTS settings appropriate for your domain. At least configure Max Age Header in order to enable HSTS:

   Enable HSTS (Strict-Transport-Security)
     Description: Serves HSTS headers to browsers for all HTTPS requests.
     Options: Off / On

   Max Age Header (max-age)
     Description: Specifies the duration a browser enforces HSTS policy and requires HTTPS to be configured properly for your website.
     Options: Disable, or a range from 1 to 12 months

   Apply HSTS policy to subdomains (includeSubDomains)
     Description: Applies the HSTS policy from a parent domain (example.com) to subdomains (www.development.example.com or api.example.com). Your subdomains become inaccessible if they do not support HTTPS.
     Options: Off / On

   Preload
     Description: Permits browsers to automatically preload HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Without preload, HSTS is only set after an initial successful HTTPS request. Preload can make a website without HTTPS support completely inaccessible.
     Options: Off / On

   No-Sniff Header
     Description: Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome browsers from automatically detecting a content type other than the one explicitly specified by the Content-Type header.
     Options: Off / On

10. Click Save.

Once HSTS Preload is configured, submit requests for addition to each browser’s preload list. Chrome, Firefox/Mozilla and Safari use the Chrome preload list. A minimum Max Age Header of 12 months is required for inclusion in HSTS preload lists.

The actions listed below disable HTTPS and must be avoided while HSTS is enabled.

If your origin web server does not have a valid SSL certificate provided by a Certificate Authority, avoid these actions:

Other actions to avoid include:

  • redirecting HTTPS to HTTP
  • uploading a misconfigured custom SSL certificate containing:
    • invalid SSL certificates
    • expired certificates
    • mismatched host names

Disable HSTS

If you remove HTTPS before disabling HSTS or before waiting for the duration of the original Max Age Header specified in your Cloudflare HSTS configuration, your website becomes inaccessible to visitors for the duration of the Max Age Header or until you enable HTTPS.

Follow the procedure below to disable HSTS on your domain:

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account for the domain no longer requiring HSTS.

3. Ensure the proper domain is selected.

4. Click on the Cloudflare Crypto app.

5. Click Enable HSTS under the HTTP Strict Transport Security (HSTS) section.

6. A confirmation window appears. Review the warning content.

7. Click I Understand.

8. Click Next.

9. Set Max Age Header to 0 (Disable).


Related resources

Enforce Web Policy With HSTS
