Does Cloudflare offer HSTS (HTTP Strict Transport Security)?

Cloudflare supports HTTP Strict Transport Security (HSTS) to help secure your HTTPS web server from a downgrade or SSL stripping attack.


Overview

HSTS (RFC 6797) is a web security policy technology that helps secure HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of man-in-the-middle attack in which an attacker can redirect web browsers from a correctly configured HTTPS web server to an attacker-controlled server.

HSTS consists of an HTTP response header with several parameters that directs compliant web browsers to strictly enforce web security practices: specifically, rewriting all HTTP links within an application to HTTPS, and upgrading all SSL errors from warnings or bypassable errors into non-bypassable errors.
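As an added illustration (not Cloudflare's code), the following Python models how an RFC 6797-compliant browser treats the Strict-Transport-Security header described above: it parses the directives, remembers the host for max-age seconds, and rewrites http:// links to https:// for that host and, with includeSubDomains, its subdomains. Host names and header values in the example are constructed; the same expiry logic is why a long max-age on a misconfigured site keeps affecting visitors until it runs out.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if a browser would ignore the header."""
    max_age, include_sub, seen = None, False, set()
    for raw in filter(None, (t.strip() for t in header.split(";"))):
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: a repeated directive invalidates the whole header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True  # other directives (e.g. "preload") are ignored by browsers
    if max_age is None:  # max-age is mandatory
        return None
    return max_age, include_sub

class HstsStore:
    """Model of a browser's known-HSTS-hosts cache: host -> (expires_at, include_subdomains)."""
    def __init__(self) -> None:
        self.hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str, now: float) -> None:
        """Record a policy from a response that arrived over HTTPS (plain-HTTP ones are ignored)."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when an unexpired policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url
```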


Enable HSTS

You can enable HSTS in the Crypto app of the Cloudflare dashboard.


Improperly configuring HSTS can have lasting effects on the availability of your site. Before enabling HSTS, carefully review the information described in both the Help link and the Acknowledgement that appear in the Cloudflare dashboard.

Contact Cloudflare Support if you need guidance in configuring HSTS.

