What Is It?
HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of man-in-the-middle attack in which an attacker can redirect web browsers from a correctly configured HTTPS web server to an attacker-controlled server.
HSTS consists of an HTTP response header with several parameters which causes compliant browsers to strictly enforce web security practices: specifically, the browser rewrites every plain-HTTP request to the site into an HTTPS request before it is sent, and treats every SSL/TLS error for the site as a hard, non-bypassable failure rather than a warning the user can click through.
How Do I Enable It?
Customers that want to enable HSTS can do so in their SSL settings, which can be found under the Crypto option of their account page.
Improperly configuring HSTS can have lasting effects on the availability of your site. Before enabling HSTS you should ensure that the SSL configuration for your site is stable, and remains so for the duration of the HSTS policy.
If your site becomes inaccessible over HTTPS at any point whilst HSTS is enabled and a policy is cached in a visitor's browser, your site will be completely inaccessible to that visitor (even over HTTP), because the browser rewrites HTTP requests to HTTPS and refuses to bypass the resulting error. Access is restored only once the site is reachable over HTTPS again, or the HSTS policy expires or is purged from the visitor's browser cache.
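The two behaviours described above (HTTP-to-HTTPS rewriting with hard TLS failures, and the lockout that follows when HTTPS breaks while a policy is cached) can be seen in a small model of a browser's HSTS cache. The following is an added example, not code from the Cloudflare article; the header name (Strict-Transport-Security) and the max-age and includeSubDomains directives are from RFC 6797, while the host names, timestamps and the simulated HTTPS outage are constructed for illustration.

```python
# Added example (not from the original article): a minimal model of how a
# compliant browser caches and enforces an HSTS policy. Header name and
# directives follow RFC 6797; hosts, timestamps and the outage are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    expires_at: float        # absolute time (seconds) after which the policy is forgotten
    include_subdomains: bool


def parse_hsts_header(host: str, header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. A header without a usable
    max-age is ignored (RFC 6797 s6.1.1). max-age=0 yields an already-expired
    policy, which is how a site tells browsers to drop a cached one."""
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_subdomains)


class BrowserHstsCache:
    """The browser-side store of "known HSTS hosts" (RFC 6797)."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, header: str, now: float, over_https: bool = True) -> None:
        """Only responses received over an error-free HTTPS connection may
        set or refresh a policy (RFC 6797 s7.2); plain-HTTP ones are ignored."""
        if not over_https:
            return
        policy = parse_hsts_header(host, header, now)
        if policy is None:
            return
        if policy.expires_at <= now:
            self._policies.pop(policy.host, None)   # max-age=0 purges the entry
        else:
            self._policies[policy.host] = policy

    def policy_for(self, host: str, now: float) -> Optional[HstsPolicy]:
        """Exact host match, or a parent domain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._policies[candidate]       # expired: forget it
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// for a known HSTS host before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.policy_for(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"              # non-default ports are preserved
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def navigate(cache: BrowserHstsCache, url: str, now: float, https_healthy: Set[str]) -> str:
    """Outcome of one navigation. `https_healthy` stands in for a real
    connection: hosts in it serve valid HTTPS right now, all others fail."""
    url = cache.rewrite_url(url, now)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "http":
        return "loaded over plain HTTP"
    if host in https_healthy:
        return "loaded over HTTPS"
    if cache.policy_for(host, now):
        return "hard failure: HSTS forbids bypassing the TLS error"
    return "TLS error shown; user may click through"


def simulate_outage():
    """Constructed timeline: a one-year policy is set, HTTPS breaks a month
    later, and the policy eventually expires."""
    cache = BrowserHstsCache()
    t0 = 1_700_000_000.0                        # constructed epoch timestamp
    healthy = {"example.com", "www.example.com"}
    cache.observe_response("example.com", "max-age=31536000; includeSubDomains", t0)
    before = navigate(cache, "http://www.example.com/login", t0 + 60, healthy)
    healthy = set()                             # day 30: certificate expired, HTTPS down
    t1 = t0 + 30 * 86400
    during = navigate(cache, "http://example.com/", t1, healthy)
    subdomain = navigate(cache, "http://www.example.com/login", t1, healthy)
    after = navigate(cache, "http://example.com/", t0 + 366 * 86400, healthy)
    return before, during, subdomain, after


if __name__ == "__main__":
    for label, outcome in zip(("before", "during", "subdomain", "after"), simulate_outage()):
        print(f"{label:10} {outcome}")
```

Running the script walks through the timeline: while HTTPS works, an http:// link is silently upgraded; once HTTPS breaks, both the apex and the includeSubDomains-covered subdomain are unreachable even when the visitor types http://, and only after max-age elapses does the browser fall back to plain HTTP. The same model shows the two recovery paths the article mentions: waiting out max-age, or serving max-age=0 over a working HTTPS connection to purge the cached entry.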
If you have any queries before enabling this, please reach out to [email protected] and our support team will be happy to take a look for you.
Additional information about Cloudflare's HSTS support can be found in our blog post here: Enforce Web Policy With HSTS