English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

Understanding HSTS (HTTP Strict Transport Security)

  • Updated

Cloudflare supports HTTP Strict Transport Security (HSTS) to help secure your HTTPS web server from on-path downgrade attacks, such as SSL stripping attacks.

Overview

HSTS is a web security technology that secures HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of on-path attack in which an attacker redirects web browsers from a correctly configured HTTPS web server to a malicious server.

HSTS consists of an HTTP header with several parameters that direct compliant web browsers to:

  • turn all HTTP links into HTTPS links, and
  • upgrade all browser SSL warnings into errors that cannot be bypassed to view the website.

Refer to the prerequisites before enabling HSTS.

Prerequisites

Enabling HTTP Strict Transport Security (HSTS) improves the security of your website. However, there are important considerations to keep in mind:

  • Enable HTTPS before HSTS or browsers cannot accept your HSTS settings.
  • Once HSTS is enabled, HTTPS must remain enabled or visitors cannot access your site.

Enable HSTS

If SSL or HTTPS is disabled while HSTS is enabled, visitors cannot access your site for the duration specified by the Max Age Header. For example, if the Max Age Header is set to 6 months and you disable HTTPS 2 months after enabling HSTS, browsers that visited your site while HSTS was enabled cannot visit your site for another 4 months unless HTTPS is again enabled.

To enable HSTS:

  1. Log in to the Cloudflare dashboard.
  2. Click the appropriate Cloudflare account for the domain requiring HSTS.
  3. Ensure the proper domain is selected.
  4. Click on the Cloudflare SSL/TLS app.
  5. Click on the Edge Certificates tab.
  6. Click Enable HSTS under the HTTP Strict Transport Security (HSTS) section.
  7. A confirmation window appears. Review the warning content.
  8. To proceed, click I Understand.
  9. Click Next.
  10. Configure HSTS settings appropriate for your domain.  At least configure Max Age Header in order to enable HSTS: type: embedded-entry-inline id: 5bhR1Q3aG03c7uwlQk0Nof
  11. Click Save.

Once HSTS Preload is configured, submit requests for addition to each browser’s preload list. Chrome, Firefox/Mozilla and Safari use the Chrome preload list. A minimum Max Age Header of 12 months is required for inclusion in HSTS preload lists.

The actions listed below disable HTTPS and must be avoided while HSTS is enabled.

If your origin web server does not have a valid SSL certificate provided by a Certificate Authority, avoid these actions:

Other actions to avoid include

  • redirecting HTTPS to HTTP
  • uploading a misconfigured containing:
    • invalid SSL certificates
    • expired certificates
    • mismatched host names

Disable HSTS

If you remove HTTPS before disabling HSTS or before waiting for the duration of the original Max Age Header specified in your Cloudflare HSTS configuration, your website becomes inaccessible to visitors for the duration of the Max-Age Header or until you enable HTTPS.

Follow the procedure below to disable HTTPS on your domain:

  1. Log in to the Cloudflare dashboard.
  2. Click the appropriate Cloudflare account for the domain no longer requiring HSTS.
  3. Ensure the proper domain is selected.
  4. Click on the Cloudflare SSL/TLS app.
  5. Click Enable HSTS under the HTTP Strict Transport Security (HSTS) section.
  6. A confirmation window appears. Review the warning content.
  7. Click I Understand.
  8. Click Next.
  9. Set Max Age Header to 0 (Disable).

The No-Sniff Header is still set even when HSTS is disabled unless you explicitly disable the No-Sniff header.

Related resources

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request

Related articles

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request