Cloudflare supports HTTP Strict Transport Security (HSTS) to help protect visitors of your HTTPS web server from man-in-the-middle downgrade attacks, such as SSL stripping attacks.
Overview
HSTS is a web security mechanism that protects visitors of an HTTPS website against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of man-in-the-middle attack in which an attacker intercepts a browser's plain HTTP request and keeps the browser on unencrypted HTTP, or redirects it to a malicious server, instead of letting it reach the correctly configured HTTPS web server.
HSTS consists of an HTTP response header, Strict-Transport-Security, whose directives instruct compliant web browsers to:
- send every request for the site over HTTPS, rewriting any http:// URL to https:// before the request leaves the browser, and
- treat every TLS certificate warning for the site as a hard error that cannot be clicked through to view the website.
Refer to the prerequisites before enabling HSTS.
Prerequisites
Enabling HTTP Strict Transport Security (HSTS) improves the security of your website. However, there are important considerations to keep in mind:
- Enable HTTPS before HSTS. Browsers ignore a Strict-Transport-Security header received over plain HTTP, so the policy cannot take effect until the site is served over HTTPS.
- Once HSTS is enabled, HTTPS must remain enabled and correctly configured for the whole Max Age period, or visitors whose browsers have cached the policy cannot access your site.
Enable HSTS
To enable HSTS:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account for the domain requiring HSTS.
3. Ensure the proper domain is selected.
4. Click on the Cloudflare SSL/TLS app.
5. Click on the Edge Certificates tab.
6. Click Enable HSTS under the HTTP Strict Transport Security (HSTS) section.
7. A confirmation window appears. Review the warning content.
8. To proceed, click I Understand.
9. Click Next.
10. Configure HSTS settings appropriate for your domain. At a minimum, set Max Age Header to a non-zero value, otherwise HSTS is not enabled:

Setting Name | Description | Options
--- | --- | ---
Enable HSTS (Strict-Transport-Security) | Serves the Strict-Transport-Security header to browsers on all HTTPS responses. | Off / On
Max Age Header (max-age) | Specifies how long a browser enforces the HSTS policy after receiving the header. For that whole period, HTTPS must remain correctly configured for your website. | Disable, or a range from 1 to 12 months
Apply HSTS policy to subdomains (includeSubDomains) | Applies the HSTS policy received from a parent domain (example.com) to all of its subdomains (www.development.example.com or api.example.com). Every subdomain must therefore also be reachable over HTTPS. | Off / On
Preload | Adds the preload directive, which signals that the domain may be included in browsers' built-in HSTS preload lists. A preloaded domain is protected even on the very first visit; without preload, HSTS only takes effect after an initial successful HTTPS response carrying the header, so that first request can still be downgraded from HTTPS to HTTP. The directive alone does not add your domain to the list; the domain must additionally be submitted to the browser vendors' preload list, and removal from that list is slow. | Off / On
No-Sniff Header | Sends the X-Content-Type-Options: nosniff header, which stops browsers (originally Internet Explorer and Chrome) from MIME-sniffing a response and treating it as a content type other than the one declared in the Content-Type header. | Off / On

11. Click Save.
If your origin web server does not have a valid SSL certificate issued by a Certificate Authority, avoid these actions while HSTS is active, because each one sends browsers straight to the origin, where the certificate error becomes a hard, unbypassable failure:
- grey clouding the domain via the Cloudflare DNS app
- pausing the Cloudflare service via the Cloudflare Overview app
- pointing nameservers away from Cloudflare
Other actions to avoid include:
- redirecting HTTPS to HTTP (browsers with a cached HSTS policy upgrade the request back to HTTPS, so the site ends in a redirect loop)
- uploading a misconfigured custom SSL certificate, such as one that is:
  - invalid
  - expired
  - issued for a host name that does not match the domain
Disable HSTS
Follow the procedure below to disable HSTS on your domain:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account for the domain no longer requiring HSTS.
3. Ensure the proper domain is selected.
4. Click on the Cloudflare SSL/TLS app.
5. Click on the Edge Certificates tab.
6. Click Enable HSTS under the HTTP Strict Transport Security (HSTS) section.
7. A confirmation window appears. Review the warning content.
8. Click I Understand.
9. Click Next.
10. Set Max Age Header to 0 (Disable).
11. Click Save.
Setting Max Age Header to 0 makes Cloudflare serve max-age=0, which tells browsers to drop the cached policy. Browsers that have already cached your policy keep enforcing HTTPS until they receive that max-age=0 response over HTTPS, or until their cached Max Age expires, so keep HTTPS working on the domain throughout that period. Disabling HTTPS first locks those visitors out. If you also submitted the domain to the browser vendors' preload list, it stays protected until it is removed from the list in a later browser release.
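The following is an added example (not Cloudflare code) that models how a compliant browser handles the directives configured in the settings table above and the max-age=0 withdrawal used in the disable procedure: it parses a Strict-Transport-Security value per RFC 6797, ignores the header when it arrives over plain HTTP, upgrades http:// URLs for known hosts and their subdomains, expires entries, deletes an entry on max-age=0, and checks the preload-list eligibility rules published at hstspreload.org. The host names, header values and clock values are constructed for illustration.

```python
"""Minimal HSTS header parser and browser-side HSTS cache model (added example)."""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory, and a directive
    that appears twice makes the whole header invalid, so the browser ignores it.
    """
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')          # max-age="31536000" is legal
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = value
    if "max-age" not in seen or not re.fullmatch(r"\d+", seen["max-age"]):
        raise ValueError("max-age missing or not a non-negative integer")
    return HstsPolicy(
        max_age=int(seen["max-age"]),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def preload_eligible(p: HstsPolicy) -> bool:
    """Submission requirements of hstspreload.org: preload, includeSubDomains,
    and a max-age of at least one year (31536000 seconds)."""
    return p.preload and p.include_subdomains and p.max_age >= 31536000


class HstsCache:
    """Known-HSTS-host store, one entry per host, as a browser keeps it."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host: str, scheme: str, sts_header):
        """Record the policy carried by a response.

        A header received over plain HTTP is ignored (RFC 6797 section 8.1),
        which is why HTTPS must work before HSTS can take effect; max-age=0
        removes the cached entry, which is how the disable procedure works.
        """
        if scheme != "https" or sts_header is None:
            return
        p = parse_sts(sts_header)
        host = host.lower()
        if p.max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + p.max_age, p.include_subdomains)

    def is_known(self, host) -> bool:
        """True if host (or a parent with includeSubDomains) has a live policy."""
        if not host:
            return False
        host = host.lower()
        for known, (expiry, subs) in list(self.hosts.items()):
            if expiry <= self.now():
                del self.hosts[known]             # cached max-age has run out
                continue
            if host == known or (subs and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request is sent
        (port 80 becomes the default 443; other explicit ports are kept)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def tls_error_is_fatal(self, host) -> bool:
        """With a live policy, certificate errors cannot be clicked through."""
        return self.is_known(host)


if __name__ == "__main__":
    clock = [1_000.0]                              # constructed, fixed clock
    cache = HstsCache(now=lambda: clock[0])
    cache.observe("example.com", "http", "max-age=31536000")      # ignored
    print("after HTTP header:", cache.is_known("example.com"))
    cache.observe("example.com", "https", "max-age=31536000; includeSubDomains; preload")
    print(cache.rewrite("http://api.example.com/v1"))
    print("preload eligible:", preload_eligible(parse_sts("max-age=31536000; includeSubDomains; preload")))
    cache.observe("example.com", "https", "max-age=0")            # disable
    print("after max-age=0:", cache.is_known("example.com"))
```

Run with any Python 3 interpreter; the `__main__` section walks through the enable, upgrade and disable steps on the constructed clock so the output is deterministic.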
Related resources