Cloudflare Docs
SSL/TLS

HTTP Strict Transport Security (HSTS)

HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.

HSTS adds an HTTP header that directs compliant web browsers to:

  • Transform HTTP links to HTTPS links
  • Prevent users from bypassing SSL browser warnings

Before enabling HSTS, review the requirements.


Requirements

In order for HSTS to work as expected, you need to:

  • Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
  • Keep HTTPS enabled so visitors can access your site

Once you have enabled HSTS, avoid the following actions to ensure visitors can still access your site:

Enable HSTS

To enable HSTS using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), click Enable HSTS.
  5. Read the dialog and click I understand.
  6. Click Next.
  7. Configure the HSTS settings.
  8. Click Save.

To enable HSTS with the API, send a PATCH request with the value object that includes your HSTS settings.

Disable HSTS

To disable HSTS on your website:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), click Enable HSTS.
  5. Set the Max Age Header to 0 (Disable).
  6. If you previously enabled the No-Sniff header and want to remove it, set it to Off.
  7. Click Save.

Configuration settings

Name | Required | Description | Options
Enable HSTS (Strict-Transport-Security) | Yes | Serves HSTS headers to browsers for all HTTPS requests. | Off / On
Max Age Header (max-age) | Yes | Specifies the duration of a browser's HSTS policy and requires HTTPS on your website. | Disable, or a range from 1 to 12 months
Apply HSTS policy to subdomains (includeSubDomains) | No | Applies the HSTS policy from a parent domain to its subdomains. Subdomains are inaccessible if they do not support HTTPS. | Off / On
Preload | No | Permits browsers to automatically preload the HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible. | Off / On
No-Sniff Header | No | Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome from automatically detecting a content type other than those explicitly specified by the Content-Type header. | Off / On
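To confirm that the settings above actually reach browsers, a practitioner can fetch the site's response headers and check the Strict-Transport-Security and X-Content-Type-Options values they contain. The following added example (not Cloudflare's code) parses an HSTS header per RFC 6797 and flags a disabled policy, a missing nosniff header, and a preload flag set without the max-age of at least one year and includeSubDomains that the browser preload list requires; the sample headers are constructed, not captured from a real site.

```python
from dataclasses import dataclass

# Constructed sample response headers, as a browser would see them once the
# settings in the table above are enabled; not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}

# Minimum max-age the HSTS preload list requires (one year in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                raise ValueError(f"invalid max-age: {val!r}")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def audit(headers):
    """Return a list of findings; an empty list means the policy is sound."""
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]
    policy = parse_hsts(hsts)
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS (browsers drop the cached policy)")
    if policy.preload and (policy.max_age < PRELOAD_MIN_MAX_AGE or not policy.include_subdomains):
        findings.append("preload is set but max-age < 1 year or includeSubDomains missing")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not sent")
    return findings
```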