HTTP Strict Transport Security (HSTS)
HSTS protects HTTPS web servers from downgrade attacks. In a downgrade (SSL-stripping) attack, an on-path attacker rewrites or redirects a browser's connection from your HTTPS site to plain HTTP, often through an attacker-controlled server, so that user data and session cookies cross the network unencrypted. HSTS adds an HTTP response header (Strict-Transport-Security) that directs compliant web browsers to:
- Transform HTTP links to HTTPS links before the request is sent, for as long as the policy's max-age has not expired
- Prevent users from bypassing SSL browser warnings (a certificate error cannot be clicked through while a policy is in effect)
 
Before enabling HSTS, review the requirements.
Requirements
In order for HSTS to work as expected, you need to:
- Enable HTTPS before enabling HSTS. Browsers only accept a Strict-Transport-Security header that arrives over an HTTPS connection with a valid certificate; a header sent over plain HTTP is ignored.
- Keep HTTPS enabled for at least as long as the max-age you serve, because browsers that cached the policy will refuse to fall back to HTTP.
 
Once you have enabled HSTS, avoid the following actions to ensure visitors can still access your site:
- Changing your DNS records from Proxied to DNS only (the origin must then serve valid HTTPS itself)
- Pausing Cloudflare on your site
- Pointing your nameservers away from Cloudflare
- Redirecting HTTPS to HTTP
- Letting your certificate become invalid (expired, revoked, or with a hostname that does not match), since visitors cannot bypass the resulting browser error while the HSTS policy is cached
 
Enable HSTS
To enable HSTS using the dashboard:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), click Enable HSTS.
- Read the dialog and click I understand.
- Click Next.
- Configure the HSTS settings.
- Click Save.
 
To enable HSTS with the API, send a PATCH request whose value object contains the same HSTS settings the dashboard exposes (with the max-age expressed in seconds rather than months).
Disable HSTS
To disable HSTS on your website:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), click Enable HSTS to open the settings.
- Set the Max Age Header to 0 (Disable).
- If you previously enabled the No-Sniff header and want to remove it, set it to Off.
- Click Save.

Setting max-age to 0 tells browsers that receive the new header to discard the cached policy, but browsers that do not visit your site keep the old policy until its max-age runs out. Keep valid HTTPS working for at least as long as the longest max-age you previously served. If you enabled Preload and your domain was submitted to the browser preload lists, setting max-age to 0 does not remove it; removal from the preload list is a separate process that can take months to reach all browsers.
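The API path for enabling and disabling HSTS, as an added example rather than code from the Cloudflare documentation. It assumes the zone setting is called security_header, reached at PATCH /client/v4/zones/{zone_id}/settings/security_header, and that its value object uses the keys enabled, max_age (seconds), include_subdomains, preload and nosniff; verify these names against the current Cloudflare API reference before use. The zone ID and token below are placeholders.

```python
"""Build and send the PATCH request that enables or disables HSTS on a zone.

Added example, not Cloudflare's own code. The endpoint and the field names of
the value object are assumptions to check against the Cloudflare API reference.
"""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"  # assumed API base URL
ONE_YEAR = 31536000  # seconds; the minimum max-age accepted by hstspreload.org


def hsts_value(max_age_seconds, include_subdomains=False, preload=False, nosniff=False):
    """Return the `value` object for the security_header setting.

    max_age_seconds=0 disables HSTS: a browser that receives max-age=0 over
    HTTPS discards any policy it cached for the host. Field names are assumed.
    """
    if max_age_seconds < 0:
        raise ValueError("max-age cannot be negative")
    if preload and (max_age_seconds < ONE_YEAR or not include_subdomains):
        # The preload list requires at least one year and includeSubDomains;
        # sending preload without them only advertises an ineligible policy.
        raise ValueError("preload requires max-age >= 31536000 and includeSubDomains")
    return {
        "strict_transport_security": {
            "enabled": max_age_seconds > 0,
            "max_age": max_age_seconds,
            "include_subdomains": include_subdomains,
            "preload": preload,
            "nosniff": nosniff,
        }
    }


def build_request(zone_id, api_token, value):
    """Build (but do not send) the PATCH request so it can be inspected offline."""
    body = json.dumps({"value": value}).encode()
    return urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/settings/security_header",  # assumed path
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
    )


def apply_hsts(zone_id, api_token, value):
    """Send the request and return the `result` object, raising on API errors."""
    with urllib.request.urlopen(build_request(zone_id, api_token, value), timeout=30) as resp:
        reply = json.load(resp)
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
    return reply["result"]


if __name__ == "__main__":
    # Placeholders: replace with a real zone ID and an API token scoped to
    # Zone Settings:Edit. Six months, subdomains included, no preload.
    value = hsts_value(15552000, include_subdomains=True, nosniff=True)
    print(json.dumps({"value": value}, indent=2))
    # apply_hsts("ZONE_ID", "API_TOKEN", value)   # uncomment to send
    # apply_hsts("ZONE_ID", "API_TOKEN", hsts_value(0))  # disable
```

Disabling is the same call with a max-age of 0; the function refuses to build a preload-flagged policy that the preload list would reject, which the dashboard itself does not prevent.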
 
Configuration settings
| Name | Required | Description | Options |
|---|---|---|---|
| Enable HSTS (Strict-Transport-Security) | Yes | Serves the Strict-Transport-Security header to browsers on all HTTPS responses (never on plain HTTP, where browsers would ignore it). | Off / On |
| Max Age Header (max-age) | Yes | How long, via the max-age directive, a browser remembers to use HTTPS only for your site. Your site must remain reachable over valid HTTPS for the whole period. | Disable, or a range from 1 to 12 months |
| Apply HSTS policy to subdomains (includeSubDomains) | No | Applies the policy served by the parent domain to all of its subdomains, including ones that are DNS only or hosted elsewhere. Any subdomain that does not support HTTPS becomes inaccessible. | Off / On |
| Preload | No | Adds the preload directive, which marks the site as eligible for the HSTS preload lists built into browsers (submission to the list is a separate step). A preloaded site is protected even on a user's very first request, so an attacker cannot downgrade it before the header has ever been seen. Preload can make a website without HTTPS completely inaccessible and is hard to undo. | Off / On |
| No-Sniff Header | No | Sends the X-Content-Type-Options: nosniff header, which stops browsers (originally Internet Explorer and Chrome) from guessing a content type other than the one declared in the Content-Type header. | Off / On |
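A checker for what a site actually serves, as an added example rather than code from the Cloudflare documentation: it parses the Strict-Transport-Security header, maps it back onto the settings in the table above, and flags the failure modes a practitioner wants to catch (header only on HTTP, max-age of 0, a policy not eligible for preload, No-Sniff off). The sample responses are constructed for the example; fetch_headers is a minimal live probe and makes a network request.

```python
"""Parse and sanity-check a site's Strict-Transport-Security header.

Added example, not Cloudflare's own code. Sample responses are constructed.
"""
import http.client
import re

ONE_YEAR = 31536000  # minimum max-age for the browser preload lists


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict.

    Directive names are case-insensitive and unknown directives are ignored,
    as RFC 6797 requires; max-age is mandatory and may be quoted.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                raise ValueError(f"bad max-age value: {value!r}")
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def check_response(scheme, headers, want_preload=False):
    """Return a list of findings for one response.

    scheme is 'http' or 'https'; headers maps lower-cased names to values.
    """
    findings = []
    hsts = headers.get("strict-transport-security")
    if scheme != "https":
        if hsts is not None:
            findings.append("HSTS header sent over plain HTTP is ignored by browsers; "
                            "only the header on the HTTPS response counts")
        return findings
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] == 0:
        findings.append("max-age=0: browsers drop the cached policy (HSTS disabled)")
    if want_preload:
        if policy["max_age"] < ONE_YEAR:
            findings.append(f"preload needs max-age >= {ONE_YEAR}, got {policy['max_age']}")
        if not policy["include_subdomains"]:
            findings.append("preload needs includeSubDomains")
        if not policy["preload"]:
            findings.append("preload directive missing")
    if headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("No-Sniff header is off (X-Content-Type-Options: nosniff absent)")
    return findings


def fetch_headers(host, scheme="https", path="/"):
    """Live probe: HEAD the host and return lower-cased response headers.

    Does not follow redirects, so an HTTP-to-HTTPS redirect is seen as-is.
    """
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample responses for a site with a six-month policy.
SAMPLE = {
    "https": {"strict-transport-security": "max-age=15552000; includeSubDomains",
              "x-content-type-options": "nosniff"},
    "http": {"strict-transport-security": "max-age=15552000"},
}

if __name__ == "__main__":
    for scheme, headers in SAMPLE.items():
        print(scheme, check_response(scheme, headers, want_preload=True))
```

Run it against fetch_headers("example.com", "https") and fetch_headers("example.com", "http") to compare what a browser would see on each scheme; the HTTP response should carry a redirect to HTTPS and the HTTPS response the policy.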