HTTP Strict Transport Security (HSTS)
HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
HSTS adds an HTTP header that directs compliant web browsers to:
- Transform HTTP links to HTTPS links
- Prevent users from bypassing SSL browser warnings
Before enabling HSTS, review the requirements.
Availability
 | Free | Pro | Business | Enterprise |
---|---|---|---|---|
Availability | Yes | Yes | Yes | Yes |
Requirements
In order for HSTS to work as expected, you need to:
- Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
- Keep HTTPS enabled so visitors can access your site
Once you have enabled HSTS, avoid the following actions to ensure visitors can still access your site:
- Changing your DNS records from Proxied to DNS only
- Pausing Cloudflare on your site
- Pointing your nameservers away from Cloudflare
- Redirecting HTTPS to HTTP
- Disabling SSL (invalid or expired certificates or certificates with mismatched hostnames)
Enable HSTS
To enable HSTS using the dashboard:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), select Enable HSTS.
- Read the dialog and select I understand.
- Select Next.
- Configure the HSTS settings.
- Select Save.
To enable HSTS with the API, send a PATCH request with the value object that includes your HSTS settings.
Disable HSTS
To disable HSTS on your website:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), select Enable HSTS.
- Set the Max Age Header to 0 (Disable).
- If you previously enabled the No-Sniff header and want to remove it, set it to Off.
- Select Save.
Configuration settings
Name | Required | Description | Options |
---|---|---|---|
Enable HSTS (Strict-Transport-Security) | Yes | Serves HSTS headers to browsers for all HTTPS requests. HTTP (non-secure) requests will not contain the header. | Off / On |
Max Age Header (max-age) | Yes | Specifies duration for a browser HSTS policy and requires HTTPS on your website. | Disable, or a range from 1 to 12 months |
Apply HSTS policy to subdomains (includeSubDomains) | No | Applies the HSTS policy from a parent domain to subdomains. Subdomains are inaccessible if they do not support HTTPS. | Off / On |
Preload | No | Permits browsers to automatically preload HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible. | Off / On |
No-Sniff Header | No | Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome from automatically detecting a content type other than those explicitly specified by the Content-Type header. | Off / On |
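
To check what a site actually serves against the settings in the table above, the following added example (not Cloudflare's code) parses a Strict-Transport-Security value following RFC 6797 and reports risky combinations. The function names, the sample headers, and the one-year preload threshold (taken from the hstspreload.org submission requirements, not from this page) are assumptions of the example.

```python
# Added example; the sample headers at the bottom are constructed.
PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org submission minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if not name:
            continue
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Any other directive is ignored, as the RFC requires.
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def audit(headers):
    """Return findings for the headers of one HTTPS response."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    p = parse_hsts(raw)
    findings = []
    if p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the stored policy")
    if p["preload"] and not p["include_subdomains"]:
        findings.append("preload set without includeSubDomains")
    if p["preload"] and 0 < p["max_age"] < PRELOAD_MIN_AGE:
        findings.append("preload set with max-age under one year")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not sent")
    return findings

SAMPLE = {"Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload",
          "X-Content-Type-Options": "nosniff"}  # constructed
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed `audit` the headers of an HTTPS response only, since the header is not served on HTTP requests.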