Bobcares
Client Area
Emergency Support
Cloudflare | Latest

Cloudflare HSTS Settings | Essential Steps

by | Jun 19, 2022

Cloudflare HSTS settings protect HTTPS web servers against downgrade attacks.

Bobcares answers to all inquiries, big or small, as part of our Server Management service.

Let’s look at the Cloudflare HSTS settings in more detail.

Cloudflare HSTS settings

HSTS defends HTTPS servers against downgrade attacks. These attacks cause web browsers to be redirected from an HTTPS web server to a server controlled by the attacker, allowing bad actors to access user data and cookies.

HSTS adds an HTTP header to compliant web browsers that tells them to go to:

  • Convert HTTP links to HTTPS links.
  • Prevent users from ignoring SSL warnings in their browsers.

Review the requirements before enabling HSTS.

​​Requirements

In order for HSTS to function properly, we must:

  • Before HSTS, enable HTTPS so that browsers can accept the HSTS settings.
  • Ensure that HTTPS is enabled so that visitors can access the site securely.

To ensure that visitors can still access the site after we enabled HSTS, avoid the following actions:

  • DNS records are changed from proxied to DNS only.
  • Cloudflare is currently paused on the site.
  • The nameservers are being pointed away from Cloudflare.
  • Changing HTTPS to HTTP
  • SSL deactivation (invalid or expired certificates or certificates with mismatched host names)

If we disable HTTPS before disabling HSTS or before waiting for the original Max Age Header specified in the Cloudflare HSTS configuration to expire, we’ll have a problem. For the duration of the Max Age Header or until HTTPS is enabled, the website is inaccessible to visitors.

​​Enable HSTS

To enable HSTS for the website, follow these steps:

  1. Firstly, select the account from the Cloudflare dashboard.
  2. Then, select the website.
  3. Then, select SSL/TLS > Edge Certificates from the drop-down menu.
  4. Click Enable HSTS for HTTP Strict Transport Security (HSTS).
  5. After reading the dialogue, select I understand.
  6. Then, click Next.
  7. Then, Set the HSTS parameters.
  8. Finally, click Save.

​​Disable HSTS

To turn off HSTS on the website, go to:

  1. Firstly, Select the account from the Cloudflare dashboard.
  2. Then, Select the website.
  3. Then, Select SSL/TLS > Edge Certificates.
  4. Enable HSTS for HTTP Strict Transport Security (HSTS).
  5. Then, Set the Max Age Header to 0 (Disable).
  6. Set the No-Sniff header to Off if we previously enabled it and want to disable it.
  7. Finally, Click Save.

[Looking for a solution to another query? We are just a click away.]

Conclusion

To sum up, our Support team reviewed the Cloudflare HSTS settings in greater depth.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

Related posts:

  1. Cloudflare Modsecurity
  2. Cloudflare WAF false positives
  3. Cloudflare Origin Certificate Not Trusted : How to solve ?
  4. Cloudflare Automatic HTTPS Rewrites | How to enable

2 Comments

  1. Chip
    Chip on 2022-10-25 at 00:32

    Clouflare recommends 6 months for max-age but hstspreload .org 1 year.
    What value should I use?

    Reply
    • Hiba Razak
      Hiba Razak on 2022-10-31 at 16:28

      You can give 1 year as max-age value.

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. Cloudflare Modsecurity
  2. Cloudflare WAF false positives
  3. Cloudflare Origin Certificate Not Trusted : How to solve ?
  4. Cloudflare Automatic HTTPS Rewrites | How to enable

Never again lose customers to poor
server speed! Let us help you.

GET STARTED