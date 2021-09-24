
HTTP Strict Transport Security (HSTS)

HSTS protects HTTPS web servers from downgrade attacks. In a downgrade attack, an attacker on the network path redirects a web browser away from the HTTPS web server to plain HTTP or to an attacker-controlled server, allowing bad actors to read or modify user data and cookies.

HSTS adds an HTTP header that directs compliant web browsers to:

  • Transform HTTP links to HTTPS links
  • Prevent users from bypassing SSL browser warnings

Before enabling HSTS, review the requirements.

Requirements

In order for HSTS to work as expected, you need to:

  • Have enabled HTTPS before HSTS, because browsers only accept the HSTS header over an HTTPS connection
  • Keep HTTPS enabled for the whole max-age period, because browsers that have stored the policy refuse to load your site over HTTP

Once you have enabled HSTS, avoid the following actions to ensure visitors can still access your site:

Enable HSTS

To enable HSTS for your website:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), click Enable HSTS.
  5. Read the dialog and click I understand.
  6. Click Next.
  7. Configure the HSTS settings.
  8. Click Save.

Disable HSTS

To disable HSTS on your website:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), click Enable HSTS.
  5. Set the Max Age Header to 0 (Disable).
  6. If you previously enabled the No-Sniff header and want to remove it, set it to Off.
  7. Click Save.

Configuration settings

| Name | Required | Description | Options |
| --- | --- | --- | --- |
| Enable HSTS (Strict-Transport-Security) | Yes | Serves HSTS headers to browsers for all HTTPS requests. | Off / On |
| Max Age Header (max-age) | Yes | Specifies the duration of a browser's HSTS policy and requires HTTPS on your website. | Disable, or a range from 1 to 12 months |
| Apply HSTS policy to subdomains (includeSubDomains) | No | Applies the HSTS policy from a parent domain to its subdomains. Subdomains are inaccessible if they do not support HTTPS. | Off / On |
| Preload | No | Permits browsers to automatically preload the HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible. | Off / On |
| No-Sniff Header | No | Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome from automatically detecting a content type other than the one explicitly specified by the Content-Type header. | Off / On |
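The settings in the table above map directly onto directives of the Strict-Transport-Security header that the browser parses, and the "Max Age Header = 0 (Disable)" step in the Disable HSTS procedure is what tells browsers to forget a stored policy. The following added example (written for this page; it is not Cloudflare code and does not use the Cloudflare API) parses a response's HSTS and X-Content-Type-Options headers the way a compliant browser would, reports which of the table's options are in effect, and treats max-age=0 as "policy cleared". The sample responses are constructed, not captured traffic; the preload-eligibility thresholds are the published hstspreload.org submission requirements, not a Cloudflare setting.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses (header name -> value), as a browser would see
# them after a successful TLS handshake. Illustrative only, not captured traffic.
SAMPLE_RESPONSES = {
    "enabled": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff",
    },
    # What the dashboard's "Max Age Header = 0 (Disable)" setting produces:
    # browsers that already hold a policy for the host drop it.
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "missing": {},
}


@dataclass
class HstsPolicy:
    max_age: int            # seconds the browser keeps the policy
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value using RFC 6797 syntax.

    Returns None if the header is malformed. max-age is mandatory, directive
    names are case-insensitive, the max-age value may be quoted, and unknown
    directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            # A duplicate or non-numeric max-age makes the whole header invalid.
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(headers: dict) -> dict:
    """Report what a compliant browser would do with these response headers."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    report = {
        "hsts_present": False,      # a valid header was served
        "policy_active": False,     # browser will upgrade HTTP -> HTTPS for this host
        "max_age_days": 0,
        "subdomains_covered": False,
        "preload_eligible": False,
        "nosniff": False,
    }
    raw = lower.get("strict-transport-security")
    if raw is not None:
        policy = parse_hsts(raw)
        if policy is not None:
            report["hsts_present"] = True
            # max-age=0 is the "forget this policy" signal, so nothing is active.
            report["policy_active"] = policy.max_age > 0
            report["max_age_days"] = policy.max_age // 86400
            report["subdomains_covered"] = policy.include_subdomains and policy.max_age > 0
            # hstspreload.org submission requirements (assumed as documented there):
            # max-age of at least one year, includeSubDomains and preload all set.
            report["preload_eligible"] = (
                policy.max_age >= 31536000 and policy.include_subdomains and policy.preload
            )
    nosniff_value = lower.get("x-content-type-options", "").strip().lower()
    report["nosniff"] = nosniff_value == "nosniff"
    return report


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, evaluate(headers))
```

Run it against a real site by replacing a SAMPLE_RESPONSES entry with the headers from your own HTTPS response; a report with `hsts_present` True but `policy_active` False means the server is serving max-age=0, which is the state the Disable HSTS procedure leaves you in while browsers expire any stored policy.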