HTTP Strict Transport Security (HSTS)HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
- Transform HTTP links to HTTPS links
- Prevent users from bypassing SSL browser warnings
In order for HSTS to work as expected, you need to:
- Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
- Keep HTTPS enabled so visitors can access your site
Once you enabled HSTS, avoid the following actions to ensure visitors can still access your site:
- Changing your DNS records from
- on your site
- Pointing your nameservers away from Cloudflare
- Redirecting HTTPS to HTTP
- Disabling SSL (invalid or expired certificates or certificates with mismatched host names)
To enable HSTS for your website:
Log in to the Cloudflare dashboard and select your account.
Select your website.
Go to SSL/TLS > Edge Certificates.
For HTTP Strict Transport Security (HSTS), click Enable HSTS.
Read the dialog and click I understand.
To disable HSTS on your website:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), click Enable HSTS.
- Set the Max Age Header to 0 (Disable).
- If you previously enabled the No-Sniff header and want to remove it, set it to Off.
- Click Save.
|Enable HSTS (Strict-Transport-Security)||Yes||Serves HSTS headers to browsers for all HTTPS requests.||Off / On|
|Max Age Header (max-age)||Yes||Specifies duration for a browser HSTS policy and requires HTTPS on your website.||Disable, or a range from 1 to 12 months|
|Apply HSTS policy to subdomains (includeSubDomains)||No||Applies the HSTS policy from a parent domain to subdomains. Subdomains are inaccessible if they do not support HTTPS.||Off / On|
|Preload||No||Permits browsers to automatically preload HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible.||Off / On|
|No-Sniff Header||No||Sends the ||Off / On|