| pcx_content_type | title | weight | layout |
|---|---|---|---|
how-to |
HTTP Strict Transport Security (HSTS) |
4 |
wide |
HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
HSTS adds an HTTP header that directs compliant web browsers to:
- Transform HTTP links to HTTPS links
- Prevent users from bypassing SSL browser warnings
Before enabling HSTS, review the requirements.
{{
}}For more background information on HSTS, see the introductory blog post.
{{
}}{{}}
In order for HSTS to work as expected, you need to:
- Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
- Keep HTTPS enabled so visitors can access your site
Once you enabled HSTS, avoid the following actions to ensure visitors can still access your site:
- Changing your DNS records from Proxied to DNS only
- Pausing Cloudflare on your site
- Pointing your nameservers away from Cloudflare
- Redirecting HTTPS to HTTP
- Disabling SSL (invalid or expired certificates or certificates with mismatched hostnames)
{{
}}If you remove HTTPS before disabling HSTS or before waiting for the duration of the original Max Age Header specified in your Cloudflare HSTS configuration, your website becomes inaccessible to visitors for the duration of the Max Age Header or until you enable HTTPS.
{{
}}{{}} {{}}
To enable HSTS using the dashboard:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), select Enable HSTS.
- Read the dialog and select I understand.
- Select Next.
- Configure the HSTS settings.
- Select Save.
{{}} {{}}
To enable HSTS with the API, send a PATCH request with security_header as the setting name in the URI path, and specify the value object that includes your HSTS settings.
{{}} {{}}
{{
}}To enable HSTS on a specific subdomain only, configure a subdomain setup. Alternatively, you can add the appropriate HSTS header at the origin, or use an HTTP response header modification rule.
{{
}}To disable HSTS on your website:
- Log in to the Cloudflare dashboard and select your account.
- Select your website.
- Go to SSL/TLS > Edge Certificates.
- For HTTP Strict Transport Security (HSTS), select Enable HSTS.
- Set the Max Age Header to 0 (Disable).
- If you previously enabled the No-Sniff header and want to remove it, set it to Off.
- Select Save.
| Name | Required | Description | Options |
|---|---|---|---|
| Enable HSTS (Strict-Transport-Security) | Yes | Serves HSTS headers to browsers for all HTTPS requests. HTTP (non-secure) requests will not contain the header. | Off / On |
| Max Age Header (max-age) | Yes | Specifies duration for a browser HSTS policy and requires HTTPS on your website. | Disable, or a range from 1 to 12 months |
| Apply HSTS policy to subdomains (includeSubDomains) | No | Applies the HSTS policy from a parent domain to subdomains. Subdomains are inaccessible if they do not support HTTPS. | Off / On |
| Preload | No | Permits browsers to automatically preload HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible. | Off / On |
| No-Sniff Header | No |
Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer
and Chrome from automatically detecting a content type other than those explicitly specified
by the Content-Type header.
|
Off / On |
{{
}}Once HSTS Preload is configured, submit requests for addition to each browser’s preload list. Chrome, Firefox/Mozilla, and Safari use the Chrome preload list. A minimum Max Age Header of 12 months is required for inclusion in HSTS preload lists.
{{
}}