HTTP Strict Transport Security – enable via CloudFlare

A relatively new term in the world of web security is HTTP Strict Transport Security (HSTS). Now that you have searched for it, you might be curious about what it is and if its required.

HTTP Strict Transport Security (HSTS) is basically a web security policy mechanism whose primary job is to protect the website’s from protocol downgrade attacks and cookie hijacking.

The HTTP response header sent to user agent from the server contains a field named “Strict-Transport-Security” over which the HSTS Policy is communicated. In short, HSTS Policy specifies a period of time during which the user agent should only access the server in a secure manner.

For example, we can configure a server to send a header such that future requests to the domain for the next 3 months (max-age is specified in seconds, max-age=7776000 is approximately3 months) use only HTTPS.

When a web application/ website issues an HSTS Policy to its users, the user agents are required to behave as follows:

1) It automatically turns up any insecure links (http://) referencing the web application into secure links (https://). (For instance, will be modified to before accessing the server.) If the security of the connection cannot be ensured (e.g. the server’s TLS certificate is not trusted), it displays an error message and does not allow the user to access the web application. It completely disallows the visitor from accessing the website unlike the case when expired / self signed certificates show warning but still allow visitors.

2) The HSTS Policy helps protect web application / website users against some passive (eavesdropping) and active network attacks. In simpler terms, man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user’s browser has HSTS Policy in effect for that web application.


So, is it possible to enable HTTP Strict Transport Security if you are using CloudFlare nameservers. Yes, you can.

Read below to find out how.

Before enabling, you should keep in mind the following points.

1) If you turn on HSTS and do not have HTTPS for your website, browsers will not accept the HSTS setting.

2) If you have HSTS enabled and leave CloudFlare, you need to continue to support HTTPS through a new service provider otherwise your site will become inaccessible to visitors until you support HTTPS again.

3) If you turn off CloudFlare’s HTTPS while HSTS is enabled, and you don’t have a valid SSL certificate on your origin server, your website will become inaccessible to visitors.

If you need to disable HTTPS on your domain, you must first disable HSTS in your CloudFlare dashboard and wait for the max-age to lapse to guarantee that every browser is aware of this change before you can disable HTTPS. The average max-age is six months (you can set the max-age in the next step). If you remove HTTPS before disabling HSTS your website will become inaccessible to visitors for up to the max-age or until you support HTTPS again. Because disabling HTTPS on an HSTS enabled website can have these consequences, we strongly suggest that you have a committed HTTPS service in place before enabling this feature.

Assuming, you have a Full SSL configuration active via CloudFlare, follow the steps below to activate HSTS.


  1. Login to CloudFlare panel >> Crypto




2. Now scroll down to HTTP Strict Transport Security (HSTS) and click the blue ‘Change HSTS Settings’ box.




3. Now, change the settings as follows:

Turn ON the Checkbox for Enable HSTS (Strict-Transport-Security). 

The Max Age Header (max-age) is the time the info is cached in systems. I suggest you to keep this as 0 first and after testing and making sure everything is fine, increase it to a higher value.

Keep the Apply HSTS policy to subdomains (includeSubDomains) as OFF. We dont want a subdomain we create being rendered blank just because we dont have an SSL generated at that time. Do we 😉

The rest of the settings, you can set as of your choice. The content explanation is self explaining. The settings I did is as below.



Now, save the configuration and everything should be fine.


You can check if HSTS is configured correctly checking the header of the website. You can check the header via the Browser or by checking its curl output. Here is mine

learnt@mysys$ curl -IL 2> /dev/null | grep ‘Strict-Transport-Security’

Strict-Transport-Security: max-age=7776000; preload

Hope this helps. If you face any difficulties, let me know.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.