How to easily enable HSTS with Cloudflare
Matt B, April 16, 2024

Table of Contents
Intro
What is HSTS?
Why would I use HSTS?
Check if HSTS is enabled
How to enable HSTS with Cloudflare
Verifying the change was successful
Wrapping up

Intro
If you need to enable HSTS with Cloudflare, this guide will show you how. It is a very easy change to make and a quick way to improve your website's security for free.

What is HSTS?
HSTS stands for HTTP Strict Transport Security (RFC 6797). It is a policy your site sends to the browser in a Strict-Transport-Security response header. A compliant browser that has received the header over HTTPS rewrites any http:// request for that host to https:// before sending it, for as long as the header's max-age says. HSTS also stops users from bypassing certificate warnings: normally, if you visit a site whose certificate is invalid, the browser lets you click a button to proceed anyway; for a host with HSTS it does not.

Additionally, bad actors may try to find weak points in your website's security by intentionally downgrading requests to HTTP. Say you have a redirect rule in your Apache/Nginx configuration that upgrades requests to HTTPS, but for a certain request the string matching fails, so the user can reach the resource over plain HTTP. This is where HSTS steps in: a browser that already holds the policy never sends that plain-HTTP request in the first place, so the gap in your redirect rules cannot be reached. Note the "already holds": HSTS is trust on first use. The very first visit, before the browser has seen the header over HTTPS, is not protected unless the domain is on the browsers' built-in preload list.

Making this change, alongside forcing a minimum TLS version, can be very beneficial to your website's security.

Why would I use HSTS?
HSTS is used to harden your website's security. It acts as a safety net for any places where you have missed an HTTP -> HTTPS redirect, and it ensures that people do not keep browsing your website if the certificate becomes invalid.

While there are some ways around HSTS (intended for developer use only), these are unknown to the vast majority of typical users, the sort who would normally click "proceed" when presented with a standard certificate error. Using HSTS makes a website with an invalid certificate virtually inaccessible.

HSTS is also quite often flagged by security-checking tools, especially those that assess whether a site is PCI (Payment Card Industry) compliant. Enabling it could be the final step in getting your desired score or tick.

Check if HSTS is enabled
Before proceeding with the rest of this guide, it's a good idea to check whether your website already uses HSTS. Some web hosts implement HSTS automatically, and some TLDs (such as .dev) are on the browser preload list, so every site under them is treated as HSTS-enabled whether or not it sends the header. You can easily check by using one of several online tools; one I'd recommend is SecurityHeaders.com.

Plugging SystemsPro into SecurityHeaders currently, with HSTS off, returns this as part of the results:
[Screenshot: SecurityHeaders.com result showing the Strict-Transport-Security header missing]

How to enable HSTS with Cloudflare
As we've now verified that HSTS is not currently enabled, it's time to turn it on in Cloudflare. Once you log in to Cloudflare, navigate to SSL/TLS -> Edge Certificates -> HTTP Strict Transport Security (HSTS).

Here you'll have a button to enable HSTS. Cloudflare shows you a number of warnings first, because you need to consider the following points:

- If you're using your own certificate on your server rather than Cloudflare's, and that certificate expires or is otherwise invalid, HSTS will make your site unavailable: browsers refuse to connect and users cannot click through the warning.
- If you enable HSTS but your web server isn't configured to serve HTTPS, your site becomes unavailable, because browsers will no longer make plain HTTP requests to it.

One more point to bear in mind: once visitors' browsers have cached the policy, they keep enforcing it until max-age runs out, so switching the setting off does not immediately let you go back to plain HTTP. If you ever need to back out, serve the header with max-age=0 over HTTPS and wait for the old value to expire in visitors' browsers.

Accepting these warnings will then allow you to proceed with enabling HSTS. Cloudflare gives you a number of settings here (the max-age, whether the policy also applies to subdomains, and the preload flag) which need to be tailored to your setup. In our example, the settings are the ones below.
[Screenshot: the HSTS settings used for this site in the Cloudflare dashboard]

It's important to set a max-age value for this header; without it the header is invalid and browsers ignore it.
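To make concrete what the max-age and subdomain settings chosen above turn into on the wire, and how a browser then applies them (the enforcement described under "What is HSTS?"), here is an added example that is not code from the post or from Cloudflare: a small model of a browser's HSTS cache. The header value, host names and clock are constructed for the example, and the Browser class is a simplification of RFC 6797 behaviour, not a real browser's implementation.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time after which the policy no longer applies
    include_subdomains: bool   # set by the includeSubDomains directive


def parse_hsts(header_value: str) -> tuple[int, bool, bool]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).
    A value without max-age is invalid; a browser ignores it."""
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security without max-age")
    return max_age, include_subdomains, preload


class Browser:
    """The HSTS cache a browser builds from the HTTPS responses it has seen."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock so expiry can be exercised
        self.policies: dict[str, HstsPolicy] = {}

    def receive(self, url: str, headers: dict[str, str]) -> None:
        """Record the policy carried by a response. Only responses received over
        HTTPS count (RFC 6797), so an HTTP-only origin can never pin itself."""
        parts = urlsplit(url)
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if parts.scheme != "https" or sts is None:
            return
        try:
            max_age, include_subdomains, _preload = parse_hsts(sts)
        except ValueError:
            return                           # malformed header: ignored, nothing cached
        host = parts.hostname.lower()
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            self.policies.pop(host, None)
            return
        self.policies[host] = HstsPolicy(self.now() + max_age, include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if an unexpired policy covers host, directly or via includeSubDomains."""
        host = host.lower()
        for known, policy in self.policies.items():
            if policy.expires_at <= self.now():
                continue
            if host == known or (policy.include_subdomains and host.endswith("." + known)):
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL the browser actually requests: http:// becomes https:// for a
        known host before any packet is sent; unknown or expired hosts go out as typed."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> dict[str, str | bool]:
    """First visit, a pinning response, subdomain coverage and expiry (constructed data)."""
    clock = [1_000_000.0]
    browser = Browser(now=lambda: clock[0])
    # Header equivalent to the settings used in the post: one month, applied to subdomains.
    header = {"Strict-Transport-Security": "max-age=2592000; includeSubDomains"}
    out = {}
    out["first_visit"] = browser.navigate("http://www.example.com/login")   # no policy yet
    browser.receive("http://www.example.com/", header)                      # over HTTP: ignored
    out["pinned_over_http"] = browser.is_known("www.example.com")           # still False
    browser.receive("https://example.com/", header)                         # over HTTPS: cached
    out["apex"] = browser.navigate("http://example.com/login")
    out["subdomain"] = browser.navigate("http://www.example.com:80/login")
    out["other_site"] = browser.navigate("http://other.example.net/")
    clock[0] += 2592000 + 1                                                 # one month passes
    out["after_expiry"] = browser.navigate("http://example.com/login")
    return out


if __name__ == "__main__":
    print(demo())
```

Two things the walk-through shows that the dashboard does not: the first request to www.example.com leaves over plain HTTP because nothing is cached yet (the trust-on-first-use gap that the preload list exists to close), and a policy received on a plain-HTTP response is discarded, which is why a site that cannot serve HTTPS does not lock itself out by accident. After the month chosen in the post the cached policy lapses and the http:// URL goes out unchanged again, so the header has to keep being served.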
A month (max-age=2592000) is a common starting value. Longer values give stronger protection, and the browser preload list requires at least one year (31536000 seconds), but they also mean a certificate or HTTPS misconfiguration locks visitors out for longer, so it is reasonable to start short and raise the value once you are confident the site is stable.

Verifying the change was successful
After making the change, it is a good idea to check the site again with SecurityHeaders.com, or to inspect the response headers directly with curl. Running the same test as before, we can now see that the strict-transport-security header is present, with a max-age value of one month as specified above.

Wrapping up
This guide has shown you how to enable and configure HSTS using Cloudflare. If you've got any questions or run into any problems, please feel free to leave a comment.
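For the "Check if HSTS is enabled" and "Verifying the change was successful" steps, here is an added example, not code from the post, that performs the same check as SecurityHeaders.com locally. audit_hsts grades a raw header value against the directives discussed above and against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload); fetch_headers is the only part that touches the network and is called only when a URL is passed on the command line. The BEFORE/AFTER/PRELOAD_READY header dumps are constructed samples in the shape curl -sI prints, standing in for the two SecurityHeaders runs in the post.

```python
from __future__ import annotations

import re
import sys
import urllib.request

ONE_MONTH = 30 * 24 * 3600     # 2592000 s, the max-age chosen in the post
ONE_YEAR = 365 * 24 * 3600     # 31536000 s, the minimum hstspreload.org accepts


def extract_hsts(raw_headers: str) -> str | None:
    """Find the Strict-Transport-Security value in raw response headers (one
    'Name: value' per line). Names are case-insensitive; Cloudflare sends this
    one in lower case."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def audit_hsts(value: str | None) -> list[str]:
    """Grade a header value. Returns findings, worst first; an empty list means
    the header meets the preload-list requirements."""
    if value is None:
        return ["missing: no Strict-Transport-Security header, browsers enforce nothing"]
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if match is None:
        return ["invalid: no max-age directive, browsers ignore the header"]
    max_age = int(match.group(1))
    directives = {d.strip().lower() for d in value.split(";")}
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears the policy rather than setting one")
    elif max_age < ONE_MONTH:
        findings.append(f"max-age={max_age} is shorter than one month")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    if "preload" not in directives:
        findings.append("preload absent: site cannot be submitted to the browser preload list")
    return findings


def fetch_headers(url: str) -> str:
    """Fetch the response headers for url (network access; only used from main).
    Pass the https:// URL: the header only means anything on an HTTPS response."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return "\n".join(f"{name}: {val}" for name, val in resp.getheaders())


# Constructed header dumps standing in for the before/after checks in the post.
BEFORE = "HTTP/2 200\nserver: cloudflare\ncontent-type: text/html\n"
AFTER = BEFORE + "strict-transport-security: max-age=2592000; includeSubDomains\n"
PRELOAD_READY = BEFORE + "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"


def report(raw_headers: str) -> str:
    """Human-readable summary of the audit for one set of response headers."""
    value = extract_hsts(raw_headers)
    lines = [f"Strict-Transport-Security: {value!r}"]
    lines += [f"  - {f}" for f in audit_hsts(value)] or ["  - OK: preload-ready policy"]
    return "\n".join(lines)


if __name__ == "__main__":
    # With a URL argument this audits a live site; otherwise it runs the constructed samples.
    if len(sys.argv) > 1:
        print(report(fetch_headers(sys.argv[1])))
    else:
        for label, raw in (("before", BEFORE), ("after", AFTER), ("preload-ready", PRELOAD_READY)):
            print(f"[{label}]\n{report(raw)}\n")
```

Run without arguments the script reproduces the post's two states: the "before" dump has no header at all, and the "after" dump with the one-month, subdomains-on setting is valid but is reported as below the preload minimum and lacking the preload directive, which is exactly the gap between "HSTS enabled" and "safe from the first-visit downgrade". The check deliberately treats a header without max-age as invalid rather than present, since browsers discard it and an online scanner that only looks for the header name would give a false pass.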