I enabled HSTS at the server where I host one of the domain names I have at Cloudflare. They provided a free Let’s Encrypt SSL/TLS certificate.
Does it make sense if I enable HSTS at Cloudflare as well for the same domain name?
Thank you!
The HSTS header should pass through to the users (which are the ones that need to see it, otherwise it’s useless), just check it’s there.
As I read it, you highlighted the fact that the actual role of HSTS is to protect users’ security when they access our website. For instance, in case they type “http://www.example.com” instead of “https://www.example.com”, which is exactly what most people do. I understand hackers could take advantage of the time elapsing during the transfer from HTTP to HTTPS, and this is exactly the reason why HSTS comes onto the scene to ensure that only HTTPS connections are displayed.
I am just trying to know if I can enable HSTS at both ends: (1) at Cloudflare (domain registrar), and (2) at the server of the company where the domain name is hosted. The point of my question is to avoid conflict because the SSL/TLS certificate was issued by the hosting company.
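Added example (not part of the thread, and not Cloudflare's or the hosting company's code): a Python check of the `Strict-Transport-Security` header as the client receives it, covering the "just check it's there" advice and the case where more than one copy arrives. The sample header lists and function names are constructed for illustration; per RFC 6797 a browser processes only the first HSTS header field and ignores one delivered over plain HTTP.

```python
# Audit the HSTS header(s) in a response, following RFC 6797 processing rules.

def parse_hsts(value):
    """Parse one header value into a dict of lower-cased directive names."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    return directives


def audit_hsts(headers, scheme="https"):
    """headers: ordered (name, value) pairs exactly as the client received them."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    findings = []
    if scheme != "https":
        findings.append("header sent over plain HTTP is ignored by browsers")
    if not values:
        return {"effective": None, "findings": findings + ["no HSTS header present"]}
    if len(values) > 1:
        findings.append(f"{len(values)} HSTS headers; browsers use only the first")
    try:
        policy = parse_hsts(values[0])
        max_age = int(policy["max-age"])     # max-age is the one required directive
    except (KeyError, ValueError) as exc:
        return {"effective": None, "findings": findings + [f"invalid policy: {exc!r}"]}
    if max_age == 0:
        findings.append("max-age=0 removes the host from the browser's HSTS list")
    effective = {"max_age": max_age,
                 "include_subdomains": "includesubdomains" in policy,
                 "preload": "preload" in policy}
    return {"effective": effective, "findings": findings}


# Constructed sample: two policies reach the client, with different lifetimes.
SAMPLE_TWO_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
    ("strict-transport-security", "max-age=31536000"),
]

if __name__ == "__main__":
    print(audit_hsts(SAMPLE_TWO_HEADERS))
```

To run it against a real site, pass the response headers of the HTTPS URL from any HTTP client as the list of pairs.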