If I enable the Cloudflare HSTS setting on a zone, is there any risk of duplicate/conflicting HSTS headers if some of my subdomain origins in the zone already send an HSTS header?
It’s fine if your origin sends its own HSTS header. If you have Cloudflare HSTS enabled, it will overwrite any HSTS header that your origin sends. It’s still a good idea to have your origin send the header, in case it also serves non-proxied traffic, or if you ever need to temporarily or permanently unproxy some/all of your traffic for whatever reason.
Make sure to submit your domains to https://hstspreload.org/ (if you’re sure you’ll never need to use them for non-encrypted traffic).
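An added example, not part of the thread and not Cloudflare's code: a small Python check that parses the `Strict-Transport-Security` values a response carries, applies the RFC 6797 rule that a browser processes only the first such header, and tests the header requirements listed on hstspreload.org (`max-age` of at least 31536000, `includeSubDomains`, `preload`). The header lists are constructed sample values; in practice they would come from one request through the proxy and one made directly to the origin.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_sts(value):
    """Parse one Strict-Transport-Security value; None if a browser would ignore it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is required

def audit(header_values):
    """header_values: every STS header value in one response, in wire order."""
    # RFC 6797 section 8.1: only the first STS header field is processed.
    policy = parse_sts(header_values[0]) if header_values else None
    ready = bool(policy and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
                 and policy["include_subdomains"] and policy["preload"])
    return {"duplicate": len(header_values) > 1, "policy": policy,
            "preload_ready": ready}

# Constructed samples: a proxied response, a direct-to-origin response, and a
# response in which two layers each added their own header.
PROXIED = ["max-age=31536000; includeSubDomains; preload"]
ORIGIN_ONLY = ["max-age=300"]
DOUBLED = ["max-age=300", "max-age=31536000; includeSubDomains; preload"]

if __name__ == "__main__":
    for label, values in [("proxied", PROXIED), ("origin", ORIGIN_ONLY),
                          ("doubled", DOUBLED)]:
        print(label, audit(values))
```

In the doubled case the weaker first header is the one that takes effect, so a short-lived origin policy would mask a stronger one added later in the chain.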