Configuring HSTS in Cloudflare

#1

I have a few websites on Cloudflare set to Strict SSL, which connects to my server using Let’s Encrypt and this has worked successfully for a couple of years across two web hosts.

Earlier today, I did some testing on a non-Cloudflare site and the following htaccess passes verification for the preload list with no difficulties accessing the site:

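RewriteEngine On
# Redirect www to the bare domain; the parentheses capture the path for $1
RewriteCond %{HTTP_HOST} ^www\.(.*)
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# Redirect any remaining plain-HTTP request to HTTPS on the same host
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# Send the HSTS header on HTTPS responses only
Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains" env=HTTPS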

The question I’m wondering about is how to configure this at Cloudflare when enabling it in the dashboard? There are various options, but if I have it set in the htaccess of the website is it even necessary to enable at Cloudflare in the dashboard?

1 Like
#2

A quick follow-up here. I just tried adding that htaccess code to a domain on Cloudflare without switching on HSTS inside the Cloudflare dashboard and scored an A+ for security when tested at https://www.ssllabs.com/ssltest.

Any thoughts or observations on best practices are welcome.

#3

Either way works. But doing it twice (both ways) often flags a warning.

I use the Cloudflare option in case I rebuild .htaccess and forget to put it back in.

#4

OK thanks, that makes sense I guess, though I tend to use fixed htaccess across different sites and any such error would be spotted quickly in theory. I may try one site using the Cloudflare setup, then see how they compare. One concern was having conflicts if using both as you have suggested.

#5

Using the Cloudflare option is usually faster since it doesn’t need to go to the origin for the redirect.

1 Like
#6

If your domain is on the preload list, visitors won’t even have to go to Cloudflare for the redirect. :wink:
https://hstspreload.org/

#7

That makes sense as well!

1 Like
#8

Not yet. I’ve avoided it while trying to find the best way forward.

1 Like
#9

Yeah, but that is a way bigger step! You would need to make it for all subdomains, it’s a heavy burden for many. It should be that way, I have my main domains on there, but not everyone can do so.

1 Like
#10

I checked with my web host Guru, who apply SSL by default through Let’s Encrypt and they said this applies to subdomains, but there is no wildcard option and they need to be added separately.

I’ve never needed to create a subdomain to date, so this aspect does not overly trouble me right now, however I’ve started building some websites for clients and I’d have to be careful about enabling HSTS there. I tend to think the preload list is something that should only be done when you are 110% sure everything is A1 perfect.

EDIT: Actually they had a whole bunch of advice on using HSTS with Cloudflare and it slightly unnerved me.

#11

Agreed for sure. Let’s Encrypt now allows for wildcards, but they need to be implemented differently.

Mainly you need to be sure that no subdomain will ever need to be HTTP only. Especially if public facing. It should be the default now, but you might never know. Removing the domain from the Preload list is doable, but a pain and will take a lot of time.

#12

Every site I’ve built in the last 5 years has been https only. Nowadays with GDPR I struggle to think of an instance where it would be legally feasible or sensible to not use https.

1 Like
#13

If only everyone was thinking like you. If only. :clap:

2 Likes
#14

Pure cowardice on my part!

#15

Actually I always ensure all assets, such as video and fonts etc are added locally to avoid potential issues. In the past I had some plugins accessing sources that were not https and it would break pages.

#16

Should I enable all options?

#17

Go for broke! (Ok, “broke” probably isn’t the best word choice). I set Max Age to one year. HSTS preload list needs that.

And be super-duper-triple sure you’re ok with subdomains being forced to https.

1 Like
#18

I’m cool on these domains, because they are all mine and I can’t see they’ll ever need subdomains anyway. Possibly, maybe on my web design site, but I’ll find a way to make that work if really needed. I can just as easily place contents like demo sites in sub folders without needing a subdomain.

I’ve removed the HSTS header from the htaccess code, so I can flick the switch and set it at a year. Does that automatically submit to the preload list?

#19

No. You have to manually submit at https://hstspreload.org after you’ve enabled your settings here.
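An added example, not part of the thread: a small Python check to run over a response's headers before submitting, covering the two points raised above (the header being set twice, and the one-year max-age with includeSubDomains and preload). The function names and sample headers are constructed for illustration; the threshold is the one-year value quoted in the thread.

```python
PRELOAD_MIN_AGE = 31536000  # one year in seconds, the max-age used in this thread


def parse_hsts(value):
    """Parse one Strict-Transport-Security value into {directive: value-or-True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = arg.strip().strip('"') if arg else True
    return directives


def audit(headers):
    """Return a list of findings for a response's (name, value) header pairs."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(sts) > 1:
        # RFC 6797: a browser processes only the first header it receives
        findings.append(f"header sent {len(sts)} times; only the first is used")
    try:
        d = parse_hsts(sts[0])
    except ValueError as exc:
        return findings + [str(exc)]
    age = d.get("max-age")
    if not isinstance(age, str) or not (age.isascii() and age.isdigit()):
        findings.append("max-age missing or not a number")
    elif int(age) < PRELOAD_MIN_AGE:
        findings.append(f"max-age {age} is below {PRELOAD_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            findings.append(f"{flag} directive missing")
    return findings


# Constructed header sets (not captured from any real site)
ONCE = [("Strict-Transport-Security", "max-age=31536000; preload; includeSubDomains")]
TWICE = ONCE + [("strict-transport-security", "max-age=15552000; includeSubDomains")]
SHORT = [("Strict-Transport-Security", "max-age=15552000")]

if __name__ == "__main__":
    for label, hdrs in (("once", ONCE), ("twice", TWICE), ("short", SHORT)):
        print(label, audit(hdrs) or "meets the preload header requirements")
```

An empty list from `audit` means the header alone is ready for submission; the redirect and subdomain checks at https://hstspreload.org/ still apply.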

#20

OK that’s better and more reassuring. I’d rather test this first before anything is submitted. I’ll let you know in 2 minutes if the entire Internet has crashed.

1 Like