Creating an HSTS record to be used by a non-Cloudflare site

We use a security checker called “Security Scorecard” that recommends we set up an HSTS record. As I understand it, this is a list of IP addresses allowed to call themselves sub-domains of us.

I know Cloudflare has technology to do this for us, but our root webpage is hosted by a company under the control of our marketing department.

How do you handle this? Is there a script that I can put on a schedule that’ll list the explicit (from A records) and implicit (from CNAMEs) IP addresses that I can send them, or is there a more clever way to do it?

On the Cloudflare blog there is an article called “enforce-web-policy-with-hypertext-strict-transport-security-hsts”, but it’s not very clear for someone in my situation.

Not really, I am afraid. An IP address can’t “call itself” anything in the first place. HSTS is rather a response header that tells clients (typically browsers) to exclusively use HTTPS for connecting.

You can read more about that at HTTP Strict Transport Security - Wikipedia, and you can enable it at https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates. However, you should really make sure that your site is working fine on HTTPS, as you won’t be able to switch a browser back to HTTP until the defined HSTS period has expired.

Also, make sure your encryption mode on Cloudflare is Full Strict.

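The reply above describes HSTS as a response header rather than a DNS record. As an added example (not code from either poster, Cloudflare, or Security Scorecard), the script below parses a Strict-Transport-Security header per RFC 6797 and reports the things a practitioner checks before turning the header on: that it only counts when served over HTTPS, that max-age=0 clears rather than enforces the policy, that a short max-age is a rollout value rather than a long-term one, that subdomains are only covered with includeSubDomains, and that preloading via hstspreload.org needs max-age of at least one year plus includeSubDomains plus preload. The sample responses are constructed for the example; the optional fetch_headers helper uses the standard library and talks to a real host only if you call it.

```python
"""Parse and assess an HTTP Strict-Transport-Security header (RFC 6797).

Added example, not taken from the forum thread. Sample responses below are
constructed, not captured from any real site.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)  # syntax-level defects

    @property
    def valid(self) -> bool:
        return self.max_age is not None and not self.problems


# directive-name [= value], value optionally quoted; names are case-insensitive
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the header value into a policy, recording RFC 6797 violations."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            policy.problems.append(f'unparseable directive {raw.strip()!r}')
            continue
        name, val = m.group(1).lower(), m.group(3)
        if name in seen:  # RFC 6797 section 6.1: a directive must not repeat
            policy.problems.append(f'duplicate directive {name}')
            continue
        seen.add(name)
        if name == 'max-age':
            if val is None or not val.isdigit():
                policy.problems.append('max-age needs a non-negative integer value')
            else:
                policy.max_age = int(val)
        elif name == 'includesubdomains':
            policy.include_subdomains = True
        elif name == 'preload':
            policy.preload = True
        # unknown directives are permitted and ignored by user agents
    if 'max-age' not in seen:
        policy.problems.append('required max-age directive is missing')
    return policy


def assess(policy: HstsPolicy, want_preload: bool = True) -> list:
    """Return findings a practitioner would act on (empty list means healthy)."""
    findings = list(policy.problems)
    if policy.max_age is None:
        return findings
    if policy.max_age == 0:
        findings.append('max-age=0 clears any cached policy; it does not enforce HTTPS')
        return findings
    if policy.max_age < ONE_YEAR:
        findings.append(f'max-age={policy.max_age} is below one year: fine for a '
                        'rollout, too short for preloading')
    if not policy.include_subdomains:
        findings.append('includeSubDomains absent: subdomains can still be reached over plain HTTP')
    if want_preload and not policy.preload:
        findings.append('preload directive absent: hstspreload.org will not accept the domain')
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append('preload set but its prerequisites (max-age >= 1 year and '
                        'includeSubDomains) are not met')
    return findings


def check_response(scheme: str, headers: dict, want_preload: bool = True) -> dict:
    """Evaluate one response. headers maps name -> value in any letter case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {'enforced': False, 'findings': []}
    if scheme.lower() != 'https':
        # RFC 6797 section 7.2: the header is ignored on insecure transport
        result['findings'].append('response came over plain HTTP; browsers ignore '
                                  'Strict-Transport-Security there')
        return result
    value = lowered.get('strict-transport-security')
    if value is None:
        result['findings'].append('no Strict-Transport-Security header')
        return result
    policy = parse_hsts(value)
    result['findings'] = assess(policy, want_preload)
    result['enforced'] = policy.valid and policy.max_age > 0
    return result


def fetch_headers(host: str, path: str = '/') -> dict:
    """Fetch headers for https://host/path (network access; unused by the samples)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request('HEAD', path, headers={'Host': host})
    return dict(conn.getresponse().getheaders())  # duplicate names collapse to last value


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    'weak':       ('https', {'Strict-Transport-Security': 'max-age=600'}),
    'strong':     ('https', {'Strict-Transport-Security':
                             'max-age=31536000; includeSubDomains; preload'}),
    'plain_http': ('http',  {'Strict-Transport-Security': 'max-age=31536000'}),
    'missing':    ('https', {'Content-Type': 'text/html'}),
}

if __name__ == '__main__':
    for name, (scheme, hdrs) in SAMPLES.items():
        r = check_response(scheme, hdrs)
        print(f'{name}: enforced={r["enforced"]}')
        for f in r['findings']:
            print('  -', f)
```

To check a live site, replace the samples with `check_response('https', fetch_headers('www.example.com'))`; the dict collapses duplicate header lines, so if you suspect a server sends the header twice, inspect the raw header list instead.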
