Disable HSTS where I don't want to wait the max age

Dear respected support,

Actually, I had HSTS enabled and max age was set to 6 months.
I disabled Always Use HTTPS, so I got an issue with many members who can't access the site anymore (I have all redirect rules from http to https).
Then I disabled HSTS and put SSL to Flexible, so the site went totally offline.
My question: if I keep HSTS ON and put the max age to zero, how much time must I wait so that I can totally disable it?
In other words, I don't want to wait these 6 months because I want to disable Always Use HTTPS.

Kindly advise.

You will have to wait for that long. HSTS instructs browsers to connect exclusively via HTTPS for the given period. Only after that directive has expired will these browsers consider connecting via HTTP again.

Thanks for reply…

But I will keep using https as I mentioned, because all my redirect rules from http to https are settled.
I only want to disable (Always Use HTTPS in Crypto).

So those browsers will not update when we set max age to Zero like 7 days where all members should visit page at least once and then I disable HSTS?

Best regards,

So your question is whether you can shorten the period with an override of “max-age”?

Yes exactly shorten the wait time like 1 or 2 weeks then disable.

Best regards.

That should be possible

Thanks for being fast in replying and taking care of my issue.

Kindly recommend a time to keep max age at zero before I totally disable HSTS.
Does 1 week sound good to allow members' browsers to get updated with the new settings?

Best regards.

If you want to disable it there’d be little point in keeping it. Set it to zero and remove it after six months altogether.
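
For reference, an added example that is not part of the thread: a minimal Python model of how a browser's HSTS cache treats the max-age override discussed above, following RFC 6797. The host name, the class and function names and the day-30/day-37 timeline are constructed for illustration.

```python
SIX_MONTHS = 15552000  # 180 days in seconds, standing in for the original max-age

def parse_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    found = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() != "max-age":
            continue
        value = value.strip().strip('"')
        if found is not None or not (value.isascii() and value.isdigit()):
            return None  # duplicate or malformed max-age: the header is ignored
        found = int(value)
    return found

class HstsStore:
    """Model of one browser's HSTS host list (RFC 6797, sections 6.1.1 and 8.1)."""
    def __init__(self):
        self.expiry = {}  # host -> absolute expiry time in seconds

    def note_response(self, host, header, now, secure=True):
        if not secure:
            return  # headers received over plain HTTP are ignored
        max_age = parse_max_age(header)
        if max_age is None:
            return
        if max_age == 0:
            self.expiry.pop(host, None)  # max-age=0 drops the entry immediately
        else:
            self.expiry[host] = now + max_age

    def forces_https(self, host, now):
        return self.expiry.get(host, 0) > now

def simulate():
    """Constructed scenario: two visitors cached the six-month policy on day 0."""
    day = 86400
    returning, absent = HstsStore(), HstsStore()
    for store in (returning, absent):
        store.note_response("example.com", f"max-age={SIX_MONTHS}", now=0)
    # Day 30: the site starts sending max-age=0; only one visitor comes back.
    returning.note_response("example.com", "max-age=0", now=30 * day)
    # Day 37: the header is removed. Check who is still pinned to HTTPS,
    # and when the visitor who never returned is finally released.
    return (returning.forces_https("example.com", 37 * day),
            absent.forces_https("example.com", 37 * day),
            absent.forces_https("example.com", 181 * day))
```

The result shows that the zero max-age only clears the policy for browsers that load the site over HTTPS while it is being served; a browser that does not return keeps the cached entry until its original expiry.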

Time is a factor.

After 10 months of changing my website from http to https and losing all my ranking in Google, where I did everything they want and did not get back my position, I’m a bit sure that the problem is from HSTS, because I must disable Always Use HTTPS so Google will figure out that both sites are the same (http and https)… Maybe my point is wrong, but after 10 months, just yesterday I disabled Always Use HTTPS, then in short I found some pages of my site in Google came up to the very top of the 1st page where they were on the 8th page.
Please note that my ranking and position in Google console with http is still doing perfect without any clicks, and https is worse with all the clicks I get to my website.

Kindly advise.

Assuming your HTTPS setup is proper (on Cloudflare and on your server, both having a valid certificate) it should not affect any search engine ranking at all. If at all, it should improve it.

Instead of disabling HTTPS I’d rather check what the problem might be and fix that. HTTPS might not be required for all types of sites, but it still is a good idea :)

Thanks for your reply…

Kindly check and let me know if there is something misconfigured in Crypto and in Page Rules.
Your kind support is highly appreciated.

Best regards.

What's your domain, what's your SSL mode on Cloudflare, and do you have a certificate on your server?

My SSL is in FULL.
Must have certificate in server (if a must I would confirm with server support)

Best regards.

Do you mean you have a certificate or you are not sure? If the latter, clarify it with your host and make sure you have one configured.

I’m not sure, but in CF it's showing that I have a valid certificate.

By "a must" I mean, if this info is important for you, I will confirm with server support and get back to you.

Best regards.

That's the certificate on Cloudflare’s side, you need one on your server too.


"Dear Webmaster MHH AUTO,

Hello,

there are no other certificates installed, only Cloudflare’s native SSL certificate.

Best regards"

Kindly advise.

OK, we added a certificate on the server side, but kindly can you explain why you said both CF and the server side must have an SSL certificate, knowing that Google and members can't see the website behind CF? As I know, we need a certificate on the server if we want to make it Full (strict) mode between CF and the server.

Still waiting for your kind help and support on my issue.

Best regards.

The point is the data is transmitted from Cloudflare to your server, and if you don't have a certificate this renders HTTPS useless and the site will be as insecure as it was before you added it to Cloudflare.

Thanks for reply…

Did you have a look at the rules and crypto page?

Best regards.