I want the HSTS headers to go through like they did when I ran my own apache2 server. I worked in web browser security for years (not anymore), so it's just sort of near and dear to my heart and, frankly, it should be reliable for Cloudflare users to get best practices like HSTS headers.
Checking the headers confirms there are no HSTS headers being sent.
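A quick way to make that header check repeatable, as an added example that is not part of this thread and not Cloudflare's code: the script below parses a Strict-Transport-Security header (RFC 6797) and applies the usual best-practice bar (present, max-age of at least one year, includeSubDomains). The response headers it is run against are constructed for the example; `fetch_headers` issues a real HEAD request if you point it at a site.

```python
"""Check whether an HTTP response carries a usable HSTS header.

Added example; the sample header sets below are constructed, not captured
from any real site.
"""
import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; also the minimum hstspreload.org accepts


def parse_hsts(value):
    """Split an STS header value into {directive-name: value}.

    Directive names are case-insensitive; a repeated directive makes the
    header invalid under RFC 6797, so the first repeat is recorded under
    the '__duplicate__' key instead of silently overwriting.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            directives.setdefault("__duplicate__", name)
        else:
            directives[name] = val
    return directives


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Return (ok, findings) for a dict or list of (name, value) headers.

    ok is True only when the header is present, valid, has max-age of at
    least min_max_age and includes includeSubDomains.
    """
    items = headers.items() if hasattr(headers, "items") else headers
    values = [v for n, v in items if n.lower() == "strict-transport-security"]
    if not values:
        return False, ["no Strict-Transport-Security header sent"]
    findings = []
    if len(values) > 1:
        findings.append("more than one STS header; browsers honour only the first")
    d = parse_hsts(values[0])
    if "__duplicate__" in d:
        findings.append("duplicate directive %r makes the header invalid" % d["__duplicate__"])
    raw = d.get("max-age")
    if raw is None:
        findings.append("max-age directive missing; header is invalid and ignored")
    elif not raw.isdigit():
        findings.append("max-age %r is not a non-negative integer" % raw)
    elif int(raw) == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif int(raw) < min_max_age:
        findings.append("max-age %d is below %d seconds" % (int(raw), min_max_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; subdomains stay unprotected")
    return not findings, findings


def fetch_headers(url):
    """HEAD the URL over HTTPS and return its response headers as pairs."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("HEAD", parts.path or "/", headers={"Host": parts.hostname})
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return headers


if __name__ == "__main__":
    # Constructed responses: one without HSTS, one with a short policy,
    # one that meets the bar.
    samples = {
        "no header": {"Content-Type": "text/html"},
        "short": {"Strict-Transport-Security": "max-age=300"},
        "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    }
    for label, hdrs in samples.items():
        ok, findings = check_hsts(hdrs)
        print(label, "OK" if ok else "WEAK", findings)
```

Run it with `python3 hsts_check.py` for the constructed samples, or call `check_hsts(fetch_headers("https://example.com/"))` against a live zone; an HSTS header that is present but has `max-age=0`, or is missing `max-age` altogether, is reported as a failure rather than a pass, which is the case a dashboard toggle gone wrong most often produces.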
I see the problem: it was an issue with how the UX got rendered in Firefox. For some reason it auto-scrolled down, so I never saw the HSTS button at the top, and I thought the other buttons enabled it. Wow, easy miss! Thank you.
You mean, why doesn't the HSTS option force TLS v1.3 by default?
I am not aware whether that's interconnected within Cloudflare's code; however, we could possibly expect this in the near future.
Nevertheless, the Minimum TLS Version option is there separately, I believe, because quite a lot of requests from today's web browsers still use 1.2 despite TLS v1.3 being supported; however, we can expect 1.3 to become the "normal" one in the coming years, my best guess.
Using TLS v1.3 only would block some portion of users trying to access your website.
It's good to keep it at Minimum TLS v1.2 for now.
No, I have it enabled in the UX to be TLS v1.3 only.
TLS v1.3 gets rid of a lot of weak cipher suites. Now, does it matter for a personal static website that there are some theoretically weak cipher suites being used? No, but it's weird that the option doesn't do anything, right? A bug?
Qualys SSL Labs would report them, yes.
It could be done via an API to modify cipher settings (allowlist):
Helpful article for cipher suites:
However, I am afraid this would require you to have an Advanced Certificate Manager subscription, purchased for $5/month for your zone (which would also allow you to have e.g. sub.sub.domain.com as a deep-level subdomain covered by Cloudflare's Universal SSL):
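To show what the API-driven allowlist from the replies above looks like in practice, here is an added example (mine, not Cloudflare's code and not from this thread). It takes a list of cipher suites as a scanner such as SSL Labs would report them, drops the ones that lack forward secrecy or use CBC or legacy ciphers, and builds the request that applies the remaining TLS 1.2 suites as the zone's allowlist. Assumptions to verify against the current Cloudflare docs: the zone setting is named `ciphers`, it is changed with `PATCH /zones/{zone_id}/settings/ciphers` carrying `{"value": [...]}` under an API-token bearer header, suite names use Cloudflare's OpenSSL-style spelling, and TLS 1.3 suites are fixed and cannot be listed. The `OBSERVED` list is constructed, not a real scan result.

```python
"""Build a Cloudflare cipher allowlist and the API call that applies it.

Added example. Endpoint, setting name and cipher spelling are assumptions
to check against Cloudflare's API reference; the observed suite list is
constructed to look like a scanner report.
"""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample of what a scanner might list for a zone.
OBSERVED = [
    "TLS_AES_128_GCM_SHA256",          # TLS 1.3 suite; not configurable here
    "ECDHE-ECDSA-AES128-GCM-SHA256",   # AEAD + forward secrecy
    "ECDHE-RSA-CHACHA20-POLY1305",     # AEAD + forward secrecy
    "ECDHE-RSA-AES256-SHA384",         # CBC mode
    "AES128-GCM-SHA256",               # static RSA key exchange, no PFS
    "ECDHE-RSA-DES-CBC3-SHA",          # 3DES, legacy
]


def is_weak(suite):
    """Classify an OpenSSL-style suite name; returns (weak, reason).

    Mirrors the usual scanner grading: no forward secrecy, legacy ciphers
    and CBC suites are 'weak'; AEAD suites with (EC)DHE are not.
    """
    if suite.startswith("TLS_"):
        return False, "TLS 1.3 suite (always AEAD with forward secrecy)"
    if not suite.startswith(("ECDHE-", "DHE-")):
        return True, "no forward secrecy (static RSA key exchange)"
    if any(tok in suite for tok in ("DES", "RC4", "NULL", "EXPORT")):
        return True, "legacy cipher"
    if "GCM" not in suite and "POLY1305" not in suite:
        return True, "CBC mode with HMAC, not AEAD"
    return False, "AEAD with forward secrecy"


def build_allowlist(observed):
    """Return (keep, dropped): TLS 1.2 suites to allow, and (suite, reason)
    pairs that were rejected. TLS 1.3 suites are skipped, since the
    setting (by assumption) only governs TLS 1.2 and below."""
    keep, dropped = [], []
    for suite in observed:
        if suite.startswith("TLS_"):
            continue
        weak, why = is_weak(suite)
        if weak:
            dropped.append((suite, why))
        else:
            keep.append(suite)
    return keep, dropped


def ciphers_request(zone_id, ciphers, token):
    """Prepare (but do not send) the PATCH that sets the zone allowlist."""
    url = f"{API}/zones/{zone_id}/settings/ciphers"
    body = json.dumps({"value": ciphers}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def apply_allowlist(zone_id, ciphers, token):
    """Send the request and return the parsed JSON reply (needs network
    and an Advanced Certificate Manager zone, per the thread)."""
    with urllib.request.urlopen(ciphers_request(zone_id, ciphers, token)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    keep, dropped = build_allowlist(OBSERVED)
    print("allow:", keep)
    for suite, why in dropped:
        print("drop: ", suite, "->", why)
    req = ciphers_request("<zone_id>", keep, "<api_token>")
    print(req.get_method(), req.full_url, req.data.decode())
```

Run `python3 cf_ciphers.py` to see which suites survive and the exact request that would be sent; only call `apply_allowlist` once the zone has the Advanced Certificate Manager subscription the reply above mentions, since the setting is rejected otherwise, and re-scan afterwards, because the TLS 1.3 suites will still be reported unchanged.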