Enable HSTS behind HTTP host

I have a situation currently where I need to enable HSTS from Cloudflare.

Currently the setup is as follows:
Cloudflare CDN passing the traffic to on-premise Load Balancer, the Load Balancer virtual server is running on port 80 (HTTP), which is a non-HTTPS protocol.

My question here: if I enable HSTS at the Cloudflare level, forcing connections to be HTTPS from the client side, will that result in an error since the on-premise host is running on port 80?

Appreciate any inputs to the above situation.

Firstly, you really should encrypt traffic between Cloudflare and your origin - to do otherwise is a major security issue. Also, you’re giving visitors a false sense of security when you encrypt traffic between the browser and Cloudflare but not between Cloudflare and your origin.

HSTS is “enabled” using HTTP response headers and, optionally, by getting on the HSTS Preload List - it only applies to browsers so there shouldn’t be any issues.

Precisely what @albert said. HSTS requires HTTPS, so you’ll need to make sure your origin is working on HTTPS. You might need to implement a local HTTPS reverse proxy if you can’t implement HTTPS natively.
