How to exclude some URLs from 'Always Use HTTPS' (HSTS enabled)

I need to exclude the following URL from the use of ‘Always Use HTTPS’
http://example.com/game.php?id=xxx

This is:
http://example.com/whatever will be redirected to https://example.com/whatever

but
http://example.com/game.php?id=xxx should go to the origin server with HTTP and not HTTPS

Some years ago, I enabled HSTS in the ‘SSL/TLS Edge Certificates’ section and registered my site at https://hstspreload.org/.

Is it possible? Is as easy as creating a new Page Rule like the following?

The problem you will have is that any browser that has already reached the site will use HTTPS for however long you set HSTS for, even if you disable HTTPS at Cloudflare. That is the point of HSTS after all. You need to have HTTPS allowed for that link or connections will fail with an error in the user’s browser for anyone who has already visited.

To disable HTTPS for a particular subdomain or link, it is best to turn off “Always use HTTPS” and then set rules to redirect to HTTPS for everything else.

That will disable HTTPS at the edge and for connections to your origin, but it won’t stop the HTTPS redirects so you will also be in the position of having a non-working link.

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.