HSTS and HTTPS Issues



I had both https and HSTS turned on which was working fine but suddenly the site was inaccessible and I have now decided to turn HSTS off. I have changed the HSTS max-age to 0 (https is still on) but the site is still inaccessible.
What is the proper way to go about turning it off and getting the site back?

HSTS and Strict SSL mode, who is more brutally strict?

I tried accessing the site from a browser that had not previously accessed the site and it now doesn’t use https even though https is enabled in Cloudflare. :confused:


HSTS is s preemptive measure that tells browsers to always use HTTPS when visiting your site. The max-age tells browsers how long they should remember to do that. If max-age was set to a month and you visit the site. Your browser won’t let you use HTTP for a month unless you clear your browser’s settings (Cache, perhaps?)

HSTS is risky if your HTTPS has a chance of failing. There’s no way to tell your visitors you’ve changed your mind. They’re forced to HTTPS until that max-age expires.

So…you need to get HTTPS working, which is a good idea in any case.

In my Crypto settings, I have just about everything turned on: SSL Full (Strict), Always Use HTTPS, HSTS 12 Months, Opportunistic Encryption, and Automatic HTTPS Rewrites.

You can skip HSTS for now, but the rest will ensure your visitors use HTTPS for your site.

closed #4

This topic was automatically closed after 14 days. New replies are no longer allowed.