HSTS and new subdomains?

I always wanted to make use of this feature:
HTTP Strict Transport Security (HSTS)

Launched it recently. It's working on my homepage.

I've set a dummy subdomain for test purposes. It had no SSL.

And the subdomain stopped working when I added HSTS.

Note: the subdomain wasn't added to Cloudflare.

I added it now, but it doesn't fix anything.

I get this error on test subdomain:

How can I make use of HSTS in the case of new subdomains? Should I add the subdomain to Cloudflare first, and then create it? Or should I turn off HSTS, then add the subdomain to CF and create it as well, and then enable HSTS?

If you want to make use of CF, the entire zone needs to be managed by Cloudflare. As far as I understood, the sub worked well and after adding it to CF it stopped working? Where was the DNS record set?

The error indicates that there is no DNS record set for your subdomain.

1 Like

No, it stopped working after enabling HSTS while the subdomain had no HTTPS.

If I understand HSTS well, then I simply have to add the subdomain to Cloudflare (and SSL) before entering it in the browser? Otherwise it will cache HSTS headers on a subdomain without SSL, which will block me from entering my subdomain.

I am not quite sure if the following is a web server configuration:

Cloudflare supports the “includeSubDomains” parameter in HSTS headers. This parameter applies the HSTS policy from a parent domain (such as example.com) to subdomains (such as www.development.example.com or api.example.com). Caution is encouraged with this header, as if any subdomains do not work with HTTPS they will become inaccessible.

Also I think that HSTS will generally not work on domains with no active SSL.
Cache is only applied when a page was accessed once with SSL and active HSTS.

I myself have HSTS disabled here.
I’ve checked my page with Qualys and, according to the report, HSTS is still available, and I’ve seen my configured max-age, which is much higher than the recommended setting.

1 Like
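
The caching behaviour discussed in this thread, as an added example that is not part of the original posts: a minimal Python model of how a browser records and matches HSTS policies under RFC 6797, including the includeSubDomains match against parent domains. The class name `HstsStore`, its methods and the example.com hosts are constructed for illustration.

```python
class HstsStore:
    """Minimal model of a browser's HSTS cache (RFC 6797 host matching)."""

    def __init__(self):
        self.policies = {}  # host -> (expiry_seconds, include_subdomains)

    def note_response(self, host, scheme, header, now):
        """Process a Strict-Transport-Security header; True if it was honoured."""
        if scheme != "https" or not header:
            return False  # a header received over plain HTTP is ignored
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age":
                if not value.isdigit():
                    return False  # malformed max-age: ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is a required directive
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 deletes the cached policy
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def must_use_https(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True  # exact match, or a parent covering subdomains
        return False


if __name__ == "__main__":
    store = HstsStore()
    # Constructed scenario: the apex is visited over HTTPS with includeSubDomains.
    store.note_response("example.com", "https",
                        "max-age=31536000; includeSubDomains", now=0)
    # A subdomain without a certificate is now forced to HTTPS and will fail.
    print(store.must_use_https("test.example.com", now=60))  # True
```

The policy stays cached in each browser that saw it until max-age runs out or the same host serves `max-age=0` over HTTPS, so a new subdomain needs a working certificate before such a browser can load it.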
