HSTS and Strict SSL mode, who is more brutally strict?

ssl

#1

Now that I have turned on both HSTS and Flexible SSL, I wandered around the community and bumped into this

Here it is clearly stated that if SSL goes down HSTS will make the site down.

The problem is I’m relying on the SSL cloudflare provided. I have not installed the cloudflare SSL on my origin. Actually there is no SSL installed on my origin.

Currently I’m only turning on the two functions of SSL auto rewrites and always use SSL on my panel

Do I have to be worried? To be prepared for a rainy day do I have to switch to the FULL STRICT SSL Mode and turn off HSTS, or leave it as it is?

I absolutely love the cloudflare SSL by the way. I have no intention to turn it off under no circumstances


#2

If you have SSL set to any of flexible, full or full strict you’re relying on a Cloudflare SSL cert. I’m personally happy to apply HSTS and trust them to renew on time etc. After all it’s a cornerstone of their business. Only problem you’d have is if you went ‘grey cloud’ and didn’t have a cert on your server. You’d have to rush to get one online if you had an HSTS policy cached on any user browser.


#3

Full Strict SSL mode and HSTS are not really related directly.

Full (Strict) SSL controls the connection from Cloudflare to your origin server. Full requires that your server have HTTPS although the certificate may not be signed, may match another domain or similar. Full (Strict) goes a step further and tells Cloudflare to validate that the certificate is trusted by a public signing authority (or you use the Origin Certificate which Cloudflare will generate free).

This one you can test safely as you can change the setting in Cloudflare for an (almost) immediate result.

HSTS is more similar to Always use HTTPS which will Redirect all requests with scheme “http” to “https”. HSTS is an instruction to the browser that says “And remember this, change all HTTP requests to HTTPS for the next ‘x’”, where x is the length of time you set. This applies to the browser, so with Cloudflare in the picture this only influences the connection from the browser to Cloudflare.

However, if you were to turn off Cloudflare then this controls how browsers talk to your server, browsers will completely refuse to use a http:// connection and will replace it with the https:// version. This can be a problem if you don’t have a proper certificate on your origin as users will get a https certificate warning (which they cannot ignore/skip) or connection warning.

I wouldn’t turn on HSTS unless you really know what you are doing and are confident that you will continue using Cloudflare OR are confident that you know how to configure your origin server to use https if needed.


#4

No. Along the way there is almost no case where I need to resort to the grey cloud. Literally, over my dead body. Thanks for that insight though


#5

yeah I am more than confident that I will count on cloudflare for everything. Thanks I got it


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.