Not sure if this is a bug or intentional feature, but I’m having issues with HSTS being turned on even though HSTS was set to “Disabled”.
I had to enable it and set Max-Age: 0 (Disable) to turn it off. Only then did my http-only subdomains start functioning again.
Seems a bit silly that HSTS: Disabled actually defaults it to enabled.
Given that I have to accept a warning that tells me “If you have HSTS enabled and leave Cloudflare, you need to continue to support HTTPS through a new service provider otherwise your site will become inaccessible to visitors until you support HTTPS again.” … I’m going to assume this is a very concerning bug.