HSTS is enabled even though it's turned off?

Not sure if this is a bug or intentional feature, but I’m having issues with HSTS being turned on even though HSTS was set to “Disabled”.

I had to enable it and set Max-Age: 0 (Disable) to turn it off. Only then did my http-only subdomains start functioning again.

Seems a bit silly that HSTS: Disabled actually defaults it to enabled.

Given that I have to accept a warning that tells me “If you have HSTS enabled and leave Cloudflare, you need to continue to support HTTPS through a new service provider otherwise your site will become inaccessible to visitors until you support HTTPS again.” … I’m going to assume this is a very concerning bug.

I resolved it by doing this:

2022-02-07 04_55_21

I guess my point is HSTS really should not be enabled without warning.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.