HSTS Max Age Changing

Hello, I just opened the HSTS setting from the CloudFlare panel. However, I chose the max-age value as 6 months. But according to the https://hstspreload.org/ site, the max-age should be 12 months. That’s why I updated the max-age value to 12 months from the HSTS settings. Will this cause any problems? Does it get stuck on caching or does it fix it instantly?

I’m pretty sure that it works the same way as the opposite direction: A browser will “cache” that HSTS status for X number of months and won’t check again until that time is up. So if you’ve set it for 6 months, browsers who visited your site won’t check again for 6 months, and then will know it’s HSTS for another 12 months.

2 Likes

Browsers will update the timer every time they see the HSTS header. This is how you can use max-age=0 if you plan to disable HSTS, any regular visitors will see the knockout value, and disable HSTS.

For the purposes of Preload, caching is not relevant. HSTS Preload checks your site when you submit, and previous values don’t matter. They say they will remove you if you later become non-compliant, but I don’t know if that happens. Preload should be considered a permanent change, and approached with caution.

Ideally, Cloudflare should set the max-age to 2 years if you select preload, in line with the current recommendation.

That’s interesting. So someone who set it to 12 months and phase out by dropping it down to 1 before shutting it off?

I thought 6 months was the “magic number”, but Cloudflare’s max is 12. Or…was 12 the magic number and Cloudflare used to let you set it to 24? Whatever it was, I always set it to max, which for now is 12 months.

Perhaps it’s because 12 months is the minimum requirement for preload submission, and Cloudflare just decided to provide 12 months as the maximum value.

3 Likes

I had a ticket some years ago about this. The HSTS Preload recommendation was 12 months, but they allowed less. Now they recommend 24 months, but allow 12. Cloudflare have always had a max of 12, and a recommendation of 6. I think it should align with the HSTS recommendation, but have a lock that if you do set preload, it goes to 24 months. Right now, you can set preload with 6 months or less, which has no meaning.

You need to drop to zero. Otherwise it is still being pushed out by a month for regular visitors, and being unavailable over HTTPS is fatal for returning visitors.

Doesn’t 0 mean no header? Dashboard says 0 is “Disable”, so I figured it wouldn’t send a header and…a browser won’t update if it doesn’t see the header?

Have not tested the dashboard, but in the specification there is a difference between max-age=0 and no header.

https://datatracker.ietf.org/doc/html/rfc6797#section-6.1.1
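The two behaviours the replies above describe (a browser resets its HSTS timer on every sighting of the header, and `max-age=0` is a knockout value that is different from sending no header at all) can be checked against a small model of a browser's Known HSTS Host cache. The following is an added example written for this thread, not code from Cloudflare or from any browser; it implements the parsing rules of RFC 6797 section 6.1 and the update rules of section 8.1 in Python, and also checks the hstspreload.org submission requirements (max-age of at least one year, `includeSubDomains`, `preload`). The hostname, timestamps and the "6 months" / "12 months" header values are constructed sample inputs.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

ONE_YEAR = 31536000          # seconds; minimum max-age accepted by hstspreload.org
SIX_MONTHS = 15552000        # constructed: 180 days, roughly Cloudflare's "6 months" option


@dataclass
class HstsEntry:
    expires_at: int          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns None when the header is invalid (no max-age, a duplicate
    max-age, or a non-numeric value); a browser ignores such a header."""
    max_age = None
    flags = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        else:
            flags.add(name)
    if max_age is None:
        return None
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in flags,
        "preload": "preload" in flags,
    }


class HstsStore:
    """Minimal model of a browser's Known HSTS Host cache."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: Optional[str], now: int) -> None:
        """Process one HTTPS response from `host` received at time `now`.

        RFC 6797 section 8.1: every sighting of a valid header resets the
        timer to now + max-age, max-age=0 removes the host from the cache,
        and a response with no header leaves the cache untouched."""
        if header is None:
            return                              # silence is not a knockout
        parsed = parse_sts(header)
        if parsed is None:
            return                              # malformed header is ignored
        if parsed["max_age"] == 0:
            self.hosts.pop(host, None)          # explicit knockout value
            return
        self.hosts[host] = HstsEntry(now + parsed["max_age"],
                                     parsed["include_subdomains"])

    def is_known(self, host: str, now: int) -> bool:
        """True while the cached policy for `host` has not yet expired."""
        entry = self.hosts.get(host)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self.hosts[host]                # lazily expire stale entries
            return False
        return True


def meets_preload_requirements(header: str) -> bool:
    """Static check of the hstspreload.org submission rules for one header value."""
    p = parse_sts(header)
    return (p is not None and p["max_age"] >= ONE_YEAR
            and p["include_subdomains"] and p["preload"])


def simulate_raise_from_six_to_twelve_months(host: str = "example.invalid") -> int:
    """Constructed scenario from the thread: a visitor first sees a 6-month
    policy, then returns 100 seconds later and sees the 12-month policy.
    Returns the resulting expiry time, showing the timer was simply reset."""
    store = HstsStore()
    store.observe(host, f"max-age={SIX_MONTHS}", now=0)
    store.observe(host, f"max-age={ONE_YEAR}", now=100)
    return store.hosts[host].expires_at       # 100 + ONE_YEAR == 31536100


if __name__ == "__main__":
    print("expiry after raising max-age:", simulate_raise_from_six_to_twelve_months())
    print("6-month header passes preload check:",
          meets_preload_requirements(f"max-age={SIX_MONTHS}; includeSubDomains; preload"))
```

Raising max-age therefore does not "get stuck": the next visit that sees the new header simply restarts the countdown from that moment. Conversely, when winding HSTS down, only an explicit `max-age=0` clears a returning visitor's cached policy; dropping the header entirely leaves whatever timer they already hold running.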

3 Likes
