HSTS - Max Age Header

Hello, I want to enable HSTS for my domain.
What is the meaning of:
Enable HSTS - On
Max Age Header - 0 (disabled)

The problem is that we have a couple of subdomains which lead to OUTSIDE systems which we do not control, and they may not have HTTPS. And we want to test what will happen if we enable HSTS.

HSTS has an “Include Subdomain” option. You will have to make sure to NOT enable that feature.

Max Age Header is how long a browser will remember to use HTTPS for that site. I suggest you start at the lowest setting in case something goes wrong. Then slowly increase it as your confidence builds that it’s not causing any problems.


Hello, I know about “Include Subdomain”, but the main reason to want to enable HSTS is one of our subdomains.
How can I choose less than 1 month? This is the minimum on the drop-down menu.

If I enable HSTS, include subdomain, and set the Max-Age Header to 0, does this mean that if I disable HSTS later there will be no need to wait for the Max-Age Header to expire, since it was 0?

Best regards

Then this won’t work. At Cloudflare it’s either HSTS for the main domain, or HSTS for the main domain and ALL subdomains.

You’d have to include that header at the subdomain itself on your server.

To clarify this, using the Cloudflare configuration, it is all :orange: hostnames within the domain. The includeSubdomains option is in addition to that, and would cover any matching :grey: names also.

In general, enabling HSTS in Cloudflare is relatively safe, but if you have any hostnames within the domain without SSL available, then the includeSubdomains and Preload directives should not be enabled.

Setting max-age=0 tells browsers to forget previous HSTS settings that they have learned for that domain. It is a special value to disable HSTS for domains where it was previously enabled, and is really a break-glass value.

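The max-age, includeSubDomains and max-age=0 behaviour described in the answers above, as an added example that is not part of this thread or of Cloudflare's code: a small model of a browser's HSTS cache following RFC 6797, which shows why an includeSubDomains entry on the apex pulls an uncontrolled subdomain into HTTPS-only mode and how max-age=0 clears the entry. Host names and the 30-day value are constructed for the example.

```python
"""Model of a browser's HSTS cache (RFC 6797). Added example; the class
names are assumptions, not any real browser's or Cloudflare's code."""
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) when the entry lapses
    include_subdomains: bool   # set when the header carried includeSubDomains

def parse_sts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None if max-age is missing or bad."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None   # max-age is REQUIRED; a browser ignores the header without it
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

class HstsCache:
    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: str, now: float) -> None:
        """Apply an STS header received over HTTPS from `host` at time `now`."""
        parsed = parse_sts(header)
        if parsed is None:
            return
        if parsed["max_age"] == 0:
            self.entries.pop(host, None)   # the break-glass value: forget this host
            return
        self.entries[host] = HstsEntry(now + parsed["max_age"],
                                       parsed["include_subdomains"])

    def must_use_https(self, host: str, now: float) -> bool:
        """True if an unexpired entry for `host` or a covering parent forces HTTPS."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:   # parent only counts with the flag
                return True
        return False

if __name__ == "__main__":
    cache = HstsCache()   # constructed scenario: 30 days with includeSubDomains
    cache.observe("example.com", "max-age=2592000; includeSubDomains", now=0)
    print(cache.must_use_https("partner.example.com", now=10))   # True
```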
