HSTS options inappropriate for testing

ssl

#1

I’ve been working with a few clients who are using Cloudflare and working toward a full HTTPS solution, eventually including HSTS.

Unfortunately while the HSTS options offered by Cloudflare are great for production use, deploying HSTS with Cloudflare’s shortest offered max-age (1 month) is incredibly dangerous as there is no going back. The setup UI obviously does warm of this, but warnings in advance don’t help you resolve problems after the fact, therefore there should be a 5 minute option which allows one to test whether there are any negative impacts of deploying HSTS without committing.

Obviously 5 minutes is not useful for production as it defeats the point of HSTS, but from a testing perspective it is good enough to expose issues while limiting the potential outage from any misconfiguration.

In this case, their frontend was fully HTTPS ready, but the logged in portal that their users use had one subdomain with a self-signed certificate and their onboarding process including setting up an exception for this subdomain. Everything was great until HSTS was switch to include subdomains, at which point the exception failed and none of their agents were able to perform any tasks at all until it was resolved.


#2

Thanks @thedaveCA for the feedback. I have filed an internal feature request and linked to your post here.


#3

Appreciated!


#4

It can be set via the API to shorter values:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/b482044166293fcb4049c211b53d0eba/settings/security_header" \
     -H "X-Auth-Email: account_email" \
     -H "X-Auth-Key: api_key" \
     -H "Content-Type: application/json" \
      --data '{"value":{"strict_transport_security":{"enabled":true,"max_age":300,"include_subdomains":true,"nosniff":true}}}'

#5

This topic was automatically closed after 14 days. New replies are no longer allowed.