I’ve been working with a few clients who are using Cloudflare and working toward a full HTTPS solution, eventually including HSTS.
Unfortunately, while the HSTS options offered by Cloudflare are great for production use, deploying HSTS with Cloudflare’s shortest offered max-age (1 month) is incredibly dangerous as there is no going back. The setup UI obviously does warn of this, but warnings in advance don’t help you resolve problems after the fact; therefore there should be a 5 minute option which allows one to test whether there are any negative impacts of deploying HSTS without committing.
Obviously 5 minutes is not useful for production as it defeats the point of HSTS, but from a testing perspective it is good enough to expose issues while limiting the potential outage from any misconfiguration.
In this case, their frontend was fully HTTPS ready, but the logged-in portal that their users use had one subdomain with a self-signed certificate, and their onboarding process included setting up an exception for this subdomain. Everything was great until HSTS was switched to include subdomains, at which point the exception failed and none of their agents were able to perform any tasks at all until it was resolved.
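The pre-flight check that would have caught this, as an added example (not the poster's code or anything Cloudflare provides): it parses the Strict-Transport-Security policy you intend to deploy, verifies that every host covered by it presents a certificate the default trust store accepts, and lists the hosts that would become unreachable once the policy is cached. Hostnames such as example.com and agents.example.com are assumed placeholders.

```python
import ssl
import socket
import sys
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int             # seconds the browser will refuse plain HTTP
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    max_age, subs, preload = 0, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, subs, preload)


def cert_validates(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if `host` presents a certificate the default trust store accepts.
    A self-signed cert fails verification here exactly as it will in a browser
    once HSTS removes the click-through exception."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def affected_hosts(policy: HstsPolicy, apex: str, checks: dict) -> list:
    """Hosts covered by `policy` whose certificate check failed.
    `checks` maps hostname -> result of cert_validates(); the apex host is
    always covered, its subdomains only when includeSubDomains is set."""
    covered = [h for h in checks
               if h == apex or (policy.include_subdomains and h.endswith("." + apex))]
    return [h for h in covered if not checks[h]]


if __name__ == "__main__":
    # usage: python hsts_preflight.py example.com portal.example.com agents.example.com
    apex, *subs = sys.argv[1:]
    policy = parse_hsts("max-age=300; includeSubDomains")   # the 5-minute test policy
    results = {h: cert_validates(h) for h in [apex, *subs]}
    print("would break under HSTS:", affected_hosts(policy, apex, results))
```

Run it against the intended policy before enabling HSTS in the dashboard; any host it lists needs a trusted certificate (or must be moved off the apex) first.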