HTTPS Content Available via HTTP and HSTS is not set, even though HSTS is set in Cloudflare

Answer these questions to help the Community help you with Security questions.

What is the domain name? https://web.flike.app/cdn-cgi/l/email-protection

Have you searched for an answer? yes

Please share your search results url:
https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/
https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/

When you tested your domain, what were the results?
HSTS not found and HTTPS available via HTTP

Describe the issue you are having:
HSTS should be employed on the whole site and not just partly

What steps have you taken to resolve the issue?

  1. Seems like a Cloudflare issue where I cannot do anything against it

Yes, HSTS has been set for more than 9 months and it works perfectly on all websites except those special ones by Cloudflare (e.g. /cdn/l/email-protection), so all those Cloudflare websites fail the security review. If one checks the headers of those, one can see it is not set. I don't know why, though.

How to Resolve:
https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/#exclude-from-security-scanners

Exclude from security scanners

Some scanners may display an error because certain /cdn-cgi/ endpoints do not have an HSTS applied to it or for similar reasons. Because the endpoint is managed by Cloudflare, you can ignore the error and do not need to worry about it.

To prevent scanner errors, omit the /cdn-cgi/ endpoint from your security scans.

1 Like
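An added example, not part of the thread or of Cloudflare's documentation: one way to apply the exclusion in your own header audit, so that missing HSTS on origin pages is still reported while `/cdn-cgi/` URLs are skipped. The hostname `example.test`, the sample responses and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

EXCLUDED_PREFIX = "/cdn-cgi/"  # Cloudflare-managed endpoints, per the docs quoted above

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None, include_sub
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(responses):
    """responses: list of (url, status, headers). Returns (findings, skipped_urls)."""
    findings, skipped = [], []
    for url, status, headers in responses:
        parts = urlsplit(url)
        if parts.path.startswith(EXCLUDED_PREFIX):
            skipped.append(url)
            continue
        hdrs = {k.lower(): v for k, v in headers.items()}
        if parts.scheme == "http":
            # Plain HTTP should only ever answer with a redirect to HTTPS.
            location = hdrs.get("location", "")
            if not (300 <= status < 400 and location.lower().startswith("https://")):
                findings.append((url, "content served over plain HTTP"))
            continue
        max_age, _ = parse_hsts(hdrs.get("strict-transport-security", ""))
        if max_age is None:
            findings.append((url, "HSTS header missing or malformed"))
        elif max_age == 0:
            findings.append((url, "HSTS max-age=0 disables the policy"))
    return findings, skipped

# Constructed sample scan results (hostname and values are illustrative).
SAMPLE = [
    ("https://example.test/", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/login", 200, {}),
    ("http://example.test/cdn-cgi/l/email-protection", 200, {}),
    ("https://example.test/cdn-cgi/l/email-protection", 200, {}),
]
```

Calling `audit(SAMPLE)` reports only the `/login` page and lists the two `/cdn-cgi/` URLs as skipped rather than as failures.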

How can it be done to avoid the Sucuri Hardening Improvements from its free scanner sitecheck.sucuri.net?