If I turn on the HSTS, can I turn it off later, without any consequences?


#1

Greetings Happy holidays!

If I turn on the HSTS, can I turn it off later, without any consequences? Every 3 months I need to get an HTTPS SSL certificate and for this I need CloudFlare to make a direct connection to my site. Bypass the cloud (icon) in the settings so that I can upload the verification file to the root directory and then get SSL.
Can something hinder HSTS from this process?


#2

If you’re talking about a Let’s Encrypt renewal, I’m 99% sure LE doesn’t care about HSTS. But if you’re doing it through a host’s weird renewal process, which is what this sounds like, I’ve included that 1% chance of failure.

You should ask your host about this.


#3

When I receive a new certificate, I need to make a direct connection to the server with my (hosting) so that I can upload the file for verification. HSTS VIT can then be disabled as it was originally? How long will it take?


#4

HSTS is just a response header. With a duration parameter. As soon as you disable it at Cloudflare, that header stops being sent.

However…browsers “remember” to use HTTPS for the duration set by the header. Again, you’ll have to contact your host to find out how the mechanism works and if it cares about HSTS.


#5

OK I understood


#6

HSTS has potential consequences.

If you continue to host the domain on Cloudflare and orange cloud the relevant hostnames, then you are generally OK.

HSTS does two things in modern browsers.

  1. Makes the browser only access your site over HTTPS, even if you deliberately ask for a HTTP url.
  2. Makes the browser require a valid certificate. Modern browsers do not allow you to bypass cert errors within the HSTS max-age lifetime.

Once you turn HSTS off, you need to ensure that you continue to have a valid certificate for all relevant hostnames for at least as long as the HSTS max-age.

This may apply to subDomains if you set that option in your HSTS header. This will be all hostnames if you set HSTS on the root domain, even if those subDomains are only using CF for DNS (grey cloud).

If you set HSTS preload, and the domain was added to the preload lists (by you or somebody else) then you will have to ask for it’s removal, and a very long time to wait.


#7

I recommend if you are using Let’s Encrypt with Cloudflare that you use the dns-01 method. This is very easy using clients like https://acme.sh, which have built in support for the CF API

Using dns-01 you can create certs for any hostname even if there is no public web server, and you can leave HSTS, and Always use HTTPS enabled all the time. Let’s Encrypt will look for a DNS record which the acme.sh client will have created, and the .well-known file is not needed at all.


#8

Am I confused at all? If I disconnect from HSTS in CloudFlare on the penalty of tools, will it still work? acme.sh I don’t understand at all, I tried but nothing happened. I have one way out is to use the file in the root directory to create a certificate!


#9

You don’t need to use HSTS, and perhaps shouldn’t. (Some people here will disagree, of course). If you have Always use HTTPS turned on, and your server is protected from connections not coming from Cloudflare, you don’t need to bother turning on HSTS, imo.


#10

Technically the advantage of HSTS is the protection against man-in-the-middle attacks.


#11

Indeed. Rewrite is great but HSTS is hardwired.


#12

Sure, I got it. No one wants a MIM attack.

@help4 asked about “any consequences”. Once you implement HSTS, it will be at least a small hassle to remove it in order to config a new subdomain as the OP mentioned.

If we think about it, anyone who’s smart enough to play an MIM attack will surely have at their disposal that first visit where HSTS is not yet implemented. A “first visit” that can be made many times, as any hacker will have capabilities to keep on trying with a new virtual browser each time. Unless we are talking about preloading, which would make the small hassle a HUGE hassle.

We all (well, most of us, I believe) had bad experiences with SSL at one time or another. Free certs expiring without notice, mismatch notices coming apparently out of nowhere etc. Adding HSTS will not make it easier. Besides dealing with SSL issues per se, you’d be facing other consequences if the solution is not fast enough, such as a Google penalty for website being unavailable, and even worse, the visitor’s penalty for that same reason.

So my reasoning is this: if you have to ask about HSTS, its consequences etc, just don’t do it.


#13

While it is frustrating that the auto-renewing certificate can fail renewal, there’s an expiration date on the certificate that you could periodically look at and/or use a service which will let you know if it expires soon. If it’s expiring within 7 days, feel free to contact support and they can expedite the next certificate order.


#14

Absolutely, my point simply was that HSTS does more than just redirect. It is a different level of security.

Partially agree, though that very often applies IMHO. If you have to ask about server administration, just dont do it and yet the Internet is full of server administrators :wink:


#15

I use HSTS with includesubdomains and preload also. The major advantage is no request will be served in the HTTP, but always HTTPS for my domain. Second, there is a benefit of performance in the real browser.

image

HTTP to HTTPS redirect happens quickly at browser level. Where, without HSTS it goes to server.

consequences?

Just Nothing! SSL is free, we can easily achieve using Cloudflare or Let’s Encrypt (FYI: It support HTTP verificaiton, no need to doubt!). Still, there shouldn’t be any excuse for SSL.

Okay, I see… What if you accidently land to HSTS page and unable to access in some case?

There is a way type “badidea” :stuck_out_tongue: in your browser. Visit the page… now you can access. Enjoy!


#16

I doubt Googlebot will ever type “badidea” on its browser… As for performance, most browsers cache redirects anyway. I wouldn’t trade a few ms in TTFB for the prospect of having to momentarily stay out of my site’s admin area on a bad day, with possible undesirable search engine effects.


#17

I understand that now I need to get an SSL certificate before it is closed, so that I can safely provide verification files on the server? The second way to twist. I can make a TXT record, now Letsencrypt supports it for verification?


closed #18

This topic was automatically closed after 30 days. New replies are no longer allowed.