If I turn on the HSTS, can I turn it off later, without any consequences? Every 3 months I need to get an HTTPS SSL certificate and for this I need Cloudflare to make a direct connection to my site. Bypass the cloud (icon) in the settings so that I can upload the verification file to the root directory and then get SSL.
Can something hinder HSTS from this process?
If you’re talking about a Let’s Encrypt renewal, I’m 99% sure LE doesn’t care about HSTS. But if you’re doing it through a host’s weird renewal process, which is what this sounds like, I’ve included that 1% chance of failure.
When I receive a new certificate, I need to make a direct connection to the server with my (hosting) so that I can upload the file for verification. HSTS VIT can then be disabled as it was originally? How long will it take?
I recommend, if you are using Let’s Encrypt with Cloudflare, that you use the dns-01 method. This is very easy using clients like https://acme.sh, which have built-in support for the CF API.
Using dns-01 you can create certs for any hostname even if there is no public web server, and you can leave HSTS and Always Use HTTPS enabled all the time. Let’s Encrypt will look for a DNS record which the acme.sh client will have created, and the .well-known file is not needed at all.
Am I confused at all? If I disconnect from HSTS in Cloudflare on the penalty of tools, will it still work? acme.sh I don’t understand at all; I tried but nothing happened. The one way out I have is to use the file in the root directory to create a certificate!
You don’t need to use HSTS, and perhaps shouldn’t. (Some people here will disagree, of course). If you have Always use HTTPS turned on, and your server is protected from connections not coming from Cloudflare, you don’t need to bother turning on HSTS, imo.
@help4 asked about “any consequences”. Once you implement HSTS, it will be at least a small hassle to remove it in order to configure a new subdomain as the OP mentioned.
If we think about it, anyone who’s smart enough to play an MIM attack will surely have at their disposal that first visit where HSTS is not yet implemented. A “first visit” that can be made many times, as any hacker will have capabilities to keep on trying with a new virtual browser each time. Unless we are talking about preloading, which would make the small hassle a HUGE hassle.
We all (well, most of us, I believe) had bad experiences with SSL at one time or another. Free certs expiring without notice, mismatch notices coming apparently out of nowhere, etc. Adding HSTS will not make it easier. Besides dealing with SSL issues per se, you’d be facing other consequences if the solution is not fast enough, such as a Google penalty for the website being unavailable, and even worse, the visitors’ penalty for that same reason.
So my reasoning is this: if you have to ask about HSTS, its consequences etc, just don’t do it.
While it is frustrating that the auto-renewing certificate can fail renewal, there’s an expiration date on the certificate that you could periodically look at and/or use a service which will let you know if it expires soon. If it’s expiring within 7 days, feel free to contact support and they can expedite the next certificate order.
I use HSTS with includeSubDomains and preload also. The major advantage is that no request will be served over HTTP, but always HTTPS for my domain. Second, there is a performance benefit in the real browser.
The HTTP to HTTPS redirect happens quickly at the browser level, whereas without HSTS it goes to the server.
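The “how long will it take?” question above and the includeSubDomains/preload post are both answered by the Strict-Transport-Security header itself, so here is an added example (not code from the thread or from Cloudflare) that parses that header per RFC 6797, reports how long a browser will keep enforcing HTTPS, checks the hstspreload.org submission requirements, and shows the `max-age=0` value used to withdraw a cached policy; the sample header strings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# hstspreload.org requires max-age of at least one year, includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser keeps forcing HTTPS after last seeing the header
    include_subdomains: bool  # policy also applies to every subdomain
    preload: bool             # site opts in to the browser-built-in preload lists


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; return None if max-age is missing or invalid."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        value = value.strip().strip('"')      # RFC 6797 allows a quoted max-age value
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def days_remembered(policy: HstsPolicy) -> int:
    """Whole days a browser that saw this header will refuse plain HTTP to the host."""
    return policy.max_age // 86400


def preload_eligible(policy: HstsPolicy) -> bool:
    """True if the header meets the preload list's minimum requirements."""
    return policy.max_age >= PRELOAD_MIN_MAX_AGE and policy.include_subdomains and policy.preload


def removal_header() -> str:
    """Value to serve over HTTPS to make browsers drop a cached (non-preloaded) policy."""
    return "max-age=0"
```

Turning HSTS off in Cloudflare only stops sending the header; browsers that already cached it keep enforcing HTTPS until `max_age` runs out unless they see `max-age=0`, and a preloaded domain additionally has to be removed from the browser lists, which takes months.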
Just Nothing! SSL is free; we can easily achieve it using Cloudflare or Let’s Encrypt (FYI: it supports HTTP verification, no need to doubt!). Still, there shouldn’t be any excuse for SSL.
Okay, I see… What if you accidentally land on an HSTS page and are unable to access it in some case?
There is a way: type “badidea” in your browser. Visit the page… now you can access it. Enjoy!
I doubt Googlebot will ever type “badidea” on its browser… As for performance, most browsers cache redirects anyway. I wouldn’t trade a few ms in TTFB for the prospect of having to momentarily stay out of my site’s admin area on a bad day, with possible undesirable search engine effects.
I understand that now I need to get an SSL certificate before it is closed, so that I can safely provide verification files on the server? The second way to twist. I can make a TXT record; does Let’s Encrypt now support it for verification?