Recommended HSTS options proposal


#1

HSTS max-age header options in the Cloudflare panel go from 0 to 12 months, with a recommended time of 6 months.

This was correct in the previous HSTS preload list requirements, but it got recently changed to a minimum of 1 year, with a recommendation of 2 years.

I think it makes sense to set the recommended time to 12 months and add the option of 2 years (the recommended time for the HSTS Preload list), or at least disable the Preload option when the max-age is set to less than 12 months, since the Preload list will reject the site when the user tries to add it.


#2

Indeed, recommending 6 months when enabling the preload option does not make sense.

I can confirm that the HSTS preload list submission form at https://hstspreload.org/ does not work with a 6-month max-age and does work with a 1-year max-age.


#3

And while we’re on the topic, add a reasonable value for testing purposes. Something in the 5 minute range, so that if a site fails completely in some fashion there is a path backwards until the problem is resolved.


#4

Sorry for not addressing this sooner. At the time the page was created that was accurate, and I believe we (and our users) are grandfathered in at the older options, but I’ve submitted a request to have it updated to reflect current industry recommendations.