I think it makes sense to set the recommended time to 12 months and add the option of 2 years (the recommended time for the HSTS Preload list), or at least disable the Preload option when the max-age is set with less then 12 months, since the Preload list will reject the site when the user tries to add it.
Indeed, recommending 6 months when enabling the preload option does not make sense.
I can confirm that the HSTS preload list submission form at https://hstspreload.org/ does not work with a 6 months max-age and does work with a 1 year max-age.
And while we’re on the topic, add a reasonable value for testing
purposes. Something in the 5 minute range, so that if a site fails
completely in some fashion there is a path backwards until the problem
is resolved.
Sorry for not addressing this sooner. At the time the page was created that was accurate, and I believe we (and our users) are grandfathered in at the older options, but I’ve submitted a request to have it updated to reflect current industry recommendations.
From https://hstspreload.org/ (Google’s submission form to be included in its HSTS preload list, from which Mozilla and Microsoft get hostnames for their own preload lists) -
The formal limit has been raised by Google and is being recognized as valid by the above listed browser vendors. I’d like to see Cloudflare implement the option of raising the limit within its dash to two years from one, giving users more flexibility & allowing for the implementation of the latest HSTS guidelines. Thank-you.
