Recommended HSTS options proposal

HSTS max-age header options in the Cloudflare panel go from 0 to 12 months, with a recommended time of 6 months.

This was correct in the previous HSTS preload list requirements, but it got recently changed to a minimum of 1 year, with a recommendation of 2 years.

I think it makes sense to set the recommended time to 12 months and add the option of 2 years (the recommended time for the HSTS Preload list), or at least disable the Preload option when the max-age is set with less than 12 months, since the Preload list will reject the site when the user tries to add it.

2 Likes

Indeed, recommending 6 months when enabling the preload option does not make sense.

I can confirm that the HSTS preload list submission form at https://hstspreload.org/ does not work with a 6 months max-age and does work with a 1 year max-age.

1 Like

And while we’re on the topic, add a reasonable value for testing
purposes. Something in the 5 minute range, so that if a site fails
completely in some fashion there is a path backwards until the problem
is resolved.

2 Likes

Sorry for not addressing this sooner. At the time the page was created that was accurate, and I believe we (and our users) are grandfathered in at the older options, but I’ve submitted a request to have it updated to reflect current industry recommendations.

4 Likes

From https://hstspreload.org/ (Google’s submission form to be included in its HSTS preload list, from which Mozilla and Microsoft get hostnames for their own preload lists) -

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

The formal limit has been raised by Google and is being recognized as valid by the above listed browser vendors. I’d like to see Cloudflare implement the option of raising the limit within its dash to two years from one, giving users more flexibility & allowing for the implementation of the latest HSTS guidelines. Thank-you.

Merged to similar product request to keep discussion together and avoid splitting any votes:

3 Likes

While I am with you, I’d like to add that Cloudflare respects existing HSTS settings.


@MarkMeyer So, theoretically, if one uses a HSTS header via Workers, it should work?

Sure.
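To make the thread's two points concrete (the hstspreload.org header requirements discussed above, and setting the header from a Worker), here is an added example. It is not Cloudflare's code and not code from anyone in this thread. It encodes the header-level rules stated in the thread and on hstspreload.org: a max-age of at least one year (31536000 seconds, two years recommended), plus the includeSubDomains and preload directives. The function names (buildHsts, parseHsts, preloadProblems, applyHsts) and the six-month sample value are assumptions made for the example.

```javascript
// Added example, not Cloudflare's code: build, parse and preload-check
// Strict-Transport-Security header values, plus the step a Worker performs
// when it sets the header on an outgoing response.

const ONE_YEAR = 31536000;   // hstspreload.org minimum max-age, in seconds
const TWO_YEARS = 63072000;  // value hstspreload.org recommends (see the thread)

// Build a header value from options (hypothetical helper).
function buildHsts({ maxAge = TWO_YEARS, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new Error('max-age must be a non-negative integer number of seconds');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Parse a header value into { maxAge, includeSubDomains, preload }.
// Directive names are case-insensitive (RFC 6797); unknown directives are
// ignored; a missing or malformed max-age is reported as NaN/null.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of String(value).split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      result.maxAge = (val !== null && /^\d+$/.test(val)) ? Number(val) : NaN;
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  return result;
}

// Reasons a header value would fail the preload form's header checks
// (empty array means the header itself is acceptable). Only the header-level
// rules are checked here; hstspreload.org also tests the live site's TLS and
// redirect behaviour, which a string check cannot reproduce.
function preloadProblems(value) {
  const h = parseHsts(value);
  const problems = [];
  if (h.maxAge === null || Number.isNaN(h.maxAge)) {
    problems.push('max-age missing or malformed');
  } else if (h.maxAge < ONE_YEAR) {
    problems.push(`max-age ${h.maxAge} is below the 1-year minimum of ${ONE_YEAR}`);
  }
  if (!h.includeSubDomains) problems.push('includeSubDomains directive missing');
  if (!h.preload) problems.push('preload directive missing');
  return problems;
}

// The step a Worker would take on the way out: set the header on the
// response's Headers object. Anything with a .set(name, value) method works,
// e.g. the headers of `new Response(orig.body, orig)` inside a Worker.
function applyHsts(headers, options) {
  headers.set('Strict-Transport-Security', buildHsts(options));
  return headers;
}

// Constructed sample: the dashboard's 6-month setting (assumed 180 days)
// versus the value quoted from hstspreload.org earlier in the thread.
const SIX_MONTHS = 180 * 24 * 3600;
const dashboardValue = buildHsts({ maxAge: SIX_MONTHS, includeSubDomains: true, preload: true });
console.log(dashboardValue, '->', preloadProblems(dashboardValue));
console.log('max-age=63072000; includeSubDomains; preload', '->',
  preloadProblems('max-age=63072000; includeSubDomains; preload'));
```

Running it shows the six-month value rejected for max-age alone, while the two-year value from the thread passes the header checks. The parser is deliberately lenient about case and quoting because browsers are, so the check reflects what the preload form would actually see.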