Remove HSTS header, redirect to WWW, and make HTTPS work

I turned off HSTS but when I look at my headers I still get this:
HTTP/1.1 200 OK
Date: Fri, 21 Dec 2018 16:23:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dca2eb6b9276566909cde14d008116b711545409423; expires=Sat, 21-Dec-19 16:23:43 GMT; path=/;; HttpOnly
X-Dns-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Sun, 09 Dec 2018 17:07:51 GMT
Via: 1.1 vegur
Server: Cloudflare
CF-RAY: 48cbb1e342d7559a-ORD

I wonder why it’s there if I’ve turned it off. But I really wouldn’t mind if HTTPS was working. I set it up with a heroku server and no matter what I do it says something like HTTPS is not supported for this setting.

Before getting crazy with HTTPS however, I want to know how I can get my heroku app to always redirect to www. Here’s what my current setting looks like:

What am I doing wrong? I left all these 13 days ago hoping whatever cache would be busted by now

It could be set at your origin server. Try this with your server’s IP address (all in one line):

curl -svo /dev/null --resolve

@sdayman Is that curl command supposed to clear my dns cache to remove the HSTS header?

It’s to check your origin server for HSTS headers.
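As an added example, not part of the thread or of any Cloudflare tooling: the point of fetching from the origin with `--resolve` (curl's `host:port:address` form, which pins the hostname to the origin IP while keeping the Host header and SNI intact) is to get a second header dump to compare with the one posted above. The function below decodes the Strict-Transport-Security header from such a dump so the two can be compared and the header attributed to the edge or the origin. The sample dump is a constructed, trimmed copy of the headers posted above; note that the `X-Dns-Prefetch-Control`, `X-Download-Options` and `X-Xss-Protection` headers in that dump are the defaults of the Express helmet middleware, which also emits exactly `max-age=15552000; includeSubDomains` (180 days), so the origin app is the likely source of the header.

```javascript
// Added example, not from the thread: decode the Strict-Transport-Security
// header out of a raw header dump, so a dump taken through Cloudflare can be
// compared with one taken straight from the origin. SAMPLE_EDGE_HEADERS is a
// constructed, trimmed copy of the headers posted above.
const SAMPLE_EDGE_HEADERS = `HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Dns-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
Via: 1.1 vegur
Server: Cloudflare`;

// Parse "Name: value" lines into a Map keyed by lowercase name. Lines as printed
// by curl -v are accepted: the "< " response-header prefix is dropped, "*" info
// and ">" request lines are ignored, and repeated headers are joined with ", ".
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    if (/^[*>]/.test(line)) continue;
    const cleaned = line.replace(/^<\s?/, '').trim();
    const colon = cleaned.indexOf(':');
    if (colon <= 0 || /^HTTP\//i.test(cleaned)) continue; // status line or junk
    const name = cleaned.slice(0, colon).trim().toLowerCase();
    const value = cleaned.slice(colon + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Decode the HSTS directives (RFC 6797: max-age is required, includeSubDomains
// and preload are optional flags, names are case-insensitive, values may be quoted).
function parseHsts(raw) {
  const value = parseHeaders(raw).get('strict-transport-security');
  if (value === undefined) return { present: false };
  const hsts = { present: true, maxAge: null, maxAgeDays: null, includeSubDomains: false, preload: false };
  for (const directive of value.split(';')) {
    const [name, rawVal] = directive.split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age' && rawVal !== undefined) {
      hsts.maxAge = parseInt(rawVal.trim().replace(/"/g, ''), 10);
      hsts.maxAgeDays = Math.round(hsts.maxAge / 86400);
    } else if (key === 'includesubdomains') {
      hsts.includeSubDomains = true;
    } else if (key === 'preload') {
      hsts.preload = true;
    }
  }
  return hsts;
}

// Attribute the header: if the origin dump already carries it, removing it is a
// change to the app, not to the Cloudflare HSTS setting.
function hstsSource(edgeRaw, originRaw) {
  if (parseHsts(originRaw).present) return 'origin';
  if (parseHsts(edgeRaw).present) return 'edge';
  return 'none';
}
```

Feed `parseHsts` the text of each dump; if `hstsSource(edgeDump, originDump)` returns `'origin'`, toggling HSTS in the Cloudflare dashboard cannot remove the header, and browsers that have already seen it will keep forcing HTTPS for the site until `maxAge` expires or a `max-age=0` header is served to them.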

Here’s what I got from that:

* Added to DNS cache
* Hostname was found in DNS cache
*   Trying

You didn’t replace with the IP of your server, so you’re not getting anywhere.

You just made the Chinese Unicom sad :smile: :wink:

I got the same result with my server IP address. I expected to get something better as feedback.

If you get the exact same result (stuck at “TCP_NODELAY” set) that would mean that you’re unable to connect to your server at all… if the server is up, that would mean that you’re firewalled out?

Perhaps the server is behind some NAT and you’re attempting within the NAT? If that’s what you do, then you need to use the internal IP of the server, not the public facing one…

I’d forgo the HSTS header issue for a bit. Can I get some tips on how to get redirection to www working? Or how to make the enforced HTTPS work?

Right now, both www and the naked domain work over HTTP.

If I try to reach them with HTTPS, it redirects HTTP…and still works.

To get the naked domain redirected to the www, add a page rule:
Match: * and add a Setting for Forwarding URL (Code 301) to $1

Note that I redirect to HTTP. If you switch over to HTTPS, then change that forwarding url to https.

Thank you @sdayman . Now to tackle my HTTPS problem, I turned it on again as Full Strict. Visiting this URL , I get a 525 Error that the SSL configuration used is not compatible with Cloudflare. What can be done to fix that? What I noticed, however, is that the HTTP version uses HTTP/1.1 while the HTTPS version uses HTTP/2

I’d have to see the TLS certificate on the origin server (does it even have one?) to see what the problem is. It sounds like Cloudflare doesn’t like whatever it is. Have you tried using the Full (not strict) setting?

There’s no cert from the origin server. I just switched to Flexible because it works. Full gives the same error. I’d suppose Flexible means it should proceed whether or not there’s TLS cert from origin server. I’m using heroku and I don’t think it offers certs for free. I’ll have to purchase it I guess

Can I just keep it at flexible and turn on Always use HTTPS?

Without a certificate on your server you’ll have to use Flexible…but it would sure be nice if you were able to install a cert on the server.

Stick with Flexible, and turn on Always Use HTTPS…and Automatic HTTPS Rewrites.

Thank you so much for all your help!!


You can use Full mode (or even Full(strict) mode last I checked) with Heroku on Cloudflare w/ any plan. Here’s what you need to do:
• Point CNAME [orange-cloud]
• Go to Crypto --> Origin Certificates --> Create Certificate (keep the default settings). These are free
Keep the module with the Public and Private Key open.
• Go to your Heroku app --> Settings --> Configure SSL --> Paste Contents:

[Screenshots: frank-io · Settings | Heroku, 2018-12-24]
• Finally, go into Cloudflare Workers (perhaps you don’t need to do this anymore, I’m not sure) and add this snippet:
addEventListener('fetch', event => event.respondWith(handle(event.request)))

async function handle(request) {
  let url = new URL(request.url)
  url.hostname = ''  // the Heroku app hostname goes here (omitted in the original post)
  // forward the same method, headers and body to the Heroku origin
  return fetch(url.toString(), request)
}

… and set the route to *
• Turn on Always Use HTTPS

Voila! Full mode means that the Origin Server needs to have an SSL certificate served. That certificate can be self-signed, from Let’s Encrypt, or, for optimal performance and security, directly from Cloudflare!
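The following is an added example, not the poster's, Cloudflare's or Heroku's code: one Worker that does the naked-domain-to-www redirect from the page rule given earlier in the thread (plus the http-to-https redirect that Always Use HTTPS performs) and then forwards the request to the Heroku app as the snippet above does. The hostnames `example.com`, `www.example.com` and `my-app.herokuapp.com` are assumptions for illustration. It rewrites the origin URL to `https://`, which is what Full mode needs: with Flexible, the Cloudflare-to-Heroku leg is plain HTTP even though the browser sees a padlock, and a Cloudflare Origin CA certificate on Heroku (trusted by Cloudflare, not by browsers, which is fine because browsers only ever talk to Cloudflare) is what makes Full (strict) succeed.

```javascript
// Added example, not the poster's or Cloudflare's code: a Worker that combines the
// apex -> www page-rule redirect with the Heroku proxy from the reply above.
// All hostnames are assumptions for illustration.
const SITE_APEX = 'example.com';            // assumed zone (naked domain)
const CANONICAL_HOST = 'www.' + SITE_APEX;   // host the page rule forwards to
const ORIGIN_HOST = 'my-app.herokuapp.com';  // assumed Heroku app hostname

// URL a request must be 301'd to, or null when it already is canonical.
// Equivalent to the page rule "example.com/* -> https://www.example.com/$1"
// combined with Always Use HTTPS (http -> https on the canonical host).
function redirectTarget(requestUrl) {
  const url = new URL(requestUrl);
  let changed = false;
  if (url.hostname === SITE_APEX) {
    url.hostname = CANONICAL_HOST;
    changed = true;
  }
  if (url.protocol === 'http:') {
    url.protocol = 'https:';
    changed = true;
  }
  return changed ? url.toString() : null;
}

// Public URL rewritten to the Heroku origin, path and query untouched.
// Full mode: Cloudflare talks TLS to Heroku, which serves the Origin CA cert.
function originUrl(requestUrl) {
  const url = new URL(requestUrl);
  url.hostname = ORIGIN_HOST;
  url.protocol = 'https:';
  return url.toString();
}

async function handle(request) {
  const target = redirectTarget(request.url);
  if (target !== null) {
    return Response.redirect(target, 301);
  }
  // Same method, headers and body; only the host changes. The Host header sent
  // to Heroku is derived from the new URL, which is how Heroku routes to the app.
  return fetch(originUrl(request.url), request);
}

// Only the Workers runtime has addEventListener; guarded so the file also
// loads under Node for testing.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => event.respondWith(handle(event.request)));
}
```

Deploy it on a route covering both the apex and www hosts; the redirect branch answers apex and plain-HTTP requests itself, and only canonical HTTPS requests reach Heroku.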


@franklin this is really useful and helpful information but I can’t configure SSL yet on Heroku because I’m not using a paid dyno. I’m still on the free dyno because my app is at alpha and I’m not willing to put money into it yet. I believe your answer will remain valid for me to reference when I do make an upgrade on heroku. Then I’ll try to change from Flexible to Full HTTPS
