Selectively enable/disable HSTS on a subdomain basis

I’d like to enable HSTS for my website. All my major services/subdomains only use https, so enabling HSTS for these services would be no issue.

I still host a couple of old services that are served through Cloudflare (orange cloud). They have a flexible SSL setting, just because some old clients don’t use https… also the served content is trivial, so several years ago, we decided it’s alright to serve both https and http.

Now I wonder what would happen if I enable HSTS?
How would the Including Subdomains with HSTS setting influence this behavior? Will the subdomains that are served through Cloudflare still work via http?

This doesn’t mean you don’t have access to it via HTTPS nor the other way around; it simply changes the way Cloudflare connects to your origin, which is completely separate from your HSTS settings. If you have HTTP-only subdomains that are only working under HTTP (why not enable HTTPS?) even if users support HTTPS, then enable HSTS without the include subdomains option; otherwise do it including it with a low expiration and test it.

Ah sorry if I used the wrong wording here :slight_smile:. I meant that some subdomains are accessible via http and https and should remain accessible via http.

HTTPS is enabled, and many clients use https, but there are still clients that use http and might not be upgraded. The endpoint is not only used by browsers but might be used in existing scripts and other implementations that might not follow redirects. The problem is that it’s a public endpoint, I don’t know who is using it.

Yes, I think this is part of the question. If I enable HSTS without include subdomains, will this only enable HSTS for the website example.com that is served through Cloudflare, or will it also enable HSTS for the website sub.example.com that is served through Cloudflare? Especially since the include subdomains option is nothing Cloudflare specific, but part of the HSTS specification, and could simply mean that when accessing sub.example.com all subdomains of this domain are also expected to use HSTS, and does not describe special handling by Cloudflare.

If you have some subdomains accessible by non-HTTPS, do what I do, set HSTS at web server origin level and not Cloudflare level. That way you can do HSTS per hostname/subdomain where some sub domains get HSTS enabled with include subdomains, main domain.com can set HSTS without include subdomains etc.

2 Likes

I believe that HSTS applies only on HTTPS, so if you connect via HTTP, even if it is sent, it won’t be considered by the browser. That would force HTTPS clients to keep it and leave the ability to have HTTP for others. Note also that usually CLI tools don’t care about that header; only browsers do.

1 Like
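To make the includeSubDomains question and the answer above concrete, here is a constructed model of how a client keeps HSTS state following RFC 6797 (an added example, not code from this thread, from Cloudflare, or from any browser): a policy is only recorded when the header arrives over HTTPS, and a policy set on example.com only covers sub.example.com if includeSubDomains was sent. The hostnames are the ones used in the thread; the current time is passed in as a parameter to keep the model deterministic.

```python
# Constructed model of a browser's HSTS cache following RFC 6797; added as an
# illustration, not code from Cloudflare, any browser, or this thread.

def parse_hsts(header):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value, or None."""
    max_age, include = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include = True
    return None if max_age is None else (max_age, include)

class HstsCache:
    """host -> (expiry_time, include_subdomains); `now` is passed in to keep it deterministic."""

    def __init__(self):
        self.entries = {}

    def observe(self, host, over_tls, header, now):
        """Record a policy from a response. Headers seen over plain HTTP are ignored (RFC 6797 s8.1)."""
        if not over_tls or header is None:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)      # max-age=0 asks the client to forget the host
        else:
            self.entries[host] = (now + max_age, include)
        return True

    def must_upgrade(self, host, now):
        """True if the client would rewrite http://host to https:// before connecting."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            expiry, include = self.entries.get(".".join(labels[i:]), (0, False))
            if expiry <= now:
                continue
            # an exact match always applies; a parent domain only with includeSubDomains
            if i == 0 or include:
                return True
        return False
```

Running the cache through the thread's scenario shows that a policy on example.com without includeSubDomains leaves http://sub.example.com untouched, while the same header with includeSubDomains upgrades every host below it; a script that only ever talks plain HTTP never populates the cache at all, which is why such clients keep working.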
