Should I enable HSTS Preload even if Always Use HTTPS is already on?

Should I enable “HSTS Preload” even if “Always Use HTTPS” is already on? Shouldn’t “Always Use HTTPS” already protect all requests, including the first one?

By enabling HSTS, browsers should contact your site over HTTPS to begin with, avoiding the possibility of a third party hijacking a possible first HTTP-only request (which would then be redirected).

So, if you are absolutely certain that you don't need your site to run on HTTP in the foreseeable future, you can enable HSTS. That is because, once on HSTS, the record has to expire before the browser allows HTTP again, and that can take some time.

Thank you @sandro for your prompt reply. Yes, I'm sure that I don't need HTTP; I have both "Always Use HTTPS" and "HSTS" enabled. Sorry, maybe I don't completely understand how HSTS works. I'm trying to comprehend whether it is useful to enable the "preload" of the HSTS even if "Always Use HTTPS" is on. The "preload" should avoid the possibility of a third party hijacking the first request. "Always Use HTTPS" forces all traffic to be protected on HTTPS, so shouldn't it already include the first request? Or better, is it useful to enable the "preload" even if "Always Use HTTPS" is already on?

If you select “preload” your site should end up at https://hstspreload.org/ which will essentially tell browsers to not even try HTTP.

“Always use HTTPS” is just a basic HTTPS redirect for HTTP requests. If you can safely ignore HTTP, you should check “preload”.

Thanks, now I've got it. I didn't notice before that "Always use HTTPS" is essentially a redirect. Anyway, since my web listener and firewall allow only HTTPS traffic, I think I'm already safe even with preload off. This should be enough.

Not necessarily. What you are referring to is the connection between Cloudflare and your origin. Preload, however, refers to the first leg of the connection, between the user and the proxies.

Even if you don't support HTTP, if you don't have preload enabled, a browser might send an HTTP request, which could then, in theory, be intercepted.

Right, you have been completely exhaustive. More safety, fewer problems. I will proceed by enabling the preload and registering my site on the hstspreload list. Thank you so much.