Traffic Served over TLS - How Do I Read This?

Hello all,

Attached is the current dialog about traffic server over TLS for the last 24 hours. I am noticing alot of non secure traffic. How do I interpret this? There shouldn’t be any since I am setup for Full-Strict access. Does this mean I have a hole in my security posture?


Full Strict is the right mode, but it’s still not a guarantee that no HTTP requests can reach Cloudflare.

In this case, it will have been most likely either robots which accessed your site on HTTP or regular browsers which simply connected via HTTP as well.

In either case there should have been an HTTPS redirect (make sure Always Use HTTPS is enabled) and you can additionally enable HSTS, to ensure that regular visitors always use HTTPS to begin with.

Just one thing to keep in mind, if you enable HSTS and ever plan to move your site to HTTP, you’ll have issues as previous visitors will insist on HTTPS.

So no, if you are on Full Strict and have Always Use HTTPS enabled, then you do not have any security issue.

So if I disabled the max age for HSTS then even if the HTTP request was cached by a browser or bot it should not allow the connection correct? I do have Always Use HTTPS enabled.

HSTS won’t change something per se about HTTP, it will simply tell browsers to use HTTPS only. You can still receive HTTP requests.

But based on what you explained, your setup should be secure.

If you ever plan to stop using HTTPS you would leave a HSTS header in place with a max-age=0. Don’t just remove the header.

max-age=0 is a special “knock-out” value that will tell returning visitors to remove their cached HSTS configuration for your domain. Whatever your previous max-age HSTS setting was is the amount of time you need to ensure HTTPS is still available and returning the max-age=0 value. This could be a long time, so don’t use HSTS unless you are relatively sure it is permanent. The guidance is to increase max-age gradually.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.