Will I lose "www." when enabling HSTS?

user4443 · November 20, 2019, 3:10pm

Hi all.

My website automatically redirects all requests to HTTPS. It also opens everything with www. (https://www.mydomain.com instead of https://mydomain.com).

Now I would like to enable HSTS via Cloudflare, but I’m not sure if that will kill my www., since technically it’s a subdomain of course. I don’t have any other subdomain, by the way.

My current Cloudflare settings:

I have an DNS entry “A” also for www (orange symbol)
My SSL/TLS encryption mode is Full
I use the Cloudflare Universal SSL certificate
I enabled the setting “Always Use HTTPS”
I have a page rule that forces “Always use HTTPS” for the entry http://*mydomain.com/*

So my question is:

After enabling HSTS will my site still be accessible via https://www.mydomain.com or only via https://mydomain.com?

sdayman · November 20, 2019, 2:13pm

HSTS does not disable the www (or any other) subdomain for your website. So if you enable HSTS and include subdomains, it will force www subdomain connections to use HSTS.

user4443 · November 20, 2019, 3:09pm

Thanks and sorry for that “dumb” question. I read that without the correct setting a domain could not be accessible under the www. “subdomain” after enabling HSTS.

The following message at https://hstspreload.org also made me feel uncomfortable.

grafik

So I’ll have to ask myself (and you :-)): Do I have a valid HTTPS certificate for my “WWW”-Subdomain…?

M4rt1n · November 20, 2019, 11:39pm

The point is this:

If you enable HSTS (and you enable it for like 1 month) your Domain (including all your Subdomains) once you called them and your Browser cached the HSTS Setting will not be accessable via HTTP (but just via HTTPS) for the amount of time you set it up (1 month in this example)

If you now encounter any SSL Errors your site could be inaccessable via HTTP & HTTPS (dues to SSL Errors) so your site it not accessable. Thats what this notice is warning you about.

Little trick if this happens:

clear all Browser and DNS related cache on your machine & router.
revert the setting in your CF Dashboard
Access your site/server and SOLVE the problem
then reactivate HSTS again and have fun

BTW this NEVER happend to me with CF!!! So its not just save to use but also makes accessing your site more safe as you cant call unencrypted files nor establish any unencrypted connection.

If you do have a valid SSL Cert or not I cant answer you as I do not know your Website nor have I validated it, but CF gives you valid SSL Certs so this should not be a problem.

user4443 · November 21, 2019, 7:29am

Thanks to both of you!

Very helpful.

maxh · November 22, 2019, 9:42am

If you’re currently using https://www.yoursite, then you must have a valid certificate for it. Enabling HSTS just means a client doesn’t need to try to connect over HTTP to be redirected to HTTPS; it doesn’t change how HTTPS works once it’s in use.

The concern with subdomains needing a certificate is things that don’t use HTTPS (like old-forgotten-server.yourdomain or hosted-service.yourdomain) no longer working. Probably the most common hosted service problem is Google Apps: if you have redirects set up on your domain, they don’t support HTTPS. (You can work around it, but it’s still annoying.)

In Chrome, you can use chrome://net-internals/#hsts to add your domain to your local STS list for testing. (You can also add a site to SiteSecurityServiceState.txt in Firefox, but it’s more complicated.