Worried about enabling HSTS for 1 month

A site audit from snyk.io says I really should enable HSTS.

My site uses the free Cloudflare shared SSL certificate, with the SSL/TLS encryption set to Full (Strict), and Always Use HTTPS set to On. I also have a bit in my .htaccess to redirect all traffic to the www subdomain and https. I don’t use any other subdomains other than www.

There’s a hefty warning that enabling HSTS might make my site inaccessible, and the minimum max-age is 1 month. I cannot risk my website being inaccessible for 1 month (who can??)

Is there a way to test if it’ll work without risking 1 month of business??

Thanks!


HSTS will essentially tell browsers to exclusively use HTTPS to connect to your site.

If your site loads fine on HTTPS and you do not plan to make any changes or switch back to HTTP, then you should be fine with HSTS.

But you do need to be aware that you might have connectivity issues should you switch to HTTP as browsers will insist on HTTPS, but considering you already have a pretty solid setup I’d venture to say you should be pretty safe. Again, assuming you do not plan to switch back to HTTP-only.

Thanks. I do not plan to switch back to HTTP at all, but “you should be fine” is still a bit alarming.

If anything goes wrong, those who visit the site while HSTS is ON won’t be able to see our site for 1 month. That’s terrifying. Is there a way to set it to 5 minutes for testing?

Hi,

If you run/control the origin server, you can set the HSTS header there instead of in the dashboard (so you can use any max age).

You could also use a Worker to set the HSTS header (whether you run the origin or if it’s something else like Cloudflare Pages).

You can also follow the instructions here HSTS Preload List Submission (the deployment recommendations) but DO NOT add the preload token (at least while you are testing it).

You can choose whether you want to apply it to all subdomains or not while you are testing it (this one is entirely up to you).

The instructions are good because they explain how to ramp it up in stages, rather than going to the top end and realising something broke.

Nobody wants to say “go for it”, and have you offline. The members of this Community don’t have full visibility of your setup.

In my view, if you have had Always Use HTTPS set for a long time, and don’t have any page rules set that undo that, then HSTS is safe. My default for newly registered domains is enable HSTS for the maximum duration and add them to the preload list, but it is difficult to recommend that to an existing production domain without seeing the complete setup.

If you have any :grey: webserver hostnames or have a split brain DNS, then you need to be careful.

Using a CSP Report Only policy with the block-all-mixed-content directive is a good way to collect some data if you are unsure.

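The reply above points at the hstspreload.org deployment recommendations (start with a 5-minute max-age, then a week, a month, and only then the 2-year value with the preload token) and at a CSP report-only policy with block-all-mixed-content for collecting data. The following is an added example, not code from the thread or from Cloudflare, of how such a ramp could be expressed in a Worker-style function that sets response headers. The stage names, the function names, the `/csp-report` collection path and the `headersLike.set()` shape (anything with a `set(name, value)` method, such as a `Headers` object or a `Map`) are assumptions of this example; the max-age values and the preload requirement (includeSubDomains and at least one year) follow hstspreload.org.

```javascript
// Added example: HSTS ramp-up stages and a CSP report-only policy, written
// as header-building helpers a Cloudflare Worker could call. Not the
// thread's own code; stage names and the report path are assumptions.

// Ladder from hstspreload.org's deployment recommendations.
const HSTS_STAGES = {
  test:  { maxAge: 300,      includeSubDomains: true, preload: false }, // 5 minutes
  week:  { maxAge: 604800,   includeSubDomains: true, preload: false }, // 1 week
  month: { maxAge: 2592000,  includeSubDomains: true, preload: false }, // 1 month
  final: { maxAge: 63072000, includeSubDomains: true, preload: true  }, // 2 years + preload
};

// hstspreload.org refuses submissions with max-age below one year.
const PRELOAD_MIN_MAX_AGE = 31536000;

// Build a Strict-Transport-Security value and refuse to emit the preload
// token unless the policy is actually eligible for the preload list.
function hstsValue({ maxAge, includeSubDomains = false, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new RangeError("max-age must be a non-negative integer");
  }
  if (preload && (!includeSubDomains || maxAge < PRELOAD_MIN_MAX_AGE)) {
    throw new Error("preload requires includeSubDomains and max-age >= 1 year");
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push("includeSubDomains");
  if (preload) parts.push("preload");
  return parts.join("; ");
}

// Parse a header value back into its parts (directive names are
// case-insensitive per RFC 6797), e.g. to audit what a site currently sends.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith("max-age=")) out.maxAge = Number(directive.slice(8));
    else if (directive === "includesubdomains") out.includeSubDomains = true;
    else if (directive === "preload") out.preload = true;
  }
  return out;
}

// Report-only CSP: browsers report mixed content to reportUri without
// blocking anything, which is the data-collection step the reply describes.
function cspReportOnlyValue(reportUri) {
  return `block-all-mixed-content; report-uri ${reportUri}`;
}

// Add both headers for the chosen stage to a Headers-like object.
function applyStage(headersLike, stageName, { reportUri = "/csp-report" } = {}) {
  const stage = HSTS_STAGES[stageName];
  if (!stage) throw new Error(`unknown HSTS stage: ${stageName}`);
  headersLike.set("Strict-Transport-Security", hstsValue(stage));
  headersLike.set("Content-Security-Policy-Report-Only", cspReportOnlyValue(reportUri));
  return headersLike;
}

// Stand-alone demonstration using a Map as the Headers-like object.
const demo = applyStage(new Map(), "test");
console.log([...demo.entries()]);
```

In a real Worker the same `applyStage` call would run against a copy of the origin response's `Headers` before the response is returned, with the stage name promoted only after the previous one has run without reports for its full duration.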

Not sure what you mean, but HSTS will force HTTPS and should your site not be available on HTTPS then you will certainly have an issue, but if you don’t plan to move back to HTTP, then you shouldn’t have a problem.

It’s really relatively simple. HSTS is supposed to enforce HTTPS. If you can guarantee that your site will be available on HTTPS you can enable it, otherwise stay away from it.


Also, before you enable HSTS, make sure any absolute links to external resources support being loaded over HTTPS (this is often an oversight).

As I mentioned earlier and based on your own description I’d assume it should be pretty safe to enable HSTS, but the point is you do need to be aware that your site will have to be available on HTTPS all the time.

It’s from that perspective that you should be fine but of course, if you suddenly switch back to HTTP you’ll have an issue and that’s what I have been referring to and what the underlying idea of HSTS is.

If you want to play it safe, do not enable HSTS.

Excellent tip, thanks!

Great tip! Thanks.

The only :grey: (Proxy status: DNS Only) record I have is a Type A, name “mail”. Our IMAP mail setup doesn’t work if I try to proxy that one. Would HSTS prevent our mail from connecting with that setup?

Thanks!

I mean, that’s not true, I have MX and TXT records that are also set to DNS Only

HSTS does not apply to email in the first place, so it would not influence IMAP.

It really comes down to what you plan to do with your site. Of course you can shorten the expiration period on your server-side, but then you render HSTS pointless as the whole idea is to guarantee that the site is available on HTTPS. Also, that would not be so much a Cloudflare related question at that point and rather off-topic for here. Strict-Transport-Security - HTTP | MDN will be your friend.

My two cents, and as I mentioned before, I believe you can safely enable it and there shouldn’t be any issues (HTTP links would be already an issue right now and are not HSTS related) but you seem to be rather hesitant and concerned by the HTTPS part and your site possibly breaking, which is why I would probably suggest to rather not enable it as you’ll really need to make sure HTTPS is working (in which case HSTS won’t be an issue) and if it isn’t your site will be inaccessible. And HSTS expirations of less than a month are pretty pointless and do not guarantee anything either.

Thanks! Great advice. I think I should be good to go. I’ll start with a smaller age value just for testing, but I do understand that the whole point is to have it end up being 2 years or so.

You can certainly do that and the aforementioned link has the details on the necessary header values, but generally speaking there is little point in “just testing” it. HSTS will break your site - for all instructed clients - if the site is not fully available on HTTPS. And if it is anyhow, then you won’t notice much.

Bottom line really is, is your site fully available on HTTPS? If yes, and if you plan to keep it like that, HSTS will be fine. Otherwise you might “break” your site as people will try to access it via HTTPS but might not be able to.

But yeah, if you really just want to test it you could start with a value of 3600 (an hour), in which case it would potentially break your site only for that period, but again, the issue is not so much what happens immediately. The site might perfectly load and you might switch to a year then, but reconsider in two weeks - and that would be the problem then.
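The point made above, that the problem is not the test period itself but what clients remember afterwards, follows from how browsers store an HSTS policy: the expiry is fixed at the moment each client last saw the header, the header is only honoured over HTTPS, and only a later HTTPS response with max-age=0 removes the entry. The following is an added example, not code from the thread, that models those RFC 6797 rules in a small in-memory store and plays through three situations: a one-hour test value, a one-year value followed by the header being removed, and clearing with max-age=0 over HTTP versus HTTPS. The host name, timestamps and class names are constructed for the illustration; includeSubDomains handling is left out to keep the model small.

```javascript
// Added example: a minimal model of a browser's HSTS store (RFC 6797
// section 8.1 semantics), not code from the thread. Host and times are
// constructed; includeSubDomains is intentionally not modelled.

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> expiry as milliseconds since epoch
  }

  // Called for each response. The header is ignored over plain HTTP; each
  // sighting over HTTPS replaces the stored expiry; max-age=0 deletes it.
  observe(host, headerValue, overHttps, nowMs) {
    if (!overHttps || headerValue == null) return;
    const m = /max-age=(\d+)/i.exec(headerValue);
    if (!m) return;
    const maxAge = Number(m[1]);
    if (maxAge === 0) {
      this.entries.delete(host);
      return;
    }
    this.entries.set(host, nowMs + maxAge * 1000);
  }

  // Would this browser refuse to talk plain HTTP to the host right now?
  isKnownHsts(host, nowMs) {
    const expiry = this.entries.get(host);
    if (expiry === undefined) return false;
    if (nowMs >= expiry) {
      this.entries.delete(host); // expired entries are dropped on lookup
      return false;
    }
    return true;
  }
}

const HOST = "www.example.com"; // constructed
const T0 = Date.UTC(2024, 0, 1);  // constructed reference time
const HOUR = 3600 * 1000;
const DAY = 24 * HOUR;

// A one-hour test value really does fall away after an hour.
function oneHourTest() {
  const browser = new HstsStore();
  browser.observe(HOST, "max-age=3600", true, T0);
  return {
    afterThirtyMinutes: browser.isKnownHsts(HOST, T0 + HOUR / 2),
    afterTwoHours: browser.isKnownHsts(HOST, T0 + 2 * HOUR),
  };
}

// A one-year value seen once, then the header is removed two weeks later
// and the visitor does not return in between: the client stays pinned.
function longPolicyThenRemoved() {
  const browser = new HstsStore();
  browser.observe(HOST, "max-age=31536000; includeSubDomains", true, T0);
  // Day 14: operator stops sending the header; nothing reaches this client.
  return browser.isKnownHsts(HOST, T0 + 200 * DAY);
}

// Undoing a policy needs a max-age=0 response that the client actually
// receives over HTTPS; the same header over HTTP is ignored.
function clearingRequiresHttps() {
  const browser = new HstsStore();
  browser.observe(HOST, "max-age=31536000", true, T0);
  browser.observe(HOST, "max-age=0", false, T0 + DAY); // over HTTP: ignored
  const stillPinned = browser.isKnownHsts(HOST, T0 + 2 * DAY);
  browser.observe(HOST, "max-age=0", true, T0 + 3 * DAY); // over HTTPS: cleared
  const pinnedAfterClear = browser.isKnownHsts(HOST, T0 + 4 * DAY);
  return { stillPinned, pinnedAfterClear };
}

console.log(oneHourTest(), longPolicyThenRemoved(), clearingRequiresHttps());
```

The model makes the reply's warning concrete: shortening or dropping the header later only helps clients that come back over working HTTPS; every client that last loaded the site under the long value keeps enforcing it until that expiry.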
