Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

HTTP Strict Transport Security (HSTS)

HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.

HSTS adds an HTTP header that directs compliant web browsers to:

  • Transform HTTP links to HTTPS links
  • Prevent users from bypassing SSL browser warnings

Before enabling HSTS, review the requirements.

​​ Availability

FreeProBusinessEnterprise

Availability

YesYesYesYes

​​ Requirements

In order for HSTS to work as expected, you need to:

  • Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
  • Keep HTTPS enabled so visitors can access your site

Once you enabled HSTS, avoid the following actions to ensure visitors can still access your site:

  • Changing your DNS records from Proxied to DNS only
  • Pausing Cloudflare on your site
  • Pointing your nameservers away from Cloudflare
  • Redirecting HTTPS to HTTP
  • Disabling SSL (invalid or expired certificates or certificates with mismatched hostnames)

​​ Enable HSTS

To enable HSTS using the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), select Enable HSTS.
  5. Read the dialog and select I understand.
  6. Select Next.
  7. Configure the HSTS settings.
  8. Select Save.
To enable HSTS with the API, send a PATCH request with the value object that includes your HSTS settings.

​​ Disable HSTS

To disable HSTS on your website:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), select Enable HSTS.
  5. Set the Max Age Header to 0 (Disable).
  6. If you previously enabled the No-Sniff header and want to remove it, set it to Off.
  7. Select Save.

​​ Configuration settings

NameRequiredDescriptionOptions
Enable HSTS (Strict-Transport-Security)YesServes HSTS headers to browsers for all HTTPS requests. HTTP (non-secure) requests will not contain the header.Off / On
Max Age Header (max-age)YesSpecifies duration for a browser HSTS policy and requires HTTPS on your website.Disable, or a range from 1 to 12 months
Apply HSTS policy to subdomains (includeSubDomains)NoApplies the HSTS policy from a parent domain to subdomains. Subdomains are inaccessible if they do not support HTTPS.Off / On
PreloadNoPermits browsers to automatically preload HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible.Off / On
No-Sniff HeaderNoSends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome from automatically detecting a content type other than those explicitly specified by the Content-Type header.Off / On