Cloudflare Docs

HTTP Strict Transport Security (HSTS)

HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.

HSTS adds an HTTP header that directs compliant web browsers to:

  • Transform HTTP links to HTTPS links
  • Prevent users from bypassing SSL browser warnings

Before enabling HSTS, review the requirements below.

In order for HSTS to work as expected, you need to:

  • Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
  • Keep HTTPS enabled so visitors can access your site

Once you have enabled HSTS, avoid the following actions to ensure visitors can still access your site:

Enable HSTS

To enable HSTS for your website:

  1. Log in to the Cloudflare dashboard and select your account.

  2. Select your website.

  3. Go to SSL/TLS > Edge Certificates.

  4. For HTTP Strict Transport Security (HSTS), click Enable HSTS.

  5. Read the dialog and click I understand.

  6. Click Next.

  7. Configure the HSTS settings (described under Configuration settings below).

  8. Click Save.

Disable HSTS

To disable HSTS on your website:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your website.
  3. Go to SSL/TLS > Edge Certificates.
  4. For HTTP Strict Transport Security (HSTS), click Enable HSTS.
  5. Set the Max Age Header to 0 (Disable).
  6. If you previously enabled the No-Sniff header and want to remove it, set it to Off.
  7. Click Save.

Configuration settings

Enable HSTS (Strict-Transport-Security)
  Required: Yes
  Description: Serves HSTS headers to browsers for all HTTPS requests.
  Options: Off / On

Max Age Header (max-age)
  Required: Yes
  Description: Specifies the duration of a browser's HSTS policy and requires HTTPS on your website.
  Options: Disable, or a range from 1 to 12 months

Apply HSTS policy to subdomains (includeSubDomains)
  Required: No
  Description: Applies the HSTS policy from a parent domain to its subdomains. Subdomains become inaccessible if they do not support HTTPS.
  Options: Off / On

Preload
  Required: No
  Description: Permits browsers to automatically preload the HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible.
  Options: Off / On

No-Sniff Header
  Required: No
  Description: Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome from automatically detecting a content type other than the one explicitly specified by the Content-Type header.
  Options: Off / On
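The settings above map directly onto the directives of the Strict-Transport-Security header, and the Disable procedure works by sending max-age=0 rather than by dropping the header. The following Python is an added example, not Cloudflare's code: it builds the headers an edge would emit for a given set of dashboard settings, parses a received header the way RFC 6797 tells browsers to (a missing or non-numeric max-age, or a repeated directive, means the header is ignored), and reports what a compliant browser does with it. The conversion of "months" to seconds (1/12 of a 365-day year), the HstsSettings class, and the sample header values are assumptions constructed for the example; the preload-eligibility rule (at least one year, includeSubDomains and preload) is the hstspreload.org submission requirement, not something stated on this page.

```python
"""Build and interpret HSTS headers from the dashboard settings above.

Added example (not Cloudflare's code). Assumptions: a "month" in the
Max Age setting is 1/12 of a 365-day year; the preload-eligibility rule
comes from the hstspreload.org submission requirements, not this page;
all header values used here are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SECONDS_PER_MONTH = 365 * 24 * 60 * 60 // 12  # assumption: 2,628,000 s
ONE_YEAR = 365 * 24 * 60 * 60                  # 31,536,000 s


@dataclass
class HstsSettings:
    """Mirrors the dashboard options; max_age_months=0 is 'Disable'."""
    enabled: bool = True
    max_age_months: int = 6
    include_subdomains: bool = False
    preload: bool = False
    no_sniff: bool = False


def build_headers(s: HstsSettings) -> Dict[str, str]:
    """Response headers an edge would emit on HTTPS for these settings."""
    headers: Dict[str, str] = {}
    if not s.enabled:
        return headers
    directives = [f"max-age={s.max_age_months * SECONDS_PER_MONTH}"]
    if s.include_subdomains:
        directives.append("includeSubDomains")
    if s.preload:
        directives.append("preload")
    headers["Strict-Transport-Security"] = "; ".join(directives)
    if s.no_sniff:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value as RFC 6797 requires.

    Returns None when a browser would ignore the header: missing or
    non-numeric max-age, or a directive given more than once. Unknown
    directives are ignored; directive names are case-insensitive.
    """
    policy: Dict[str, object] = {"max_age": None,
                                 "include_subdomains": False,
                                 "preload": False}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:          # duplicate directive: whole header invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def browser_effect(value: str) -> str:
    """What a compliant browser does on receiving this header over HTTPS."""
    policy = parse_hsts(value)
    if policy is None:
        return "ignored"      # malformed: cached policy, if any, is unchanged
    if policy["max_age"] == 0:
        return "deleted"      # the dashboard's 'Disable' setting
    scope = "host+subdomains" if policy["include_subdomains"] else "host"
    return f"enforced({scope},{policy['max_age']}s)"


def preload_eligible(value: str) -> bool:
    """hstspreload.org requires >= 1 year, includeSubDomains and preload."""
    policy = parse_hsts(value)
    return (policy is not None
            and int(policy["max_age"]) >= ONE_YEAR
            and bool(policy["include_subdomains"])
            and bool(policy["preload"]))


if __name__ == "__main__":
    # Constructed sample settings: a full 12-month preload-style policy
    # and the Disable configuration from the page's second procedure.
    for s in (HstsSettings(max_age_months=12, include_subdomains=True, preload=True),
              HstsSettings(max_age_months=0, no_sniff=True)):
        h = build_headers(s)
        sts = h["Strict-Transport-Security"]
        print(h, "->", browser_effect(sts), "preload-eligible:", preload_eligible(sts))
```

The "deleted" case is why the Disable procedure sets Max Age to 0 instead of switching the header off: a browser that already cached a policy keeps enforcing it until max-age expires, and only an explicit max-age=0 clears it early. The eligibility check also shows why the page's warning about Preload matters: once a domain is on the preload list, no header change can take it back out quickly, so every host under it must keep serving HTTPS.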