Enable HSTS in Cloudflare for Stronger SSL Security

HSTS in Cloudflare

Whether you’re using shared or VPS hosting services to create a website, it’s important to have a SSL certificate for added security. But it is not enough to install a domain validated SSL. You need to ensure your web server only serves website requests with an encrypted connection. This is accomplished with a 301 redirect in your .htaccess file.

For additional security you can use HTTP Strict Transport Security (HSTS) which forces browsers to request HTTPS pages from your domain. This is typically configured within your .htaccess file. However, those using the Cloudflare content delivery network (CDN) for improved website speed can enable this with a few clicks. Below we’ll cover how to enable HSTS using Cloudflare.

Enable HSTS in Cloudflare

Cloudflare HSTS configuration options
  1. Log into Cloudflare.
  2. On the top, select Crypto.
  3. Select Enable HSTS.
  4. Read the acknowledgement to ensure you fully understand the implications of enabling HSTS. The most important thing to understand is that you must have an active SSL certificate installed for the domain at all times. Otherwise, your website will become inaccessible from your web browser until the HTTP header expires. Select Next.
  5. Select the toggle button for Enable HSTS (Strict-Transport-Security).
  6. Set the Max Age Header (max-age) which determines how long the security HTTP header should be active.
  7. Toggle Apply HSTS policy to subdomains (includeSubDomains) if desired. Do not select this if you have subdomains that aren’t publicly facing and don’t have an SSL.
  8. Select Preload if you’d like to submit your website to HSTSpreload.org for preload listing if eligible.
  9. You can enable No-Sniff Header. However, you should configure Content Security Policy (CSP) in your .htaccess file which controls what the browser can load within your website in superior ways.
  10. After you configure your preferences, press Save at the bottom.

Learn more within Cloudflare documentation. Learn how to maximize your Linux systems with our Cloud Server Product Guide.

If you don’t need cPanel, don't pay for it. Only pay for what you need with our Cloud VPS solutions

check markCentOS, Debian, or Ubuntu    check markNo bloatware    check markSSH Key management made easy

J
Jacqueem Content Writer I

Technical writer focused on cybersecurity and musicianship.

More Articles by Jacqueem

Was this article helpful? Let us know!