Fix HSTS on Cloudflare

Cloudflare has a built-in HSTS toggle that is easier and more reliable than a Transform Rule. Use it instead of manually setting the Strict-Transport-Security header.

Step 1 — Enable HSTS in Cloudflare

Dashboard → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → Enable HSTS:

  Status: Enabled
  max-age: 12 months (31536000 seconds)
  Apply to subdomains: Enable (only if ALL subdomains support HTTPS)
  Preload: Enable (only after verifying requirements below)
  No-Sniff: Enable (adds X-Content-Type-Options: nosniff)

Step 2 — Ramp up safely

Do not enable everything at once. Follow this order:

  1. Enable HSTS with max-age=300 (5 minutes) and verify HTTPS works on all pages
  2. Increase to max-age=86400 (1 day) — monitor for issues
  3. Enable includeSubDomains — only after testing ALL subdomains over HTTPS
  4. Increase to max-age=31536000 (1 year)
  5. Enable preload — submit at hstspreload.org

Alternative — Transform Rule (more control)

If you need the HSTS header only on specific paths or want to set it alongside other headers:

  Rules → Transform Rules → Modify Response Header → Create Rule
  When: All incoming requests (or custom filter)
  Then — Set static: Strict-Transport-Security → max-age=31536000; includeSubDomains; preload

Verify your HSTS header

  curl -sI https://yoursite.com | grep -i strict
  # Should show: strict-transport-security: max-age=31536000; includeSubDomains
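To check more than the header's presence, here is an added Python example (not Cloudflare's tooling or the original guide's code) that pulls the Strict-Transport-Security value out of a saved curl -sI dump, parses its directives, and lists what would still block a preload submission. The response headers in SAMPLE_HEADERS are constructed and show a site at stage 2 of the ramp-up above.

```python
# Parse the Strict-Transport-Security header out of a `curl -sI` dump and check it
# against the preload checks (max-age >= 1 year, includeSubDomains, preload). Added example.
import re

ONE_YEAR = 31536000  # where the guide's ramp-up ends; also the preload minimum

# Constructed headers, shaped like `curl -sI https://yoursite.com` output (stage 2 of the ramp-up).
SAMPLE_HEADERS = """HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=86400; includeSubDomains
server: cloudflare
"""

def hsts_value(raw_headers: str):
    """Return the STS header value (header names are case-insensitive), or None if absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None

def parse_hsts(value: str) -> dict:
    """Split the value into directives per RFC 6797: ';'-separated, names case-insensitive."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "problems": []}
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "max-age":
            policy["problems"].append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        else:
            policy["problems"].append(f"unknown directive: {name}")
    if policy["max_age"] is None:
        policy["problems"].append("max-age directive is required")
    return policy

def preload_blockers(value: str) -> list:
    """Reasons the header would fail the preload header checks; an empty list means it passes."""
    policy = parse_hsts(value)
    checks = [
        (policy["max_age"] is not None and policy["max_age"] >= ONE_YEAR, f"max-age must be at least {ONE_YEAR}"),
        (policy["include_subdomains"], "includeSubDomains is missing"),
        (policy["preload"], "preload directive is missing"),
    ]
    return policy["problems"] + [msg for ok, msg in checks if not ok]
```

Run it against `curl -sI https://yoursite.com` output after each ramp-up step; an empty list from preload_blockers means the header itself is ready for hstspreload.org, which additionally checks the redirect chain and certificate.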

Preload requirements checklist

Check your HSTS preload status with the HSTS Preload Checker.