What to do next after enabling HSTS?
Heya! I’ve enabled HSTS (1 year, with all toggles enabled). Then I’ve tried to add my website to the preload list on hstspreload.org, but I get “error: No HSTS header”.
Where do I add this header? I have a static website built with Astro.
✨🫶
20 Replies
If you enabled it, it should do the header for you. Is your site proxied in Cloudflare?
Good question, I do not know. Let me check. (I’ve just registered the domain through CF, does it mean I am using CF?)
It means you are using Cloudflare at least for DNS. If you go to DNS -> Records and the record is Proxied, it's going through CF's CDN and the HSTS header should be applied according to that setting.
Alternatively, what's your website url? Easy to see externally if proxied or not
Sure, I’ll drop it in dm, if you do not mind
Yep, the website is proxied in CF.
Also, the HSTS setting is still kinda inactive, is it supposed to be? (I am positive that I went through all the settings, it even states that I’ve changed the setting)
Yea I can see it's proxied, and no strict-transport-security header
Try again? Does it give you an error when you try to save it?
this is what it should look like
Lemme check real quick
It seems like nothing happens if I go through acknowledge > configure and click save. It just returns me to the previous screen (also the loading circle spins for a second in the background near the “enable HSTS” button, but nothing happens).
I bought the domain like 2 hours ago if that’s important
are you just going through and clicking acknowledge -> configure and then save, and not touching any of the sliders/options?
I do agree with the acknowledge information, then set a 12 month period and enable all of the toggles
that's really strange... I can't reproduce that. Are any of the sliders/settings preset when you open the menu? (ex. is Enable HSTS at the top enabled when you first open it?)
All toggles on the configure page were not, when I first opened “enable HSTS”. But in all the attempts I’ve tried after you suggested doing it again, all the toggles were enabled and the period was set to 12 months
If that’s what you’ve asked
I would try disabling enable hsts/saving and then re-enabling. If that doesn't work, could just force the header with a transform rule, not hard to do, silly though
I see the header now
It worked, but not the way we thought it would. At first I’ve tried to toggle settings off and on. That didn’t help. Then I’ve clicked “cancel” on the settings page and a new button appeared: “Enable HSTS”!
Check the screenshots
ooh you didn't see that button on top at all before
you're doing this on phone or something?
Thank you @Chaika ✨🫶
I am a happy owner of whatever benefits this setting does now☺️
Yep!
That did not appear at all
The “proof screenshot” got cut, but there is no enable HSTS toggle on it
sorry should have been more precise about the buttons lol
Nah, I’ve checked dozens of articles, glad I’ve asked here. Thank you so much for instant response☺️
The main idea is to prevent downgrade attacks, just with the HTTP header alone: once the browser sees it, it will refuse to fall back to HTTP (plaintext/insecure) and cache that setting, HTTPS forever. If you put your site into hstspreload, your site will become hard-coded inside of Chrome and Firefox, and browsers will always connect straight over HTTPS and refuse to downgrade.
Some entire TLDs like dev have it enabled (no .dev site can be http, at least via browsers)
Good to know! Hope this thread will be indexed and will help others
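As an added example that is not part of this thread (my own code, not Cloudflare's or hstspreload.org's tooling): a small Python checker that looks at a response's headers for Strict-Transport-Security and reports what would keep the site out of the preload list, which is the kind of "No HSTS header" result the thread ran into. The minimum max-age, includeSubDomains and preload checks follow hstspreload.org's published submission requirements; SAMPLES are constructed responses, and check_url is an assumed helper that fetches a site's HTTPS headers with urllib.

```python
import urllib.request

ONE_YEAR = 31536000  # smallest max-age (seconds) hstspreload.org accepts


def parse_sts(value: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive; flags like preload map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def preload_problems(headers: dict) -> list:
    """Return reasons the HSTS header would be rejected for preloading.
    An empty list means the header itself meets the requirements."""
    sts = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["No HSTS header"]  # the error the thread started with
    d = parse_sts(sts)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def check_url(url: str) -> list:
    """Assumed helper: fetch the HTTPS response headers and check them."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return preload_problems(dict(resp.headers))


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "no-header": {"content-type": "text/html"},
    "one-year-only": {"Strict-Transport-Security": "max-age=31536000"},
    "ready": {"Strict-Transport-Security":
              "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, preload_problems(hdrs) or ["ok"])
```

Run check_url against the https:// form of the site; if the record is proxied, the header you see there comes from Cloudflare's edge, otherwise from the origin serving the Astro build.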