Enable HSTS on Cloudflare in One Toggle
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to connect to your site only over HTTPS. Once a browser has seen it, a user who types http:// or clicks an old http:// link is upgraded inside the browser, before any request leaves their machine. It's one of the most common checks default deployments fail, and on Cloudflare it's a toggle, not code.
Turn it on
- In the Cloudflare dashboard, pick your domain.
- Go to SSL/TLS → Edge Certificates.
- Find HTTP Strict Transport Security (HSTS) and click Enable HSTS.
- Set Max-Age to 6 months or 12 months, and turn on Apply HSTS to subdomains (only if every subdomain already serves HTTPS: once it's on, browsers refuse to load any subdomain that is still HTTP-only for as long as the max-age lasts).
Should you enable preload?
The Preload option submits your domain to a list browsers ship with, so HTTPS is enforced even on a user's very first visit. It's powerful but hard to reverse — only enable it once you're confident HTTPS is permanent across your whole domain.
Verify it worked
Reload your site over https://, open DevTools → Network → the document request → Headers, and look for strict-transport-security in the response headers (browsers only honour it on HTTPS responses, so an http:// load proves nothing). Or run a LaunchPal scan: the security headers check will now pass for HSTS.
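If you want to check the header from a script rather than by eye, the following is an added example (not LaunchPal's scanner and not Cloudflare's code). It parses a Strict-Transport-Security value the way RFC 6797 describes and flags the states the steps above are meant to avoid: a missing header, a missing or zero max-age, a short max-age, no includeSubDomains, preload set without its prerequisites, and two layers (edge and origin) both sending the header. The sample responses are constructed; the 6-month threshold of 15552000 seconds is an assumption about what Cloudflare's "6 months" option sends; the preload bar (max-age of at least 31536000 plus includeSubDomains) is the hstspreload.org submission requirement.

```python
"""Check a Strict-Transport-Security header the way a browser reads it (RFC 6797)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds. SIX_MONTHS is assumed to be what Cloudflare's "6 months" option sends;
# PRELOAD_MIN_MAX_AGE is the hstspreload.org submission minimum (one year).
SIX_MONTHS = 15552000
PRELOAD_MIN_MAX_AGE = 31536000

Headers = List[Tuple[str, str]]  # response headers as (name, value) pairs


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list of one header value.

    Directive names are case-insensitive and unknown directives are ignored;
    max-age may be bare or quoted (RFC 6797 section 6.1).
    """
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {raw!r}")
            policy.max_age = int(raw)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def check_hsts(headers: Headers, min_max_age: int = SIX_MONTHS) -> List[str]:
    """Return findings for a response; an empty list means the policy looks right."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["missing: no strict-transport-security header in the response"]
    findings = []
    if len(values) > 1:
        # Two layers (e.g. Cloudflare and the origin) each sending HSTS: browsers
        # process only the first field (RFC 6797 section 8.1); the other is ignored.
        findings.append(f"warning: {len(values)} HSTS headers present; only the first is used")
    try:
        policy = parse_hsts(values[0])
    except ValueError as err:
        return [f"invalid: {err}"]
    if policy.max_age is None:
        return findings + ["invalid: max-age is required, browsers ignore the header without it"]
    if policy.max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif policy.max_age < min_max_age:
        findings.append(f"weak: max-age={policy.max_age} is below {min_max_age} seconds")
    if not policy.include_subdomains:
        findings.append("info: includeSubDomains not set, subdomains stay unprotected")
    if policy.preload and (policy.max_age < PRELOAD_MIN_MAX_AGE or not policy.include_subdomains):
        findings.append("preload-not-ready: preload needs max-age >= 31536000 and includeSubDomains")
    return findings


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "cloudflare 12 months + subdomains + preload": [
        ("content-type", "text/html"),
        ("strict-transport-security", "max-age=31536000; includeSubDomains; preload"),
    ],
    "no hsts": [("content-type", "text/html")],
    "edge and origin both set it": [
        ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
        ("Strict-Transport-Security", "max-age=300"),
    ],
    "preload without the prerequisites": [
        ("strict-transport-security", "max-age=15552000; preload"),
    ],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {check_hsts(headers) or ['ok']}")
```

To run it against a live site, feed `check_hsts` the `(name, value)` pairs from whatever HTTP client you use, taken from the https:// response; the "edge and origin" sample shows why a duplicated header is worth a warning even when both values look reasonable.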
FAQ
Will HSTS slow my site down?
No. It's a single response header. If anything it's slightly faster, because browsers skip the HTTP-to-HTTPS redirect on later visits.
I use Cloudflare in front of Vercel — where do I set HSTS?
Either works, but setting it at Cloudflare (the edge users hit first) is simplest. Just don't set conflicting values in both places: if both layers add the header, browsers process only the first one in the response, so the other's max-age silently loses.
LaunchPal provides launch readiness checks, not a professional penetration test.