
Enable HSTS on Cloudflare in One Toggle


HSTS (HTTP Strict Transport Security) tells browsers to only ever connect to your site over HTTPS — so even a user who types http:// or clicks an old link is upgraded before any data leaves their machine. It's one of the most common checks default deployments fail, and on Cloudflare it's a toggle, not code.

Turn it on

  1. In the Cloudflare dashboard, pick your domain.
  2. Go to SSL/TLS → Edge Certificates.
  3. Find HTTP Strict Transport Security (HSTS) and click Enable HSTS.
  4. Set Max-Age to 6 months or 12 months, and turn on Apply HSTS to subdomains (if all subdomains use HTTPS).

Should you enable preload?

The Preload option submits your domain to a list browsers ship with, so HTTPS is enforced even on a user's very first visit. It's powerful but hard to reverse — only enable it once you're confident HTTPS is permanent across your whole domain.

Verify it worked

Reload your site, open DevTools → Network → the document request → Headers, and look for strict-transport-security in the response. Or run a LaunchPal scan — the security headers check will now pass for HSTS.

FAQ

Will HSTS slow my site down?

No. It's a single response header. If anything it's slightly faster, because browsers skip the HTTP-to-HTTPS redirect on later visits.

I use Cloudflare in front of Vercel — where do I set HSTS?

Either works, but setting it at Cloudflare (the edge users hit first) is simplest. Just don't set conflicting max-age values in both places.
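As an added example (not LaunchPal's or Cloudflare's own code), here is a small Python checker that does what the DevTools step and this FAQ answer describe by hand: it parses the strict-transport-security value(s) on a response, flags a max-age below the 6-month setting, flags conflicting values from two layers such as Cloudflare and an origin, and flags a preload directive the browser preload list would reject. The second counts used for 6 and 12 months are this example's assumptions, and the header values in the checks are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# 6 months (180 days) and 12 months (365 days), the two Max-Age values the guide
# recommends; the exact second counts are an assumption, not read from Cloudflare.
SIX_MONTHS = 180 * 24 * 3600   # 15552000
ONE_YEAR = 365 * 24 * 3600     # 31536000, also the minimum the browser preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security value; None if max-age is missing or malformed."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')  # RFC 6797 allows a quoted value
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(header_values: List[str]) -> List[str]:
    """Findings for the HSTS header(s) on one response; an empty list means it passes."""
    if not header_values:
        return ["no strict-transport-security header: HSTS is not enabled"]
    policies = [parse_hsts(v) for v in header_values]
    if any(p is None for p in policies):
        return ["malformed strict-transport-security header (max-age missing or not a number)"]
    findings = []
    if len({p.max_age for p in policies}) > 1:
        findings.append("conflicting max-age values (e.g. set at both Cloudflare and the origin)")
    policy = policies[0]  # RFC 6797: browsers process only the first STS header field
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy; HSTS is effectively off")
    elif policy.max_age < SIX_MONTHS:
        findings.append(f"max-age {policy.max_age}s is below 6 months ({SIX_MONTHS}s)")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload set, but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings
```

Feed it the value(s) copied from the DevTools Headers pane; an empty result means the header is present and consistent with the settings above.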

LaunchPal provides launch readiness checks, not a professional penetration test.