How to fix "HSTS max-age too short" on Cloudflare (CDN/proxy used with any platform)

Increase your HSTS max-age to at least 31536000 seconds (one year) so that browsers keep enforcing HTTPS-only connections long after a visit ends, instead of forgetting the rule within minutes.

Steps for Cloudflare (CDN/proxy used with any platform)

  1. Log in to Cloudflare → select your domain.
  2. Go to SSL/TLS → Edge Certificates.
  3. Scroll to 'HTTP Strict Transport Security (HSTS)' and click 'Enable HSTS'.
  4. In the dialog, set Max Age Header to '12 months (31536000)', toggle 'Include Subdomains' on only if every subdomain (www, api, mail, staging, ...) is already served over HTTPS, then click Save. With the toggle on, a browser that has seen the header will refuse plain-HTTP connections to any subdomain, so an HTTP-only subdomain becomes unreachable until the policy expires.
  5. Note: Do NOT enable 'Preload' until you have verified that your entire domain and all subdomains are permanently on HTTPS. The toggle adds the preload directive, which is a prerequisite for submitting the domain to hstspreload.org; removal from the preload list takes a long time, and browsers that already ship the list keep enforcing it until they update.
  6. Verify with securityheaders.com or your browser's developer tools. Cloudflare adds the header only to responses it proxies (DNS records with the orange cloud) and browsers only honour HSTS on HTTPS responses, so keep 'Always Use HTTPS' enabled as well. The HTTPS response should now carry:
     Strict-Transport-Security: max-age=31536000; includeSubDomains
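The following Python script is an added example for the verification step; it is not Cloudflare's code or part of the original page. It parses a Strict-Transport-Security value the way RFC 6797 describes (case-insensitive directive names, an integer max-age, valueless includeSubDomains and preload, a repeated directive invalidating the header) and reports whether the policy meets the one-year floor. The sample header values, the `fetch_hsts` helper and the finding texts are the example's own; the samples are constructed, so the checks run offline, while `fetch_hsts` needs network access to check a live site.

```python
"""Check a Strict-Transport-Security header value against the one-year floor.

Added example for this page; not code from Cloudflare or from the page itself.
Parsing follows RFC 6797 section 6.1; the finding texts and the sample headers
below are this example's own constructions.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # 365 * 24 * 60 * 60, what Cloudflare's "12 months" option sends

# Constructed sample header values (not captured from any real site): the
# "before" state this page is about and the corrected header from the steps.
SAMPLE_HEADERS = {
    "too-short": "max-age=300",
    "fixed": "max-age=31536000; includeSubDomains",
    "fixed-preload": "max-age=31536000; includeSubDomains; preload",
}


@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    # Syntax problems that make a browser ignore the whole header.
    errors: list[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive; max-age takes an integer number of
    seconds (optionally quoted); includeSubDomains and preload take no value;
    unknown directives are ignored. A repeated directive invalidates the header,
    so it is recorded as an error rather than picking the first or last value.
    """
    policy = HstsPolicy()
    seen: set[str] = set()
    for raw in value.split(";"):
        piece = raw.strip()
        if not piece:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, sep, val = piece.partition("=")
        name = name.strip().lower()
        arg = val.strip().strip('"') if sep else None
        if name in seen:
            policy.errors.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            if arg is None or not arg.isdigit():
                policy.errors.append(f"max-age value {arg!r} is not a non-negative integer")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None and not any(e.startswith("max-age") for e in policy.errors):
        policy.errors.append("max-age directive missing (required; header is ignored without it)")
    return policy


def evaluate(value: str | None, min_age: int = ONE_YEAR) -> list[str]:
    """Return findings for a header value (None means the header is absent).

    An empty list means the policy passes the one-year check.
    """
    if value is None or not value.strip():
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy.errors:
        return [f"invalid header: {e}" for e in policy.errors]
    findings: list[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to delete the policy; HSTS is effectively off")
    elif policy.max_age < min_age:
        findings.append(f"max-age={policy.max_age} is below the {min_age} second (one year) floor")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= min_age):
        findings.append("preload is set but the policy does not meet the preload-list "
                        "requirements (one year max-age and includeSubDomains)")
    return findings


def fetch_hsts(url: str, timeout: float = 10.0) -> str | None:
    """HEAD request over HTTPS; returns the STS header value or None if absent.

    Browsers only honour HSTS on HTTPS responses, so an http:// URL is rejected
    rather than checked. The header is read even from 4xx/5xx responses.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only honoured over HTTPS; give an https:// URL")
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:
        return err.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:14} {header!r:48} -> {evaluate(header) or ['OK']}")
```

Run it as-is to see the constructed samples scored; to check a live site, call `evaluate(fetch_hsts("https://example.com/"))` and confirm the result is an empty list. A short list of findings is the same condition the scanner on this page reports as "HSTS max-age too short".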

What is "HSTS max-age too short"?

HTTP Strict-Transport-Security (HSTS) is a response header your web server sends to browsers, telling them: "Always connect to this site over HTTPS, never plain HTTP." The `max-age` value controls how long (in seconds) a browser remembers and enforces that instruction, counted from the last time it saw the header. A value of 300 means only 5 minutes, barely longer than a single browsing session. RFC 6797 sets no minimum, but the HSTS preload list requires at least 31536000 seconds (one full year) and security scanners flag shorter values, because the protection should persist long after a visitor closes your site.

A short max-age leaves your customers exposed to SSL-stripping and other man-in-the-middle attacks on most return visits: once the timer expires the browser forgets the HTTPS-only rule, and the next request typed or linked as http:// goes out in the clear, where an attacker on the network path can intercept it before your redirect to HTTPS is ever reached. This directly endangers login credentials, payment data, and personal information, the kind of cryptographic failure OWASP ranks second among web security risks (A02:2021). Beyond security, Google uses HTTPS as a ranking signal and Chrome actively warns users about insecure sites; a site that intermittently falls back to HTTP risks both rankings and customer trust. Assessments against PCI DSS and GDPR also commonly treat a correctly configured HSTS policy as part of protecting payment and personal data in transit.

See the complete "HSTS max-age too short" guide for every platform and the full background.

Not sure whether your site behind Cloudflare (CDN/proxy used with any platform) has this issue?

Run a free SEOLZ audit: it finds an HSTS max-age that is too short, along with every other issue across your whole site.

