2

I would like Cloudflare to send the HSTS header on the main domain, and on the www subdomain, but not the other subdomains.

However I can only enable HSTS for the primary domain (and add includesubdomains, which I can't use because I don't want HSTS enabled on all of them).

So I thought: maybe a page rule is the solution! But I can neither see a HSTS page rule, nor can I see a page rule category to add HTTP response header.

How do I do this? Am I missing something / am I blind? Or is this not possible with Cloudflare, and I have to do it on the host?

user643011
  • 129
  • 1
  • 10

1 Answers1

0

I read about Cloudflare Workers which were added recently. I contacted support yesterday, and it confirmed my suspicion that this is the way to go:

Thanks for contacting Cloudflare support. My name is Damian and I will be looking into this ticket for you.

Cloudflare only supports enabling HSTS for the entire zone through our dashboard, if you would like to enable it for specific subdomains/hostnames you would need to either create the HSTS Header on your origin server or alternatively you can use edge workers to add the header to the response - https://developers.cloudflare.com/workers/about/how-workers-work/

Damian | Cloudflare Support Engineer Join the Cloudflare Community

So use Workers - but check billing first - if it fits your needs, because it's not free: https://support.cloudflare.com/hc/en-us/articles/360001657552

user643011
  • 129
  • 1
  • 10