A few days ago, one of our clients asked us for help with her site: she and her team were trying to get it accepted as eligible for Chrome's HSTS preload list.
Even though they had already spent a couple of hours trying to meet all of Chrome's criteria for HSTS preload eligibility, they still failed some of them. They were using Runcloud to manage their hosting instance and had created a server-side redirect there, but the site still couldn't pass Chrome's preload eligibility check.
They also used Cloudflare as their DNS and Proxy service and set the SSL/Encryption mode to Full(strict).
This wasn't enough to apply for Chrome's HSTS preload list, since the status report from https://hstspreload.org/ showed the warnings below:

Error: HTTP redirects to www first
http://site.com (HTTP) should immediately redirect to https:// (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

Error: No HSTS header
Response error: No HSTS header is present on the response.
Looking at both warnings, we decided to check our client's Cloudflare setup for misconfigurations, and we were right.
Below we list all the misconfigurations we found. Hopefully this helps you overcome the same errors when submitting your own site to Chrome's HSTS preload list.
The Cloudflare DNS Service was Disabled
The first thing we checked was the DNS records added in Cloudflare. Both the A and CNAME records were not set to use Cloudflare's service (so traffic was not passing through Cloudflare at all), so we enabled it on both.
Enabled Cloudflare’s Always Use HTTPS
After visiting our client's Edge Certificates settings page, we noticed the "Always Use HTTPS" option was disabled. While this doesn't affect HSTS eligibility on its own, we enabled it so that every request is consistently served over HTTPS.
Enabled Cloudflare’s HTTP Strict Transport Security (HSTS) option
Enabling this setting alone is not enough to pass the preload eligibility test; the options must also be set accordingly, especially the Max Age of the HSTS header, which should be set to 12 months.
HTTP to HTTPS Redirect was missing when using the non-www version of the URL
We created a Page Rule in the Cloudflare dashboard so that all requests matching the HTTP, non-www version of the site's URL are redirected to the HTTPS equivalent. We set this redirect as a permanent one and then deployed the change.
Install and connect Cloudflare’s WordPress Plugin
This last change is related to the previous one because the site uses the www version of the URL as its canonical address. This means an HTTP request to the non-www host should first be redirected to HTTPS on the non-www host, and only then should WordPress issue a second redirect to HTTPS on the www version of the site.
This was the main reason Chrome's tool did not report the WordPress site as eligible for the HSTS preload list. Cloudflare recommends its WordPress plugin to optimize the performance of any WordPress site using its service, and that includes optimizing the SSL settings.
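To make the two checks concrete, here is an added example (our own code, not part of the original post and not Cloudflare's or hstspreload.org's tooling) that evaluates the redirect-order and HSTS-header criteria described above. It runs offline against constructed responses modelling the "before" and "after" configurations; `site.com` is a placeholder, and the `audit` function walks a hard-coded response table rather than making real HTTP requests.

```python
"""Offline check of the two hstspreload.org criteria discussed above.

Constructed example: the response tables below stand in for real HTTP
responses so the script runs offline. To test a live site, replace the
table lookup in `audit` with requests.get(url, allow_redirects=False)
and read the Location and Strict-Transport-Security headers.
Domain names are placeholders.
"""
from urllib.parse import urlsplit

# Chrome's preload list requires a max-age of at least one year (31536000 s)
# plus the includeSubDomains and preload directives.
MIN_MAX_AGE = 31_536_000


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive; valueless directives map to True.
    Returns None when no header was present.
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def check_hsts_header(header):
    """Return a list of problems; an empty list means the header is preload-ready."""
    d = parse_hsts(header)
    if d is None:
        return ["No HSTS header is present on the response."]
    problems = []
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        problems.append("max-age directive missing or not an integer.")
    else:
        if max_age < MIN_MAX_AGE:
            problems.append(f"max-age {max_age} is below the required {MIN_MAX_AGE} (1 year).")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing.")
    if "preload" not in d:
        problems.append("preload directive missing.")
    return problems


def check_redirect_order(domain, first_hop):
    """The first redirect from http://domain must land on https://domain, not on
    https://www.domain, so browsers record the HSTS entry for the bare domain."""
    target = urlsplit(first_hop)
    if target.scheme != "https":
        return f"http://{domain} redirects to {first_hop}, which is not HTTPS."
    if target.hostname != domain:
        return (f"http://{domain} redirects to {first_hop}; it should first redirect "
                f"to https://{domain} before adding the www subdomain.")
    return None


# Constructed responses: url -> (status, Location header, Strict-Transport-Security header)
BROKEN_SITE = {  # the configuration the post started with
    "http://site.com/": (301, "https://www.site.com/", None),
    "https://site.com/": (301, "https://www.site.com/", None),
    "https://www.site.com/": (200, None, None),
}
FIXED_SITE = {  # after the Page Rule and HSTS settings were applied
    "http://site.com/": (301, "https://site.com/", None),
    "https://site.com/": (301, "https://www.site.com/",
                          "max-age=31536000; includeSubDomains; preload"),
    "https://www.site.com/": (200, None,
                              "max-age=31536000; includeSubDomains; preload"),
}


def audit(domain, responses):
    """Walk from http://domain and collect preload problems (empty list = eligible)."""
    problems = []
    status, location, _ = responses[f"http://{domain}/"]
    if status not in (301, 302, 307, 308) or not location:
        problems.append(f"http://{domain} does not redirect to HTTPS.")
        return problems
    err = check_redirect_order(domain, location)
    if err:
        problems.append(err)
    # The HSTS header must be on the HTTPS response for the bare domain,
    # even when that response is itself the redirect to www.
    _, _, hsts = responses.get(f"https://{domain}/", (None, None, None))
    problems.extend(check_hsts_header(hsts))
    return problems


if __name__ == "__main__":
    for label, site in (("before", BROKEN_SITE), ("after", FIXED_SITE)):
        print(label, audit("site.com", site) or "eligible")
```

Run it as-is to see the "before" table reproduce both warnings from the status report and the "after" table pass; the same `check_hsts_header` and `check_redirect_order` functions can be pointed at real response headers once the network fetch is swapped in.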
After fine-tuning our client’s WordPress site and Cloudflare account for HSTS preload eligibility, we ran one more test with Chrome’s service and got the green light for eligibility!
Feel free to send any comments or questions in the Comment Section.