
Enforce Web Policy with HTTP Strict Transport Security (HSTS)

What's this blog post about?

HTTP Strict Transport Security (HSTS) is a security policy technology designed to protect against downgrade attacks on HTTPS web servers. Despite being powerful, HSTS has not been widely adopted. CloudFlare aims to change this by making it easy for users to configure the technology on their domains. Downgrade attacks, also known as SSL stripping attacks, are a form of on-path attack in which an attacker redirects web browsers from a secure HTTPS server to an attacker-controlled server, compromising user data. HSTS headers consist of several parameters, including a configurable duration for which client web browsers cache and enforce the policy. The technology causes compliant browsers to strictly enforce web security practices by automatically turning all HTTP links into HTTPS links within an application and by upgrading SSL errors from warnings or bypassable errors into non-bypassable errors. CloudFlare's default SSL settings are compatible with HSTS, making it a suitable platform for enabling the technology on domains.

Company
Cloudflare

Date published
Feb. 26, 2015

Author(s)
Ryan Lackey

Word count
507

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.