HSTS on Cloudflare Pages: Common Mistakes and Fixes
HSTS on Cloudflare Pages looks easy right up until it isn’t. You add a Strict-Transport-Security header, verify it in the browser, and move on. Then a week later you realize preview URLs behave differently, your apex domain redirects through a weird chain, or someone turned on preload without thinking about subdomains that still speak plain HTTP.

I’ve seen this pattern a lot: HSTS gets treated like a checkbox. It’s not. On Cloudflare Pages, it’s simple to enable, but easy to misconfigure in ways that are annoying at best and production-breaking at worst. ...