
Setting Up HSTS in Cloudflare for PCI DSS Scans

  • Apr 20, 2025
  • 2 min read

Updated: May 27

One of the more common vulnerabilities found during an ASV scan is the lack of HSTS (HTTP Strict Transport Security). This is not necessarily limited to your application server; HSTS should be set up on all internet-facing hosts that provide a path to, or are part of, the cardholder data environment (CDE).



This includes the Web Application Firewall (WAF), and one of the most common WAF platforms is Cloudflare (Cloudflare™ is a registered trademark of Cloudflare, Inc.). A common issue found during ASV scans is that HSTS was not set for the Cloudflare WAF.


If HSTS or related TLS configuration issues are affecting your PCI DSS external scan, nabu provides PCI DSS ASV scanning for internet-facing systems connected to payment environments.


Luckily, it is easy to fix. Follow these steps:

  • Log into your Cloudflare account and open the relevant domain.

  • Click on the domain where you want to enable HSTS.

  • In the sidebar or top menu, click “SSL/TLS” / “Edge Certificates”:


    [Screenshot: Enabling HSTS in Cloudflare (SSL/TLS > Edge Certificates settings)]

  • Scroll down to ‘HTTP Strict Transport Security (HSTS)’

  • Click “Enable HSTS” (you might see a warning first—acknowledge it if needed).

  • You’ll see several options:

[Screenshot: HSTS options in Cloudflare (max age, subdomains, preload and no-sniff header)]

  • Max Age Header (seconds): This is how long browsers should remember to use HTTPS only. Recommended setting: 1 year / 12 months.

  • Include subdomains: Applies HSTS to all subdomains too. Recommended setting: Yes.

  • Preload (optional): Adds your site to browser preload lists. If you check it, you’ll need to submit your domain manually to the preload list here: https://hstspreload.org.

  • Note that once preloaded, it’s difficult to remove your domain from the list.

  • No-Sniff Header: Adds the X-Content-Type-Options: nosniff header, which stops browsers from MIME-type sniffing responses.

  • Apply HSTS to HTTP: Forces HTTP requests to redirect to HTTPS. Recommended setting: Yes.

  • Click “Save”.
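To confirm the change took effect before the next scan, the script below (an added example, not code from the post, nabu or Cloudflare) parses a Strict-Transport-Security header and flags any deviation from the settings recommended above: a max-age of at least one year, includeSubDomains, and the nosniff header. check_host is a hypothetical helper that performs a live request; everything else runs offline on constructed sample headers.

```python
import urllib.request

ONE_YEAR = 31536000  # seconds: the post's recommended 1-year max-age

def parse_hsts(value):
    """Parse an HSTS header value into its max-age, includeSubDomains and preload directives."""
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and val.strip('"').isdigit():
            result["max-age"] = int(val.strip('"'))
        elif name in ("includesubdomains", "preload"):
            result[name] = True
    return result

def check_headers(headers):
    """Return a list of findings for a response's headers; an empty list means it passes."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max-age"] is None:
            findings.append("HSTS max-age missing or invalid")
        elif parsed["max-age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {parsed['max-age']} is below one year")
        if not parsed["includesubdomains"]:
            findings.append("HSTS includeSubDomains not set")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings

def check_host(hostname, timeout=10):
    """Live check (needs network): fetch https://hostname/ and evaluate its response headers."""
    with urllib.request.urlopen(f"https://{hostname}/", timeout=timeout) as resp:
        return check_headers(dict(resp.headers))

if __name__ == "__main__":
    # Constructed sample responses (not captured from any real host).
    good = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "X-Content-Type-Options": "nosniff"}
    weak = {"Strict-Transport-Security": "max-age=86400"}
    print("good:", check_headers(good))  # []
    print("weak:", check_headers(weak))
```

The HSTS header is only meaningful on HTTPS responses, so the live helper requests the https:// origin directly and follows any redirects Cloudflare issues.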


Need help resolving HSTS, TLS or Cloudflare configuration issues before your next ASV scan?


Contact nabu to review the findings and remediation steps.
