HSTS preload doesn't work if using Cloudflare due to www requirement



Looking into setting up HSTS preload but getting this error on the preload submission site (https://hstspreload.appspot.com):

Error: HTTP redirects to www first
http://mysite.com (HTTP) should immediately redirect to https://mysite.com (HTTPS) before adding the www subdomain. Right now, the first redirect is to http://www.mysite.com/.

The reason I have it set to force www in my DH panel is that according to this help article on the DH wiki, the www is required to work with Cloudflare:

So my question is, can I somehow force the https redirect to happen first, or can I just not use HSTS preload if also using cloudflare? Would seem pretty bogus if that’s the case. What are my options?


I didn’t use the Dreamhost panel to set up Cloudflare. Here’s my deal:

  1. Standard Dreamhost setup, and remove “www” from domains.
  2. Set up Let’s Encrypt for Secure Domains at Dreamhost.
  3. Set up Cloudflare their normal way. Set domain to SSL Full Strict. Page rule #1 to make everything HTTPS.
  4. Turn on HSTS at my domain registrar (Hoover). Can’t do it at Dreamhost registered domains.
  5. Turned on HSTS at Cloudflare and set it for 6 months. Left my subdomains off for HSTS because sometimes I host them under other services.


By this I assume you mean the option is actually unchecked in your DH panel, and then you manually set up CF directly in their interface?

Found this help article from CF (https://support.cloudflare.com/hc/en-us/articles/200169886-Can-I-use-a-naked-domain-no-www-with-CloudFlare-), which seems to be your case. i.e. set up your domains directly on CF, with no www.

Only thing that irks me about that is I’d have to get the CF pro plan and pay more…it’s only like $10 more but still.


Correct, I never checkboxed Cloudflare in my DH panel.

What does the Pro plan offer that you need? I use Pro Plan, but I didn’t think you needed it for HSTS.


I thought a paid plan was required for SSL support as explained here:

Guess not?


As it turns out, one of my domains is on the free plan. It has Full Strict SSL with HSTS turned on.


Right, so with your setup, have you successfully been added to the preload list for HSTS? https://hstspreload.appspot.com/


Yep! I hadn’t seen that link, but I’ve now submitted several of my sites to the preload list, including my Free Plan one.

P.S. Yes, that means I had to turn on HSTS for subdomains, which is a better choice anyway.


Excellent, thanks for all the insight. Think I got this all figured out.
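
An added example, not written by anyone in this thread: an offline check for the two conditions discussed above, the redirect order from the submission site's error and the subdomain setting from the P.S. The hosts, redirect hops and header values are constructed samples, the function names are hypothetical, and the `preload` directive check reflects the submission site's own requirement, which the thread does not mention.

```python
from urllib.parse import urlsplit

# Constructed sample redirect chains: (requested URL, Location header) per hop.
WWW_FIRST = [("http://example.com/", "http://www.example.com/"),
             ("http://www.example.com/", "https://www.example.com/")]
HTTPS_FIRST = [("http://example.com/", "https://example.com/"),
               ("https://example.com/", "https://www.example.com/")]

def redirect_problems(hops):
    """Check that the first hop upgrades to HTTPS on the same host.

    Location values are assumed to be absolute URLs.
    """
    if not hops:
        return ["HTTP is served without a redirect to HTTPS"]
    requested, location = hops[0]
    src, dst = urlsplit(requested), urlsplit(location)
    problems = []
    if dst.scheme != "https":
        problems.append(f"first redirect is not to HTTPS: {location}")
    if dst.hostname != src.hostname:
        problems.append(f"first redirect changes host: {src.hostname} -> {dst.hostname}")
    return problems

def hsts_problems(header_value):
    """Check a Strict-Transport-Security value for the preload directives."""
    directives = {}
    for part in header_value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    problems = []
    # The submission site also enforces a minimum max-age; the thread does not
    # state it, so only presence and syntax are checked here.
    if not directives.get("max-age", "").isdigit():
        problems.append("max-age missing or not a number")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":
    for label, hops in (("www first", WWW_FIRST), ("https first", HTTPS_FIRST)):
        print(label, redirect_problems(hops) or "ok")
    for value in ("max-age=15552000", "max-age=15552000; includeSubDomains; preload"):
        print(value, hsts_problems(value) or "ok")
```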