The HTTP Strict Transport Security header (or HSTS) is a security response header. It lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.


In other words, HSTS header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.


Note: HSTS header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it.  When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the HSTS header.


You can read further summary on this here.

Is HSTS header supported through Shield?

No, we don't support HSTS through Shield. 


Using this header incorrectly can cause serious problems without proper considerations. Instead, for this, we recommend using CloudFlare's HSTS (please see here) implementation as it's quite well done in the UI.