HSTS and reverse proxy support for redirects
Enable Strict-Transport-Security and reverse-proxy compatibility in a redirect's Advanced Settings.
Overview
Every SiteDetour redirect has an Advanced Settings slide-over with three toggles: Upgrade HTTP Requests (covered separately), Enable HSTS Support, and Enable Reverse Proxy Support. This article covers the latter two.
HSTS Support
HTTP Strict Transport Security is an HTTP response header that tells browsers to auto-upgrade every future request to your domain to HTTPS, without first trying HTTP. Once a browser has seen the header, it will refuse to speak HTTP to that hostname until the policy expires.
When Enable HSTS Support is on, SiteDetour adds the following header to redirect responses:
Strict-Transport-Security: max-age=31536000; includeSubDomains
When to enable:
- You want all future visitor traffic on this domain to bypass HTTP entirely.
- You've already confirmed HTTPS is working end-to-end (SSL issued, redirects resolving over 443).
When not to enable:
- You still have HTTP-only consumers or subdomains that can't serve HTTPS. includeSubDomains applies the policy to every subdomain; an HTTP-only subdomain will become unreachable.
- You're unsure whether your SSL will stay valid: HSTS is a one-way commitment with a one-year decay time. Browsers won't forgive a broken certificate once HSTS is active.
Consider pairing HSTS with Upgrade HTTP Requests so the first-ever visit (before HSTS is cached) still gets upgraded.
Reverse Proxy Support
If your DNS goes through Cloudflare, AWS CloudFront, Fastly, or any other reverse proxy before reaching SiteDetour, the TCP connection's source IP is the proxy — not the visitor. This breaks:
- Geo analytics — every hit appears to come from the proxy's region.
- Audience geo rules — Visitor's Country and Geographic Area on Map evaluate against the wrong IP.
- Rate-limiting / abuse defense — internal systems see a small set of repeated IPs.
When Enable Reverse Proxy Support is on, SiteDetour trusts the X-Forwarded-For and CF-Connecting-IP headers and uses the first entry as the client IP for geo lookups, analytics, and audience evaluation.
Security note: only enable this if traffic to your domain genuinely comes through a trusted proxy. If SiteDetour receives direct traffic on that same hostname (e.g. attackers bypassing the proxy), a forged X-Forwarded-For could spoof the client IP. If you use Cloudflare, restrict origin access to Cloudflare's published IP ranges where possible.
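The following is an added illustration, not SiteDetour's own code, of the client-IP selection the toggle describes together with the hardening the security note asks for: forwarded headers are only honoured when the TCP peer is itself a known proxy address. The proxy range is a constructed placeholder (a deployment would load the vendor's published ranges), and the CF-Connecting-IP-before-X-Forwarded-For precedence is an assumption.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed placeholder standing in for a proxy vendor's published egress
# ranges; it is NOT Cloudflare's real list.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer address belongs to a configured proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def _first_valid(value: Optional[str]) -> Optional[str]:
    """Return the first comma-separated entry that parses as an IP, else None."""
    if not value:
        return None
    for part in value.split(","):
        candidate = part.strip()
        try:
            ipaddress.ip_address(candidate)
            return candidate
        except ValueError:
            continue
    return None


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      reverse_proxy_support: bool,
                      require_trusted_peer: bool = True) -> str:
    """Pick the IP used for geo lookups, analytics and audience rules.

    reverse_proxy_support mirrors the toggle: off means the TCP peer is the
    visitor. require_trusted_peer is the extra check from the security note:
    a direct hit that bypassed the proxy must not get to pick its own IP.
    """
    if not reverse_proxy_support:
        return peer_ip
    if require_trusted_peer and not _is_trusted_proxy(peer_ip):
        # Direct traffic: X-Forwarded-For is attacker-controlled input here.
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("cf-connecting-ip", "x-forwarded-for"):
        found = _first_valid(lowered.get(name))
        if found:
            return found
    return peer_ip
```

Running it with require_trusted_peer=False shows the spoof the note warns about: a direct connection carrying a forged X-Forwarded-For is reported under whatever IP it chose.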
Cloudflare-specific tips
- Keep the DNS record set to Proxied (orange cloud); that's the whole point. Enabling Reverse Proxy Support makes this work correctly.
- Use SSL mode Full (Strict) in Cloudflare once SiteDetour has issued its certificate. Flexible SSL is discouraged.
- Disable Cloudflare's Always Use HTTPS if you already have Upgrade HTTP Requests on — otherwise you get two upgrade passes.