The warnings Cloudflare presents me with about enabling HSTS are both lengthy and full of dire warnings describing a few situations in which my users will not be able to visit my site for up to 6 months (i.e. forever). Example here.
It seems to me the only way to trigger these things is to disable HTTPS/SSL. Which, it's 2020, why would I (or anyone) want to do that?
In a world where SSL ought to be enabled everywhere, are these warnings overblown? Assuming I'm not turning off SSL, can I just enable it and be happy?
I’m of the opinion that HSTS is good, and should be used, but I hate these online tutorials that say just turn it on without warning about the consequences of getting it wrong. I’ve a blog post discussing “Dangerous Web Security Features” like this and HPKP and even CSP.
Yes, you are right that we are increasingly moving to an HTTPS world, and this should be low risk if you've already switched.
However, it is possible to miss scenarios and cause issues.
For example, if you don't have SSL enabled everywhere and are only considering your main website: you enable it on your TLD (example.com), or preload it, as well as the www version (www.example.com), but you also reuse that domain elsewhere without SSL (e.g. intranet.example.com, dev.example.com or oldapp.example.com). Then those will stop working.
Google used to maintain a list of those preloading HSTS who regretted it, because they didn't think it all through or because some web developer thought they were doing good securing the website but broke other things.
So I don’t think it’s overblown to give warnings.
For a brand new site I would use HSTS from the get go unless there is a very good reason not to.
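The subdomain scenario from the answer above, modelled as an added example (not code from either poster): it parses a Strict-Transport-Security header and, against a constructed inventory of hostnames and whether each actually serves HTTPS, lists which hosts a browser would force to HTTPS and therefore break once the policy is cached. The hostnames and the HTTPS table are constructed for illustration.

```python
"""Which hosts break when an HSTS policy with includeSubDomains is cached?
Added example; hostnames and the HTTPS-availability table are constructed."""

# The header the apex site would send (180 days, as in the question's "6 months").
HSTS_HEADER = "Strict-Transport-Security: max-age=15552000; includeSubDomains"

# Constructed inventory: hostname -> does it serve HTTPS today?
INVENTORY = {
    "example.com": True,
    "www.example.com": True,
    "intranet.example.com": False,
    "dev.example.com": False,
    "oldapp.example.com": False,
    "other-site.example": False,  # unrelated zone, must be unaffected
}


def parse_hsts(header: str) -> dict:
    """Parse HSTS directives (RFC 6797): names are case-insensitive,
    max-age is mandatory, flags like includeSubDomains carry no value."""
    value = header.split(":", 1)[1] if ":" in header.split(";")[0] else header
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or True
    if "max-age" not in directives:
        raise ValueError("max-age is mandatory")
    directives["max-age"] = int(directives["max-age"])
    return directives


def covered_by(policy_host: str, host: str, include_subdomains: bool) -> bool:
    """A browser applies the policy to the issuing host and, with
    includeSubDomains, to every label below it."""
    return host == policy_host or (include_subdomains and host.endswith("." + policy_host))


def hosts_that_break(policy_host: str, header: str, inventory: dict) -> list:
    """Hosts the browser will upgrade to HTTPS that cannot serve HTTPS."""
    directives = parse_hsts(header)
    include = bool(directives.get("includesubdomains"))
    return sorted(h for h, has_tls in inventory.items()
                  if covered_by(policy_host, h, include) and not has_tls)


def preload_ready(header: str) -> bool:
    """hstspreload.org submission requires max-age >= 31536000 (1 year),
    includeSubDomains and the preload token; the 6-month header above fails."""
    d = parse_hsts(header)
    return d["max-age"] >= 31536000 and bool(d.get("includesubdomains")) and bool(d.get("preload"))


if __name__ == "__main__":
    print("would break:", hosts_that_break("example.com", HSTS_HEADER, INVENTORY))
```

Run the audit against a real inventory before turning includeSubDomains on; an empty list is the "enable it and be happy" case, anything else is a host to fix first.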