I'm using HSTS with this header on my website:
Strict-Transport-Security: max-age=15768000; includeSubDomains
This works as intended and forces the browser to redirect all http connections to https.
In the documentation at https://www.rfc-editor.org/rfc/rfc6797#section-6.1.2 I did not find a way to exclude specified subdomains!
I already tried to add max-age=0 for the subdomain, but it does not overwrite includeSubDomains.
Is it possible to exclude subdomains from the includeSubDomains rule?
Or is the only way to remove this rule and just use the HSTS header for some websites?
PS: My web server is NGINX and I tested the behaviour with Firefox and Chrome.
Best Answer
No:
I think one of the points of includeSubdomains is to ensure that it's not possible for an attacker to hijack cookies etc. by forcing end user to load a subdomain over plain http and then them. If there was even one exception to includeSubdomains then it would be useless (assuming it's possible for the attacker to figure out what the exception is).
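Added example (not from the question or the answer): a small model of a browser's HSTS known-host store, following RFC 6797 section 6.1 (header syntax) and section 8 (header processing and superdomain matching). It shows why max-age=0 sent by the subdomain only deletes the subdomain's own entry and cannot lift the parent's includeSubDomains; host names and timestamps are constructed.

```python
import re


def parse_hsts(header: str, now: float):
    """Parse a Strict-Transport-Security value into {"expires", "include_subdomains"}.
    Returns None for a header a browser would ignore (duplicate directive,
    missing or non-numeric max-age)."""
    policy = {"expires": None, "include_subdomains": False}
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # a directive may appear only once; otherwise the header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not re.fullmatch(r"\d+", value):
                return None
            policy["expires"] = now + int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unrecognised directives are ignored, as the RFC requires
    return policy if policy["expires"] is not None else None


class HstsStore:
    """Per-host HSTS cache as a browser keeps it (constructed model, not a real browser)."""

    def __init__(self):
        self.known = {}

    def observe(self, host: str, header: str, now: float) -> None:
        policy = parse_hsts(header, now)
        if policy is None:
            return
        if policy["expires"] <= now:  # max-age=0 removes this host's entry only
            self.known.pop(host, None)
        else:
            self.known[host] = policy

    def must_upgrade(self, host: str, now: float) -> bool:
        """True if host itself, or any superdomain with includeSubDomains, is a known HSTS host."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.known.get(".".join(labels[i:]))
            if policy is None or policy["expires"] <= now:
                continue
            if i == 0 or policy["include_subdomains"]:
                return True
        return False
```

Once example.com has been seen with includeSubDomains, dev.example.com is upgraded because of the parent's entry, so a max-age=0 header from dev.example.com changes nothing for it.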