In my Plesk web admin edition I just activated HSTS on my main domain www.domain.tld with
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
The test on ssllabs.com says that everything works fine. The problem is my subdomain (subdomain.domain.tld). If I test my subdomain on ssllabs it says that there is no HSTS activated.
Should I include the header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
on my subdomain too or is an implementation on my main domain sufficient?
I thought by adding includeSubDomains there was no need for adding it explicitly on subdomains.
Best Answer
The includeSubDomains part only instructs the browser, once it's seen it, that requests to other sub-domains should abide by the same HSTS rules (i.e. a valid certificate must be present). It doesn't "infer" the application of this rule to your sub-domains, if for instance a user has never accessed your www.domain.tld site before. In this case, their browser will never have seen the presence of this header on your www sub-domain, and thus will not apply HSTS rules. If a user has seen this header on your www sub-domain, then tries to access a sub-domain with an invalid certificate, it will block it and prevent the user from continuing.
In short, you need to ensure that you serve the same HSTS header across all your sub-domains in order for this to be 100% effective.
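As an added illustration (not part of the question or the answer above), here is a minimal model of a browser's HSTS host cache using the matching rules of RFC 6797, with the question's www.domain.tld and subdomain.domain.tld as placeholder hostnames. It goes one step beyond the answer in that it shows where includeSubDomains reaches: only hosts below the one that served the header, so a policy learned from www.domain.tld covers x.www.domain.tld but not subdomain.domain.tld, which is why each host (or the apex domain.tld) has to send the header itself.

```python
import time

HEADER = 'max-age=31536000; includeSubDomains'  # the value from the question


def parse_hsts(header_value):
    """Return (max_age, include_subdomains), or None if max-age is missing."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsCache:
    """Known HSTS hosts, keyed by the exact host that served the header (RFC 6797 section 8.1)."""

    def __init__(self, now=time.time):
        self.policies = {}
        self.now = now

    def observe(self, host, header_value):
        """Record a header received over HTTPS from `host`; browsers ignore it on plain HTTP."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:                      # max-age=0 tells the browser to forget the host
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = (self.now() + max_age, include_subdomains)

    def is_known_hsts_host(self, host):
        """True if the browser must use HTTPS for `host` and treat certificate errors as fatal."""
        host = host.lower()
        for known, (expires, include_subdomains) in self.policies.items():
            if expires <= self.now():
                continue
            if host == known:
                return True
            # includeSubDomains only reaches hosts *below* the issuing host:
            # a policy set by www.domain.tld covers x.www.domain.tld, not subdomain.domain.tld
            if include_subdomains and host.endswith("." + known):
                return True
        return False
```

A browser that has never received the header from a given host (or from a parent of it with includeSubDomains) has nothing in this cache for it, which is the situation the answer describes for a first visit.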