I would like to enforce HSTS for only 1 subdomain, but not the whole domain, is this possible ?
xxx.yyy.com -> HSTS on
zzz.yyy.com -> HSTS off
yyy.com -> HSTS off
httphttpsssl
I would like to enforce HSTS for only 1 subdomain, but not the whole domain, is this possible ?
xxx.yyy.com -> HSTS on
zzz.yyy.com -> HSTS off
yyy.com -> HSTS off
Best Answer
Yes.
Send the
Strict-Transport-Security
header only forxxx.yyy.com
, and do not specifyincludeSubDomains
.Browsers that properly handle HSTS will only set the requirement for the specified subdomain (
xxx.yyy.com
) in this case.