Ssl – turn on HSTS for 1 subdomain

httphttpsssl

I would like to enforce HSTS for only 1 subdomain, but not the whole domain, is this possible ?

xxx.yyy.com -> HSTS on
zzz.yyy.com -> HSTS off
    yyy.com -> HSTS off

Best Answer

Yes.

Send the Strict-Transport-Security header only for xxx.yyy.com, and do not specify includeSubDomains.
Browsers that properly handle HSTS will only set the requirement for the specified subdomain (xxx.yyy.com) in this case.

Related Solutions

HTTP Basic Authentication – Can You Pass User/Pass in URL Parameters?

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:password@example.com/ -- this sends the credentials in the standard HTTP "Authorization" header.

It's possible that whoever you were speaking to was thinking of a custom module or code that looked at the query parameters and verified the credentials. This isn't standard HTTP auth, though, it's an application-specific thing.

Apache SSL – Is It Bad to Redirect HTTP to HTTPS?

The [R] flag on its own is a 302 redirection (Moved Temporarily). If you really want people using the HTTPS version of your site (hint: you do), then you should be using [R=301] for a permanent redirect:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

A 301 keeps all your google-fu and hard-earned pageranks intact. Make sure mod_rewrite is enabled:

a2enmod rewrite

To answer your exact question:

Is it bad to redirect http to https?

Hell no. It's very good.

Best Answer

Related Solutions

HTTP Basic Authentication – Can You Pass User/Pass in URL Parameters?

Apache SSL – Is It Bad to Redirect HTTP to HTTPS?

Related Topic