HSTS: includeSubDomains is not included in the header
JensTimmerman opened this issue · 4 comments
JensTimmerman commented
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
This should also have: includeSubDomains
floatingatoll commented
Adding includeSubDomains by default would harm the unwary unnecessarily. We
must not include that in any default recommendation or example. Some
domains have hosts underneath them that must not upgrade requests yet.
While sub-optimal in the long-term, it’s essential to take that into
account here.
On Wed, Oct 17, 2018 at 04:55 Jens Timmerman wrote:
> # HSTS (mod_headers is required) (15768000 seconds = 6 months)
> Header always set Strict-Transport-Security "max-age=15768000"
> This should also have: includeSubDomains
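To make the point about subdomains concrete, here is an added example (not code from this issue or from the config generator) that parses a Strict-Transport-Security header value the way RFC 6797 describes and lists which of a set of constructed hostnames a browser would force to HTTPS after visiting the policy host, with and without includeSubDomains. The hostnames and header values are constructed for illustration.

```python
"""Which hosts does an HSTS policy cover? (added example, not project code)"""

# Constructed sample header values: the generator's default and the
# same policy with includeSubDomains added.
HEADER_DEFAULT = "max-age=15768000"
HEADER_WITH_SUBDOMAINS = "max-age=15768000; includeSubDomains"


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    value is malformed (no usable max-age). Directive names are
    case-insensitive and max-age may be quoted.
    """
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        return None
    return policy


def hosts_forced_to_https(policy_host, header_value, hosts):
    """Return the hosts a browser would upgrade to HTTPS after receiving
    header_value from policy_host. Without includeSubDomains only the exact
    host matches; with it, every host below policy_host matches too, which
    is what breaks subdomains that cannot yet serve HTTPS. max-age=0 clears
    the policy, so nothing is forced."""
    policy = parse_hsts(header_value)
    if policy is None or policy["max_age"] == 0:
        return []
    forced = []
    for host in hosts:
        if host == policy_host:
            forced.append(host)
        elif policy["include_subdomains"] and host.endswith("." + policy_host):
            forced.append(host)
    return forced
```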
JensTimmerman commented
Can the comment above this header make note of the includeSubDomains option? Let people know it exists and warn them about its implications?
jvehent commented
That's reasonable. Can you submit a patch?
april commented
While I think it's reasonable, I'm not sure I want to add it. It'll take just one person clicking the button to start receiving endless screaming. 😰