
Fix HSTS IncludeSubDomains Directive

DodaTech Updated 2026-06-26 2 min read

This tutorial explains why the HSTS includeSubDomains directive matters, shows a misconfigured header next to the corrected one for nginx, Apache and Express, and lists the checks to run before enabling it.

Without the includeSubDomains directive, HSTS only protects the exact domain. An attacker can still intercept traffic to admin.example.com, api.example.com, or mail.example.com and downgrade those connections to HTTP, even if the main domain is protected. The includeSubDomains flag extends HSTS protection to every subdomain.

Wrong

HSTS is configured without includeSubDomains, leaving all subdomains unprotected.

Header as sent to the browser:

Strict-Transport-Security: max-age=31536000

nginx:

add_header Strict-Transport-Security "max-age=31536000" always;

The main domain example.com is protected, but an attacker can still do an SSL stripping attack on:

  • https://admin.example.com → downgraded to http://admin.example.com
  • https://api.example.com → downgraded to http://api.example.com
  • https://mail.example.com → downgraded to http://mail.example.com

The browser only enforces HTTPS for the exact domain that sent the header.

Correct

Add includeSubDomains to extend HSTS coverage to all subdomains.

Header as sent to the browser:

Strict-Transport-Security: max-age=31536000; includeSubDomains

nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Apache:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Express with helmet:

const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet.hsts() emits Strict-Transport-Security on every response;
// maxAge is in seconds (31536000 = one year)
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true,
}));

Now all subdomains are protected. The browser enforces HTTPS for example.com and every subdomain for the full max-age duration.

Prevention

  • Add includeSubDomains to the HSTS header once you have verified that all subdomains support HTTPS.
  • Before enabling includeSubDomains, audit every subdomain to ensure it serves content over HTTPS without errors.
  • A subdomain that does not support HTTPS will be unreachable to users who have visited the root domain.
  • Use a wildcard TLS certificate (*.example.com) when deploying includeSubDomains so all subdomains share the same certificate.
  • If you have subdomains that cannot support HTTPS (legacy systems, third-party hosted), do not use includeSubDomains.
  • For maximum protection without breaking non-HTTPS subdomains, use includeSubDomains only after all subdomains are HTTPS-ready.

DodaTech Tools

Doda Browser's security panel lists all subdomains covered by the current HSTS policy. DodaZIP's subdomain scanner checks every discovered subdomain for HTTPS support before recommending includeSubDomains. Durga Antivirus Pro deploys includeSubDomains across its entire cloud infrastructure, ensuring all microservice endpoints enforce HTTPS.

FAQ

What happens if a subdomain does not support HTTPS with includeSubDomains?

The subdomain becomes inaccessible to users who have visited the main domain. The browser rewrites every http:// URL for that subdomain to https:// before connecting, so if the subdomain only serves HTTP, users cannot reach it at all. This is why you must audit all subdomains before enabling includeSubDomains.

Can I use includeSubDomains if I have third-party subdomains?

No. If a third party hosts a subdomain of your domain (e.g., app.example.com hosted by a SaaS provider), and that subdomain does not support HTTPS, enabling includeSubDomains will break it. You must either ensure the third party supports HTTPS, or leave includeSubDomains off the parent domain and set HSTS individually on each subdomain that does support HTTPS.

Does includeSubDomains apply to all levels of subdomains?

Yes. includeSubDomains protects all nested subdomain levels. If you set HSTS on example.com with includeSubDomains, it covers admin.example.com, api.admin.example.com, and deeply.nested.subdomain.example.com. There is no depth limit.
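The exact-domain-only behaviour described in the Wrong section and the unlimited-depth matching described in this answer, worked through as an added example that is not part of the original article: a small parser for the Strict-Transport-Security header and an audit function that reports which hostnames a given policy leaves uncovered. Hostnames and header values below are constructed for illustration.

```python
# Added example (not from the original article): parse an HSTS header and
# apply the RFC 6797 matching rules to a list of hostnames.


def parse_hsts(header):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None                  # malformed max-age: browsers ignore the header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:            # max-age is mandatory
        return None
    return policy


def hsts_covers(policy_host, policy, host):
    """True if a policy set by policy_host forces HTTPS for host."""
    policy_host = policy_host.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if policy["max_age"] <= 0:               # max-age=0 clears the policy
        return False
    if host == policy_host:                  # exact match always covered
        return True
    if not policy["include_subdomains"]:
        return False
    # Superdomain match: any number of labels to the left of policy_host,
    # but only on a label boundary (notexample.com must not match).
    return host.endswith("." + policy_host)


def audit(policy_host, header, hosts):
    """Return the hosts NOT protected by the header that policy_host sends."""
    policy = parse_hsts(header)
    if policy is None:
        return list(hosts)                   # invalid header protects nothing
    return [h for h in hosts if not hsts_covers(policy_host, policy, h)]
```

Run audit() against the subdomain inventory from your HTTPS readiness check; an empty result for the includeSubDomains header means the policy reaches every host you expect.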
