Fix HSTS IncludeSubDomains Directive
In this tutorial, you'll learn how to fix an HSTS policy that is missing the includeSubDomains directive. We cover key concepts, practical examples, and best practices.
Without the includeSubDomains directive, HSTS only protects the exact domain. An attacker can still intercept traffic to admin.example.com, api.example.com, or mail.example.com and downgrade those connections to HTTP, even if the main domain is protected. The includeSubDomains flag extends HSTS protection to every subdomain.
Wrong
HSTS is configured without includeSubDomains, leaving all subdomains unprotected.
Strict-Transport-Security: max-age=31536000
Nginx:
add_header Strict-Transport-Security "max-age=31536000" always;
The main domain example.com is protected, but an attacker can still do an SSL stripping attack on:
- https://admin.example.com → downgraded to http://admin.example.com
- https://api.example.com → downgraded to http://api.example.com
- https://mail.example.com → downgraded to http://mail.example.com
The browser only enforces HTTPS for the exact domain that sent the header.
Right
Add includeSubDomains to extend HSTS coverage to all subdomains.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Express with helmet (maxAge is given in seconds):
app.use(helmet.hsts({
    maxAge: 31536000,
    includeSubDomains: true,
}));
Now all subdomains are protected. The browser enforces HTTPS for example.com and every subdomain for the full max-age duration.
Prevention
- Add includeSubDomains to the HSTS header once you have verified that all subdomains support HTTPS.
- Before enabling includeSubDomains, audit every subdomain to ensure it serves content over HTTPS without errors.
- A subdomain that does not support HTTPS will be unreachable to users whose browser cached the policy from a visit to the root domain, for the remainder of the max-age duration.
- Use a wildcard TLS certificate (*.example.com) when deploying includeSubDomains so all subdomains share the same certificate.
- If you have subdomains that cannot support HTTPS (legacy systems, third-party hosted), do not use includeSubDomains.
- For maximum protection without breaking non-HTTPS subdomains, use includeSubDomains only after all subdomains are HTTPS-ready.
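The coverage rule from the Wrong/Right sections (an HSTS policy without includeSubDomains covers only the exact host that sent it; with the flag it covers every subdomain) and the audit step from the prevention list, as an added JavaScript example. This code is not from the original page or from any DodaTech product: parseHsts, isCoveredByHsts, unprotectedHosts and auditIncludeSubDomains are hypothetical helper names, and the probe results passed to the audit are constructed sample data rather than live TLS checks.

```javascript
// Added example (not part of the original page): parse an HSTS header, decide
// which hostnames a browser would force to HTTPS, and gate includeSubDomains on
// an audit of subdomain HTTPS support. All function names are hypothetical and
// the sample data at the bottom is constructed, not taken from live hosts.

// Parse "Strict-Transport-Security" into its directives (RFC 6797 section 6.1).
// Returns null when the value is missing or lacks the mandatory max-age.
function parseHsts(headerValue) {
  if (typeof headerValue !== "string") return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(";")) {
    const directive = part.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : directive.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      policy.maxAge = /^\d+$/.test(value) ? Number.parseInt(value, 10) : NaN;
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true;
    }
    // Unknown directives are ignored by browsers, so they are ignored here too.
  }
  if (policy.maxAge === null || Number.isNaN(policy.maxAge)) return null;
  return policy;
}

// Would a browser that cached `policy` from `issuingHost` upgrade `requestedHost`?
// max-age=0 tells the browser to forget the policy, so it covers nothing.
function isCoveredByHsts(policy, issuingHost, requestedHost) {
  if (policy === null || policy.maxAge <= 0) return false;
  const issuer = issuingHost.toLowerCase();
  const target = requestedHost.toLowerCase();
  if (target === issuer) return true;
  return policy.includeSubDomains && target.endsWith("." + issuer);
}

// List which of `hosts` would still be served over plain HTTP under the header.
function unprotectedHosts(headerValue, issuingHost, hosts) {
  const policy = parseHsts(headerValue);
  return hosts.filter((h) => !isCoveredByHsts(policy, issuingHost, h));
}

// Audit step from the prevention list: only recommend includeSubDomains when
// every discovered subdomain serves HTTPS with a valid certificate. `probes`
// maps hostname to a result object; in practice it would be filled from a TLS
// probe of each host.
function auditIncludeSubDomains(probes) {
  const blockers = Object.entries(probes)
    .filter(([, r]) => !(r.https && r.certValid))
    .map(([host]) => host);
  return { recommend: blockers.length === 0, blockers };
}

// Constructed sample data mirroring the page's "wrong" and "right" headers.
const WRONG_HEADER = "max-age=31536000";
const RIGHT_HEADER = "max-age=31536000; includeSubDomains";
const SUBDOMAINS = ["example.com", "admin.example.com", "api.example.com", "mail.example.com"];

console.log("unprotected under WRONG:", unprotectedHosts(WRONG_HEADER, "example.com", SUBDOMAINS));
console.log("unprotected under RIGHT:", unprotectedHosts(RIGHT_HEADER, "example.com", SUBDOMAINS));
console.log(auditIncludeSubDomains({
  "admin.example.com": { https: true, certValid: true },
  "legacy.example.com": { https: false, certValid: false }, // constructed: HTTP-only legacy host
}));
```

Under the wrong header only example.com itself is covered, so the three subdomains come back as unprotected; under the right header the list is empty. The audit returns the hosts that would become unreachable if includeSubDomains were enabled now, which is exactly the list to fix before changing the header.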
DodaTech Tools
Doda Browser's security panel lists all subdomains covered by the current HSTS policy. DodaZIP's subdomain scanner checks every discovered subdomain for HTTPS support before recommending includeSubDomains. Durga Antivirus Pro deploys includeSubDomains across its entire cloud infrastructure, ensuring all microservice endpoints enforce HTTPS.
Built by the developers of DodaTech