9

I would like to enforce HSTS for only 1 subdomain, but not the whole domain. Is this possible?

xxx.yyy.com -> HSTS on
zzz.yyy.com -> HSTS off
    yyy.com -> HSTS off
Ladadadada
grosser
  • Recommended reading: [The Wikipedia page](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and [the RFC itself](http://tools.ietf.org/html/rfc6797). There's implementation code for various web servers in the Wikipedia page and the answer to your question [in the RFC](http://tools.ietf.org/html/rfc6797#section-6.1.2). – Ladadadada Feb 25 '13 at 18:53
  • @Ladadadada, except that the RFC is, imo, not clear enough about domains. In this question, is the domain always yyy.com, or would issuing an STS header from xxx.yyy.com only apply to *.xxx.yyy.com (and thus treat xxx.yyy.com as the "domain")? – bvgheluwe Sep 25 '19 at 09:57

1 Answer

17

Yes.

Send the Strict-Transport-Security header only for xxx.yyy.com, and do not specify includeSubDomains.
Browsers that properly handle HSTS will only set the requirement for the specified subdomain (xxx.yyy.com) in this case.

voretaq7
  • I'm just curious, what would happen if the `Strict-Transport-Security` on `xxx.yyy.com` _did_ include the `includeSubDomains`? Wouldn't that only affect `*.xxx.yyy.com`? – Aaron Gibralter Jun 12 '15 at 03:58
  • @AaronGibralter That's my understanding (and my interpretation of the original question was "*only* for `xxx.yyy.com`", which is why I said not to set `includeSubDomains`). If you want the subdomains of `xxx.yyy.com` to also enforce HSTS, then you should set `includeSubDomains` in the header. – voretaq7 Jun 18 '15 at 19:48
  • If `includeSubDomains` is present for `xxx.yyy.com`, will it also affect `*.yyy.com`? (i.e. will it break `zzz.yyy.com` if it does not entertain HTTPS?) – mg007 Feb 06 '16 at 07:31
  • I can confirm this. My bank has www.bank.com and homebanking.bank.com. Those are separate entries in the browser's HSTS list and are created independently from each other. Chrome's HSTS list can be searched through chrome://net-internals/#hsts -> "Query HSTS/PKP domain" (mind that it's an exact search: "bank" didn't yield a result). – bvgheluwe Sep 25 '19 at 11:47
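To make the scoping rules in the answer and the comment thread concrete, here is an added example (not code from the original post or from any of its participants) that models how an RFC 6797-conforming browser parses the `Strict-Transport-Security` header and keeps its per-host "Known HSTS Host" store. The hostnames and header values are constructed for illustration; the directive grammar, the duplicate-directive rule, the HTTPS-only rule and the superdomain match are taken from RFC 6797 sections 6.1, 8.1, 8.2 and 8.3. It shows that a header from `xxx.yyy.com` without `includeSubDomains` covers only that exact host, and that adding `includeSubDomains` extends coverage to `*.xxx.yyy.com` but never to `zzz.yyy.com` or `yyy.com`, which is the answer to the questions asked in the comments.

```python
"""
Simulation of a browser's HSTS policy store (RFC 6797) to show which hosts a
Strict-Transport-Security header sent by one subdomain does and does not cover.

Added example, not code from the original post. Hostnames and header values
below are constructed for illustration.
"""
import re
import time

# RFC 6797 section 6.1: directives are ';'-separated, names are
# case-insensitive, max-age is required, includeSubDomains is a valueless flag.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_sts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (missing or non-numeric max-age, a repeated directive, a value on
    includeSubDomains), in which case a browser ignores the header entirely.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in header_value.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:            # duplicate directive => whole header invalid
            return None
        seen.add(name)
        if name == 'max-age':
            if m.group(2) is None or not m.group(2).isdigit():
                return None
            max_age = int(m.group(2))
        elif name == 'includesubdomains':
            if m.group(2) is not None:  # the flag takes no value
                return None
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host Known HSTS Host cache, keyed by the exact host that sent the header."""

    def __init__(self, now=None):
        self._now = now or time.time
        self._hosts = {}   # host -> (expiry_epoch, include_subdomains)

    def observe(self, host, header_value, over_tls=True):
        """Process a response from `host`. The header only counts when it was
        received over TLS without errors (RFC 6797 section 8.1)."""
        if not over_tls:
            return False
        parsed = parse_sts(header_value)
        if parsed is None:
            return False
        max_age, incl = parsed
        host = host.lower().rstrip('.')
        if max_age == 0:
            self._hosts.pop(host, None)          # max-age=0 deletes the entry
        else:
            self._hosts[host] = (self._now() + max_age, incl)
        return True

    def is_hsts_host(self, host):
        """Exact match always applies; a superdomain's entry applies only if it
        was stored with includeSubDomains (RFC 6797 sections 8.2 and 8.3)."""
        host = host.lower().rstrip('.')
        labels = host.split('.')
        for i in range(len(labels)):
            entry = self._hosts.get('.'.join(labels[i:]))
            if entry is None:
                continue
            expiry, incl = entry
            if expiry <= self._now():
                continue
            if i == 0 or incl:
                return True
        return False


def coverage(header_value, served_by='xxx.yyy.com'):
    """Which of the hosts from the question are forced to HTTPS after
    `served_by` has sent `header_value` once over HTTPS."""
    store = HstsStore()
    store.observe(served_by, header_value)
    hosts = ['xxx.yyy.com', 'a.xxx.yyy.com', 'zzz.yyy.com', 'yyy.com']
    return {h: store.is_hsts_host(h) for h in hosts}


if __name__ == '__main__':
    for hv in ('max-age=31536000', 'max-age=31536000; includeSubDomains'):
        print(hv, '->', coverage(hv))
```

The store is keyed by the host that actually sent the header, so `zzz.yyy.com` and `yyy.com` are never touched unless they send a header of their own; that is exactly what the bank example in the last comment shows in Chrome's list. One caveat for anyone later considering the browser preload list: preloading `yyy.com` requires `includeSubDomains` on the apex, which would cover every subdomain and undo this split.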