4

I'm using HSTS with this header on my website:

 Strict-Transport-Security: max-age=15768000; includeSubDomains

This works as intended and forces the browser to redirect all http connections to https.

In the documentation at https://www.rfc-editor.org/rfc/rfc6797#section-6.1.2 I did not find a way to exclude specified subdomains!

I already tried to add max-age=0 for the subdomain, but it does not overwrite includeSubDomains.

Is it possible to exclude subdomains from the includeSubDomains rule? Or is the only way to remove this rule and just use the HSTS header for some websites? PS: My webserver is NGINX and I tested the behaviour with Firefox and Chrome.

zuim
  • 180
  • 1
  • 7
  • 4
  • No way. Either it works for all subdomains or you have to set it for every subdomain explicitly. Or move your exception to a completely unrelated domain. – Alexey Ten Apr 20 '16 at 19:26
  • OK, thanks. Then I will just send the header without includeSubDomains. – zuim Apr 20 '16 at 19:36

1 Answer

3

No:

I think one of the points of includeSubDomains is to ensure that it's not possible for an attacker to hijack cookies etc. by forcing the end user to load a subdomain over plain http and then them. If there was even one exception to includeSubDomains then it would be useless (assuming it's possible for the attacker to figure out what the exception is).

EoghanM
  • 560
  • 2
  • 7
  • 15
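To see why the max-age=0 attempt from the question cannot carve a subdomain out of the parent's includeSubDomains policy, here is a small model of the user agent's "Known HSTS Host" store as RFC 6797 describes it (header processing in section 8.1, domain-name matching in section 8.2, URI rewriting in section 8.3). This is an added example, not code from the question, the answer, or any browser; the host names and timestamps are constructed.

```python
"""Model of an RFC 6797 "Known HSTS Host" store (added example).

It shows why a max-age=0 header sent by a subdomain cannot override a
parent domain's includeSubDomains directive: max-age=0 only deletes the
sending host's own entry, while matching walks up to parent entries.
Host names and times used below are constructed.
"""
from __future__ import annotations

import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time at which the policy lapses
    include_subdomains: bool  # the includeSubDomains directive was present


class HstsStore:
    """Per-user-agent list of known HSTS hosts, keyed by lower-case host name."""

    def __init__(self) -> None:
        self.hosts: dict[str, HstsEntry] = {}

    def process_header(self, host: str, header: str, now: float | None = None) -> None:
        """Apply a Strict-Transport-Security header received from `host`
        over a secure connection (RFC 6797 section 8.1)."""
        now = time.time() if now is None else now
        host = host.lower()
        max_age = None
        include_subdomains = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and max_age is None:
                m = re.fullmatch(r'"?(\d+)"?', value.strip())
                if m is None:
                    return  # malformed max-age: the whole header is ignored
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # max-age is required; a header without it is ignored
        if max_age == 0:
            # max-age=0 only forgets THIS host's own entry; it says nothing
            # about, and cannot override, a parent domain's policy.
            self.hosts.pop(host, None)
            return
        self.hosts[host] = HstsEntry(now + max_age, include_subdomains)

    def is_known_hsts_host(self, host: str, now: float | None = None) -> bool:
        """RFC 6797 section 8.2: a congruent match on the host itself, or a
        superdomain match on any parent whose entry carries includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_uri(self, uri: str, now: float | None = None) -> str:
        """RFC 6797 section 8.3: upgrade http:// to https:// for known HSTS
        hosts; an explicit port 80 becomes the https default, others are kept."""
        parts = urlsplit(uri)
        if parts.scheme == "http" and parts.hostname and self.is_known_hsts_host(parts.hostname, now):
            netloc = parts.hostname
            if parts.port is not None and parts.port != 80:
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return uri


def demo() -> dict[str, str]:
    """Reproduce the question: the parent sends includeSubDomains, then a
    subdomain tries to opt out with max-age=0.  Returns the rewritten form
    of each test URI (constructed host names)."""
    store = HstsStore()
    t0 = 1_700_000_000.0
    store.process_header("example.test", "max-age=15768000; includeSubDomains", now=t0)
    # The subdomain's max-age=0 is processed, but it only removes an entry for
    # "legacy.example.test", which does not exist; the parent's policy stays.
    store.process_header("legacy.example.test", "max-age=0", now=t0)
    return {
        u: store.rewrite_uri(u, now=t0)
        for u in ("http://example.test/", "http://legacy.example.test/", "http://other.test/")
    }


if __name__ == "__main__":
    for original, rewritten in demo().items():
        print(f"{original} -> {rewritten}")
```

Running `demo()` shows `http://legacy.example.test/` still being upgraded to https, which is the behaviour observed in the question: the only policy state a subdomain can change is its own entry, and the lookup for any name under `example.test` reaches the parent's includeSubDomains entry regardless. The model also makes the alternative from the comments concrete: a store fed `max-age=...` without includeSubDomains from `www.example.test` upgrades only that exact host and leaves its sibling subdomains untouched.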