The question is almost in the title itself. If I had an app and use includeSubdomains
for the HSTS header but have no subdomains at all, is this considered good or bad?
2 Answers
It is good.
If you plan on submitting your site to Google's HSTS Preload list, you will need to have the includeSubdomains directive even if you have no subdomains. If you ever plan on having a subdomain, it'll mean that you will need to set it up to support HTTPS from Day 1. I consider this a good thing, as it is a plus for security.

It's good.
Let's say you have https://example.com and that's all you use. HSTS ensures you can only use HTTPS on this domain. This prevents downgrade attacks.
Without includeSubDomain, an attacker could set up and use a fake subdomain like http://www.example.com or http://secure.example.com or http://anyotherlegitimatesoundingsubdomain.example.com and serve them over http and get people somehow to go there instead of https://example.com. Of course this requires access to manipulate the DNS of the victim, but that's possible through certain techniques.
As it's a subdomain of your main domain it will look legitimate (though won't have https) and can also potentially leak or override cookies for the main domain.
Just because YOU don't use a subdomain doesn't mean your users know that.
For an app this is perhaps less critical as the URL will be set on the app and more difficult to change, and they typically don't use cookies, but it's still considered best practice to use includeSubDomain.
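The following is an added example, not code from either answer. It ties the two points together: the first function parses a Strict-Transport-Security header and reports which of the preload-list requirements it misses (assumption: the requirements are a max-age of at least one year, includeSubDomains and preload, as published at hstspreload.org), and the small HstsCache class mimics how a browser decides whether to upgrade a navigation, following the exact-match and superdomain-match rule of RFC 6797 section 8.3. The hostnames used are constructed examples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: minimum max-age the preload list asks for (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory and unknown
    directives are ignored. Returns None when the header is not usable."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: a UA would ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> List[str]:
    """Return the reasons a header would not be accepted for preloading."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsCache:
    """Minimal model of a browser's list of known HSTS hosts."""

    def __init__(self) -> None:
        self._known: Dict[str, HstsPolicy] = {}

    def remember(self, host: str, policy: HstsPolicy) -> None:
        # max-age=0 tells the UA to forget the host (RFC 6797 section 6.1.1).
        if policy.max_age == 0:
            self._known.pop(host.lower(), None)
        else:
            self._known[host.lower()] = policy

    def should_upgrade(self, host: str) -> bool:
        """True if a plain-http request to host must be rewritten to https.

        An exact match always upgrades; a superdomain match upgrades only
        when that superdomain's policy carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._known.get(candidate)
            if policy is None:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def upgrade_decisions(header: str, navigated_host: str) -> bool:
    """Constructed scenario: example.com served `header`; will the browser
    later upgrade a plain-http visit to `navigated_host`?"""
    cache = HstsCache()
    policy = parse_hsts(header)
    if policy is not None:
        cache.remember("example.com", policy)
    return cache.should_upgrade(navigated_host)


if __name__ == "__main__":
    print(preload_problems("max-age=300"))
    print(upgrade_decisions("max-age=31536000", "secure.example.com"))
    print(upgrade_decisions("max-age=31536000; includeSubDomains", "secure.example.com"))
```

Running it shows the second answer's point directly: with only `max-age=31536000` on example.com, a visit to http://secure.example.com is left on plain HTTP, while adding includeSubDomains makes the browser upgrade every host under example.com, whether or not such a host actually exists.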
