sslhttpsstrict-transport-security

Is there anyway I can use Strict-Transport security


Is there any way to use a Strict-Transport security header on a site but still have non-ssl sub-domains?


Solution

  • You can just set Strict-Transport-Security header without includeSubDomains. For example if you set Strict-Transport-Security: max-age=31536000 on https://example.com, then browsers won't enforce HTTPS for nonsslsub.example.com.