Is there any way to use a Strict-Transport-Security header on a site but still have non-SSL sub-domains?
You can just set the Strict-Transport-Security header without includeSubDomains. For example, if you set Strict-Transport-Security: max-age=31536000 on https://example.com, then browsers won't enforce HTTPS for nonsslsub.example.com.
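The scoping rule in the answer above can be checked mechanically. The following is an added example (not code from the original post): a small parser for the HSTS header syntax of RFC 6797 plus a function that decides whether a browser holding the policy from one host would force HTTPS for a given request host. The function names parse_hsts and hsts_enforced and the sample hosts are assumptions for illustration; the model ignores the browser preload list and persisted policies from other hosts, and only models a single header received over HTTPS.

```python
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    """Directives that matter for scoping an HSTS policy (RFC 6797 section 6.1)."""
    max_age: int
    include_subdomains: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.

    Directives are separated by ';', names are case-insensitive, max-age is
    mandatory, and unknown directives (e.g. 'preload') are ignored.
    """
    max_age = None
    include_subdomains = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # Any other directive is ignored, as the RFC requires.
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age=max_age, include_subdomains=include_subdomains)


def hsts_enforced(policy_host: str, header: str, request_host: str) -> bool:
    """Return True if the policy received from policy_host (over HTTPS)
    makes a browser upgrade/refuse plain HTTP for request_host.

    Matching is label-based: 'notexample.com' is not a subdomain of
    'example.com', so a naive suffix check would be wrong.
    """
    policy = parse_hsts(header)
    if policy.max_age == 0:
        # max-age=0 tells the browser to forget the policy entirely.
        return False
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    if policy.include_subdomains and request_host.endswith("." + policy_host):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample hosts mirroring the answer above.
    header_without = "max-age=31536000"
    header_with = "max-age=31536000; includeSubDomains"
    print(hsts_enforced("example.com", header_without, "nonsslsub.example.com"))  # False
    print(hsts_enforced("example.com", header_with, "nonsslsub.example.com"))     # True
```

Two caveats worth keeping in mind when relying on this: the exemption only holds as long as no response from example.com (or any parent domain a browser has seen) ever carried includeSubDomains, since browsers cache the policy for max-age seconds; and if nonsslsub.example.com is ever served over HTTPS with its own Strict-Transport-Security header, it becomes its own known HSTS host regardless of the parent's settings.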