Is there any way to use a Strict-Transport security header on a site but still have non-ssl sub-domains?
-1
It would appear not: https://security.stackexchange.com/questions/161677/can-i-use-hsts-with-mixed-http-https-subdomains/161680#161680 – Richard Jun 10 '17 at 15:00
1 Answer
0
You can just set Strict-Transport-Security header without includeSubDomains. For example, if you set Strict-Transport-Security: max-age=31536000 on https://example.com, then browsers won't enforce HTTPS for nonsslsub.example.com.
X. Liu
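The matching behaviour the answer above relies on, as an added example that is not part of the original answer: a small model of how a browser parses the header and decides whether a host is covered, following the RFC 6797 rules. The function names and the store layout are assumptions made for this sketch; the host names are the ones used in the answer.

```javascript
// Added example: a small model of a browser's HSTS store (RFC 6797 matching rules).
// Helper names are made up for this sketch; host names are the ones from the answer.

// Parse a header value; returns null when the header must be ignored
// (missing or non-numeric max-age, or a directive that appears twice).
function parseHsts(value) {
  const seen = new Map();
  for (const part of value.split(";")) {
    const trimmed = part.trim();
    if (trimmed === "") continue;                  // empty directives are allowed
    const eq = trimmed.indexOf("=");
    const name = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : trimmed.slice(eq + 1).trim();
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // quoted-string form
    if (seen.has(name)) return null;
    seen.set(name, val);
  }
  const maxAge = seen.get("max-age");
  if (maxAge == null || !/^\d+$/.test(maxAge)) return null;
  return { maxAge: Number(maxAge), includeSubDomains: seen.has("includesubdomains") };
}

// Record a policy received over HTTPS from `host`; max-age=0 deletes the entry.
function noteHeader(store, host, headerValue, nowSec) {
  const policy = parseHsts(headerValue);
  if (policy === null) return;
  if (policy.maxAge === 0) { store.delete(host.toLowerCase()); return; }
  store.set(host.toLowerCase(), { ...policy, expires: nowSec + policy.maxAge });
}

// Would http://host be upgraded to HTTPS? An exact match always counts;
// a parent domain's entry counts only if it carried includeSubDomains.
function isUpgraded(store, host, nowSec) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = store.get(labels.slice(i).join("."));
    if (!entry || entry.expires <= nowSec) continue;
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// Constructed scenario: example.com sends headerValue, then the subdomain is checked.
function demo(headerValue) {
  const store = new Map();
  noteHeader(store, "example.com", headerValue, 0);
  return isUpgraded(store, "nonsslsub.example.com", 1);
}
console.log(demo("max-age=31536000"), demo("max-age=31536000; includeSubDomains"));
```

The model covers only policy delivered by the header; browser preload lists are not modelled.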