Is there any way to use a Strict-Transport-Security header on a site but still have non-SSL sub-domains?

Richard
  • It would appear not: https://security.stackexchange.com/questions/161677/can-i-use-hsts-with-mixed-http-https-subdomains/161680#161680 – Richard Jun 10 '17 at 15:00

1 Answer

You can just set the Strict-Transport-Security header without includeSubDomains. For example, if you set Strict-Transport-Security: max-age=31536000 on https://example.com, then browsers won't enforce HTTPS for nonsslsub.example.com.

X. Liu
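Added example, not part of the original post: a small model of how a browser records an HSTS policy (RFC 6797) and decides whether a host must be fetched over HTTPS, showing that a policy on example.com only reaches nonsslsub.example.com when includeSubDomains is present. The header values and host names are constructed for this example.

```python
"""Minimal model of browser HSTS handling (added example, not from the original answer)."""
import re

# Constructed header values for the two cases discussed in the answer.
HSTS_HOST_ONLY = "max-age=31536000"
HSTS_WITH_SUBS = "max-age=31536000; includeSubDomains"


def parse_hsts(header):
    """Parse an STS header value; directive names are case-insensitive."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def record_hsts(known_hosts, host, header, over_tls=True):
    """Cache a policy the way a browser does: only from an error-free TLS
    response, and max-age=0 deletes any cached policy for that host."""
    if not over_tls:  # RFC 6797 s8.1: STS headers over plain HTTP are ignored
        return
    policy = parse_hsts(header)
    if policy["max_age"] is None:  # max-age is required for a valid policy
        return
    host = host.lower().rstrip(".")
    if policy["max_age"] == 0:
        known_hosts.pop(host, None)
    else:
        known_hosts[host] = policy


def must_use_https(known_hosts, request_host):
    """True if the host itself, or a superdomain whose policy has
    includeSubDomains, is a cached HSTS host."""
    labels = request_host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy is not None and (i == 0 or policy["include_subdomains"]):
            return True
    return False
```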