HSTS on a subdomain with includeSubdomains

Based on the RFC for HTTP Strict Transport Security (HSTS), the includeSubDomains section states:

6.1.2. The includeSubDomains Directive

The OPTIONAL "includeSubDomains" directive is a valueless directive which, if present (i.e., it is "asserted"), signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.

Therefore your HSTS policy would only apply to foo.example.com and *.foo.example.com.

example.com and bar.example.com would not be impacted.

For more info, there is a great thread on webmasters titled Do I need a wildcard SSL certificate for inclusion in the HSTS preload list?


It depends. Section 11.4.2 describes the scenario of web apps interacting with the subdomains but not with the HSTS host (abc.domain.com but not domain.com), and in this case the UAs will not enforce the HSTS policy. The suggestion is:

HSTS Hosts should be configured such that the STS header field is emitted directly at each HSTS Host domain or subdomain name that constitutes a well-known "entry point"

But section 11.4.1 says that all subdomains must implement HTTPS, so as long as they do it should work just fine.

From the spec:

If ca.example.com were to issue an HSTS Policy with the includeSubDomains directive, then HTTP-based user agents implementing HSTS that have interacted with the ca.example.com web application would fail to retrieve CRLs and fail to check OCSP for certificates, because these services are offered over plain HTTP.

In this case, Example CA can either:

  • not use the includeSubDomains directive, or

  • ensure that HTTP-based services offered at subdomains of ca.example.com are also uniformly offered over TLS/SSL, or

  • offer plain HTTP-based services at a different domain name, e.g., crl-and-ocsp.ca.example.NET, or

  • utilize an alternative approach to distributing certificate status information, obviating the need to offer CRL distribution and OCSP services over plain HTTP (e.g., the "Certificate Status Request" TLS extension [RFC6066], often colloquially referred to as "OCSP Stapling").
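The matching and rewriting rules that the two answers above rely on, as an added example that is not part of the original thread: a small Python model of a user agent's Known HSTS Host store following RFC 6797 sections 8.1 to 8.3 (STS header processing, congruent and superdomain matching, http-to-https URI rewriting). It replays the first answer's foo.example.com case and the second answer's ca.example.com and abc.domain.com "entry point" cases. The class name HstsStore, the scenario functions and the extra host names (notfoo.example.com, ocsp.ca.example.com, other.example.org) are my own constructed inputs; this is a teaching model, not any browser's implementation.

```python
"""Teaching model of a UA's Known HSTS Host store (RFC 6797 sections 8.1-8.3).
Not a browser implementation; host names below are constructed for the demo."""
import ipaddress
import time
from urllib.parse import urlsplit, urlunsplit

STS = "strict-transport-security"


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # domain name -> (expiry timestamp, includeSubDomains asserted)

    @staticmethod
    def _is_ip_literal(host):
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            return False

    def process_response(self, host, secure, headers):
        """Apply the STS header of one response (8.1). Headers received over plain
        HTTP or a TLS session with certificate errors are ignored, as are IP
        literals (8.1.1). Header names are matched case-insensitively."""
        host = host.lower().rstrip(".")
        if not secure or self._is_ip_literal(host):
            return
        value = next((v for k, v in headers.items() if k.lower() == STS), None)
        if value is None:
            return
        max_age, include = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                if max_age is not None:      # a directive must not be repeated (6.1)
                    return
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return
            elif name == "includesubdomains":
                include = True
        if max_age is None:                  # max-age is REQUIRED (6.1.1)
            return
        if max_age == 0:                     # max-age=0 removes the policy
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + max_age, include)

    def is_hsts_host(self, host):
        """Known HSTS Host matching (8.2): a congruent (exact) match, or a
        superdomain match when the stored policy asserts includeSubDomains.
        The superdomain test is label-based, so notfoo.example.com is not
        covered by a policy from foo.example.com."""
        host = host.lower().rstrip(".")
        now = self.now()
        for known, (expires, include) in self.hosts.items():
            if expires <= now:
                continue
            if host == known or (include and host.endswith("." + known)):
                return True
        return False

    def load(self, url):
        """URI rewriting (8.3): http becomes https, port 80 maps to the
        implicit 443, any other explicit port is preserved."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_hsts_host(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def foo_subdomain_scope():
    """First answer: a policy emitted by foo.example.com with includeSubDomains."""
    ua = HstsStore(now=lambda: 1_000_000.0)
    ua.process_response("foo.example.com", True, {STS: "max-age=31536000; includeSubDomains"})
    return {h: ua.is_hsts_host(h) for h in ("foo.example.com", "abc.foo.example.com",
                                            "example.com", "bar.example.com",
                                            "notfoo.example.com")}


def ca_scenario():
    """RFC 6797 CA example: CRL/OCSP hosts under ca.example.com get upgraded
    (and would fail if served only over plain HTTP); a .net domain is untouched."""
    ua = HstsStore(now=lambda: 1_000_000.0)
    ua.process_response("ca.example.com", True, {STS: "max-age=86400; includeSubDomains"})
    return [ua.load(u) for u in ("http://crl.ca.example.com/ca.crl",
                                 "http://ocsp.ca.example.com:8080/",
                                 "http://crl-and-ocsp.ca.example.net/ca.crl")]


def entry_point_scenario():
    """Second answer: a UA that only ever visited abc.domain.com. domain.com is
    not a subdomain of that HSTS host, so it stays unprotected until it emits
    the STS header itself. A header seen over plain HTTP is ignored."""
    ua = HstsStore(now=lambda: 1_000_000.0)
    ua.process_response("abc.domain.com", True, {STS: "max-age=86400; includeSubDomains"})
    before = ua.load("http://domain.com/login")
    ua.process_response("domain.com", True, {STS: "max-age=86400"})
    after = ua.load("http://domain.com/login")
    ua.process_response("other.example.org", False, {STS: "max-age=86400"})
    ignored = ua.load("http://other.example.org/")
    return before, after, ignored


if __name__ == "__main__":
    print(foo_subdomain_scope())
    print(ca_scenario())
    print(entry_point_scenario())
```

The superdomain check is deliberately `host.endswith("." + known)` rather than a plain substring test; dropping the leading dot is the classic bug that would make a policy from foo.example.com "cover" notfoo.example.com. Note also that the store only learns a policy from a response it received over error-free TLS, which is why the plain-HTTP header in the last scenario has no effect.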


Would the HSTS policy have any effect on domains such as example.com or bar.example.com?

Yes. includeSubDomains affects all subdomains of the domain name. Crucially, the domain name of foo.example.com is example.com so all compliant user agents will apply the HSTS restriction to *.example.com.

6.1.2. The includeSubDomains Directive

The OPTIONAL "includeSubDomains" directive is a valueless directive which, if present (i.e., it is "asserted"), signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.

(emphasis mine)

The certificate isn't valid for abc.foo.example.com, but I imagine that if there is a valid cert for such a host, the HSTS policy would apply there.

That's correct. Certificate validity is orthogonal to whether a host name is subject to a Strict Transport Security restriction.