TWA 0203
Nemo edited this page Oct 29, 2019
"Strict-Transport-Security, but no includeSubDomains"
The `includeSubDomains` directive ensures that users who have visited example.com are not vulnerable to downgrade attacks on any of its subdomains, such as cdn.example.com: once the browser has cached the policy for example.com, it rewrites plain-http requests to those subdomains to https before they leave the machine. Since all your subdomains should be using HTTPS anyway, setting this also saves the http-to-https redirect on the first request to each of them. Two things to check before enabling it: the directive only covers subdomains of the host that sent the header (a policy learned from cdn.example.com protects cdn.example.com and its own subdomains, not example.com or www.example.com), and every subdomain, including internal or legacy ones, must actually serve HTTPS, because browsers that have seen the policy will no longer reach them over plain HTTP.
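The following is an added example, not code from the original page or from the project behind it. It parses a `Strict-Transport-Security` value, reports this finding when `includeSubDomains` is missing, and models how a browser's HSTS store decides whether a request is upgraded. The header strings, hostnames and function names (`parse_hsts`, `finding_twa_0203`, `HstsStore`) are constructed for the example.

```python
"""HSTS includeSubDomains: header check plus a model of the browser's policy store.

Added example; header values below are constructed, not captured from a real site.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed header values: the weak one triggers the finding, the fixed one does not.
WEAK_HEADER = "max-age=31536000"
FIXED_HEADER = "max-age=31536000; includeSubDomains"


@dataclass
class HstsPolicy:
    host: str               # the host that sent the header (the "HSTS host")
    max_age: int            # seconds; 0 means "forget this policy"
    include_subdomains: bool


def parse_hsts(host: str, header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value into a policy for `host`.

    Directive names are case-insensitive. A missing or malformed max-age
    makes the header invalid, in which case None is returned and a browser
    would ignore it.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(host=host, max_age=max_age, include_subdomains=include_sub)


def finding_twa_0203(host: str, header: str) -> bool:
    """True when the header is valid but lacks includeSubDomains (this finding)."""
    policy = parse_hsts(host, header)
    return policy is not None and not policy.include_subdomains


def covers(policy: HstsPolicy, request_host: str) -> bool:
    """Does a single stored policy force https for request_host?"""
    if policy.max_age == 0:
        return False
    if request_host == policy.host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy.host)


class HstsStore:
    """Minimal model of a browser's HSTS cache, keyed by the sending host."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header: str) -> None:
        """Record the policy from a header received over HTTPS from `host`."""
        policy = parse_hsts(host, header)
        if policy is not None:
            self.policies[host] = policy

    def should_upgrade(self, request_host: str) -> bool:
        """Walk from the host up through its parents, as browsers do, and
        upgrade if any stored policy covers the request."""
        labels = request_host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is not None and covers(policy, request_host):
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", WEAK_HEADER)
    print("cdn upgraded with weak header:", store.should_upgrade("cdn.example.com"))   # False
    store.observe("example.com", FIXED_HEADER)
    print("cdn upgraded with fixed header:", store.should_upgrade("cdn.example.com"))  # True
```

Running it shows the practical difference: with `WEAK_HEADER` cached for example.com, a plain-http request to cdn.example.com goes out unprotected; after `FIXED_HEADER` is seen, it is upgraded. The store also shows the scope rule from the text: a policy observed from cdn.example.com never upgrades example.com or www.example.com.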
Include the `includeSubDomains` directive in the `Strict-Transport-Security` header.