Help adding includeSubDomains to the Strict-Transport-Security header

pfaffman · September 8, 2025, 9:09pm

A client used a helpful security scanner and now believes that the Strict-Transport-Security header should include ‘includeSubdomains’.

I’ve added both of these to the app.yml:


  after_ssl:
    - replace:
        filename: /etc/nginx/conf.d/outlets/server/20-https.conf
        from: "max-age=31536000;"
        to:  "max-age=31536000; includeSubDomains;"
    - replace:
        filename: /etc/nginx/conf.d/outlets/discourse/20-https.conf
        from: "max-age=31536000;"
        to:  "max-age=31536000; includeSubDomains;"

- exec: sed -i "s/add_header Strict-Transport-Security 'max-age=31536000';/add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;/" /etc/nginx/conf.d/outlets/discourse/20-https.conf /etc/nginx/conf.d/outlets/server/20-https.conf

Neither seems to work. Running the sed command in the second on inside the container works and after restarting nginx, does what’s requested.

I don’t understand why it won’t work.

Also, this used to be in the template, but it seems like it was removed in 2014, but some recent posts include headers that show the includeSubdomains in there.

I’m stumped

tobiaseigen · September 17, 2025, 5:39pm

Hmm.. you don’t seem to be getting an answer here. Does this topic belong in Dev or Installation > Hosting?

pfaffman · September 22, 2025, 1:48pm

Well,l I moved it there, but the initial issue is that someone claimed that not setting includeSubDomains was a security issue.

I’d love it if someone who knew and cared about whether having IncludeSubDomains in the the STS header was important could address the issue so perhaps I could tell this person that hundreds of thousands of other sites disagree and that perhaps the script that someone ran to find these “security flaws” is wrong.

So maybe I should rename this “missing includeSubDomains in STS header considered harmful”

RGJ · September 22, 2025, 2:16pm

I would call it a configuration choice instead.

Is the forum on an apex domain or not?

I always tell people that we are very cautious of setting headers that affect other hostnames on their domain, and if they want to have HSTS on those, they should set the headers on those respective hosts instead.

The only valid reason I can think of is they cannot do that, e.g. when the forum is on an apex domain and the client is not able to control the HSTS headers on other externally hosted hosts, e.g. they have hostedshopify.example.com as well. Then they basically come to you because you’re the path of least resistance

pfaffman · September 22, 2025, 2:38pm

It is not.

That’s what I think I thought, though I wasn’t able to articulate it.

Thanks. I’ll tell them that since it’s not the Apex domain it’s Best Practice to have each host enforce its own rules.

Thanks so very much. This is a big help. At least now am pretty sure thatI understand.

Topic		Replies	Views
Set Strict-Transport-Security header Installation	3	552	October 10, 2022
HSTS header not set with www and non www setup Support nginx	2	725	October 6, 2022
Let’s Encrypt problem after upgrading to 1.9.0.beta3 Bug	14	1660	July 14, 2017
Percieved Security on Insta DMs Support	5	73	July 13, 2025
How can I fix the Permissions Policy header? Support	4	966	October 20, 2023

Help adding includeSubDomains to the Strict-Transport-Security header

Related topics