Well, I moved it there, but the initial issue is that someone claimed that not setting includeSubDomains was a security issue.
I’d love it if someone who knew and cared about whether having IncludeSubDomains in the STS header was important could address the issue so perhaps I could tell this person that hundreds of thousands of other sites disagree and that perhaps the script that someone ran to find these “security flaws” is wrong.
So maybe I should rename this “missing includeSubDomains in STS header considered harmful”.