HSTS without `includeSubDomains` protects only the exact host that sent the header. If yourdomain.com enforces HTTPS, api.yourdomain.com, cdn.yourdomain.com, and auth.yourdomain.com remain open to SSL stripping: an attacker on the same network can downgrade a user's first plaintext request to any uncovered subdomain, read or modify that traffic, and capture credentials or session tokens. Cookies scoped to the parent domain (Domain=.yourdomain.com) that lack the Secure attribute are also sent with such a plaintext request, so the main site's session cookie can leak even though the main site itself is never reached over HTTP; RFC 6797 names this as the reason the directive exists. CWE-311 (Missing Encryption of Sensitive Data) and CWE-319 (Cleartext Transmission of Sensitive Information) both apply, and the gap falls under OWASP A02:2021 (Cryptographic Failures) as incomplete transport hardening that leaves backend APIs and CDN endpoints unprotected.
High because omitting `includeSubDomains` leaves all subdomains — including API, auth, and CDN endpoints that handle credentials and session tokens — vulnerable to SSL stripping despite main-domain HSTS being configured.
Add `includeSubDomains` to your HSTS header configuration, and make sure the header is sent by the registrable domain (yourdomain.com), not only by www, because the directive covers subdomains of the host that set the policy. Before doing so, verify that every subdomain your application uses serves a valid TLS certificate: once a browser has cached the policy it refuses plaintext connections to every covered subdomain, so an HTTP-only host becomes unreachable from that browser until the cached policy expires.
// next.config.js
// Next.js expects headers() to be an async function returning the rule list.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{
        key: 'Strict-Transport-Security',
        value: 'max-age=31536000; includeSubDomains'
      }]
    }];
  }
};
Inventory every active subdomain before adding includeSubDomains. Note that `dig +short yourdomain.com` only returns the apex's own records and does not enumerate subdomains: export the zone file from your DNS provider (or run `dig axfr yourdomain.com @ns1.yourdomain.com` if your nameserver allows zone transfers to you) and cross-check Certificate Transparency logs for hosts nobody remembers. Then confirm each host answers on port 443 with a valid certificate, for example `curl -sI https://api.yourdomain.com`. Any subdomain serving HTTP-only content will break for every browser that has cached the policy.
ID: security-headers-ii.transport-hardening.hsts-include-subdomains
Severity: high
What to look for: Before evaluating, extract and quote the complete HSTS header value from framework config, middleware, or deployment config. Without includeSubDomains, subdomains are still vulnerable to SSL stripping even if the main domain has HSTS — an attacker can intercept traffic to api.example.com or cdn.example.com.
Pass criteria: includeSubDomains is present in the HSTS header — at least 2 directives expected (max-age + includeSubDomains). Count all HSTS directives, extract and quote the complete HSTS header value even on pass: "HSTS: max-age=31536000; includeSubDomains."
Fail criteria: HSTS header is present but does not include includeSubDomains.
Report even on pass: Always quote the actual full HSTS header value.
Skip (N/A) when: No HSTS header configured at all (defer to Security Headers & Basics for basic HSTS presence).
Detail on fail: "HSTS header 'max-age=31536000' does not include includeSubDomains — subdomains vulnerable to SSL stripping" or "HSTS configured but subdomains not covered: 'Strict-Transport-Security: max-age=63072000'"
Remediation: Without includeSubDomains, attackers can still intercept traffic to your subdomains even though the main domain uses HTTPS. Add the directive to the header entry (this object belongs in the array returned by headers() in next.config.js):
{
  source: '/(.*)',
  headers: [{
    key: 'Strict-Transport-Security',
    value: 'max-age=31536000; includeSubDomains'
  }]
}
Ensure ALL subdomains support HTTPS before adding includeSubDomains: any subdomain without HTTPS becomes unreachable from every browser that has cached the policy, and stays unreachable until the cached policy expires or the host gains a valid certificate.
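The following is an added example, not code from the original page or from Next.js: a small Node.js audit helper that parses a Strict-Transport-Security value, applies the pass/fail/N-A criteria above, and predicts which hosts a policy actually covers so the pre-rollout check can be run against an inventory. It goes beyond the single directive check by implementing the RFC 6797 host-matching rule (a policy from www.example.com with includeSubDomains does not cover api.example.com). All hostnames, the inventory, and the function names are constructed assumptions.

```javascript
// Split an HSTS value into its directives (RFC 6797 section 6.1: separated by ';',
// names case-insensitive, values optionally quoted, duplicate names not allowed).
function parseHsts(value) {
  const directives = new Map();
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    if (directives.has(name)) throw new Error(`duplicate directive: ${name}`);
    directives.set(name, val);
  }
  return {
    directives,
    maxAge: directives.has('max-age') ? Number(directives.get('max-age')) : NaN,
    includeSubDomains: directives.has('includesubdomains'),
  };
}

// Apply the check: N/A without a header, fail without includeSubDomains,
// pass otherwise. The detail string always quotes the full header value.
function evaluateHsts(headerValue) {
  if (headerValue == null || headerValue.trim() === '') {
    return { result: 'N/A', detail: 'no HSTS header configured' };
  }
  const quoted = `'Strict-Transport-Security: ${headerValue}'`;
  let parsed;
  try {
    parsed = parseHsts(headerValue);
  } catch (err) {
    return { result: 'fail', detail: `malformed HSTS header (${err.message}): ${quoted}` };
  }
  if (!Number.isInteger(parsed.maxAge) || parsed.maxAge < 0) {
    return { result: 'fail', detail: `missing or invalid max-age: ${quoted}` };
  }
  if (!parsed.includeSubDomains) {
    return { result: 'fail', detail: `HSTS configured but subdomains not covered: ${quoted}` };
  }
  return {
    result: 'pass',
    detail: `HSTS: ${headerValue} (${parsed.directives.size} directives)`,
  };
}

// RFC 6797 sections 8.2 and 8.3: a policy set by host H applies to H itself
// and, with includeSubDomains, to every host whose name ends in "." + H.
// A policy sent only by www.example.com therefore never covers api.example.com.
function policyCovers(policyHost, includeSubDomains, targetHost) {
  const h = policyHost.toLowerCase();
  const t = targetHost.toLowerCase();
  return t === h || (includeSubDomains && t.endsWith('.' + h));
}

// Pre-rollout check: given an inventory of hostname -> "serves valid HTTPS",
// list the hosts that would become unreachable in browsers that cache an
// includeSubDomains policy set by policyHost.
function rolloutBreakage(policyHost, inventory) {
  return Object.entries(inventory)
    .filter(([host, https]) => !https && policyCovers(policyHost, true, host))
    .map(([host]) => host)
    .sort();
}

// Constructed sample inventory (hypothetical hosts, not real DNS data).
const sampleInventory = {
  'example.com': true,
  'www.example.com': true,
  'api.example.com': true,
  'cdn.example.com': false,             // HTTP-only asset host
  'legacy.intranet.example.com': false, // forgotten internal host
  'example.org': false,                 // different domain, never covered
};

console.log(evaluateHsts('max-age=31536000'));
console.log(evaluateHsts('max-age=31536000; includeSubDomains'));
console.log(rolloutBreakage('example.com', sampleInventory));
```

Feed `evaluateHsts` the header value extracted from the framework config or from a live `curl -sI` response, and feed `rolloutBreakage` the host list from the DNS zone export; every host it returns must get a certificate (or be retired) before the directive ships.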