Problems with HTTP Strict Transport Security Sub Domains

Lately, I have been looking into improving security for web applications. Using SSL or TLS is usually the first step towards a more secure web site. A further recommendation is to use HTTP Strict Transport Security (HSTS), a response header that tells browsers to connect to the site over HTTPS only, for as long as max-age says. All examples I found use includeSubDomains, which also enforces HSTS on every sub domain of the host that sent the header.


# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Unfortunately, this has some unexpected side effects.

1) HSTS is always enforced. The browser applies the cached policy to every name under the domain, even if the sub domain is on a different server and has no public DNS entry, because the policy is keyed on the domain name and not on the address it resolves to. I activated HSTS on walterebert.de and my local system stopped working. I use dev.walterebert.de on 127.0.0.1, but http://dev.walterebert.de/ could not be opened anymore. Firefox and Chrome always requested https://dev.walterebert.de/.

2) Certificates don't mix. I configured my local system to serve over HTTPS. Because it is not public, I created and used a self-signed certificate. And now a new problem arose. The self-signed certificate was blocked outright. The reason is not that it differed from the certificate for walterebert.de: on a host covered by HSTS, browsers do not offer the usual click-through for certificate errors, so any certificate the browser does not already trust, such as a self-signed one, is a hard failure.
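To make the first side effect concrete, here is a small Python model of a browser's HSTS cache. It is an added example, not code from the original post: it implements the superdomain matching of RFC 6797 (a parent domain's policy applies to a sub domain only when it carries includeSubDomains) and replays the dev.walterebert.de situation, first with and then without the directive. The class and function names are mine, and the host names and timestamps are constructed for the demonstration.

```python
"""Simulate how a browser applies a cached HSTS policy to sub domains.

Added example, not part of the original post. It models the superdomain
matching of RFC 6797 in a simplified way: a host is upgraded to HTTPS if
it has its own cached policy, or if a parent domain has a cached policy
that carries includeSubDomains. Hosts and header values are constructed.
"""
import time


def parse_sts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}. Directive names
    are case-insensitive and unknown directives are ignored, as RFC 6797
    requires. A missing max-age makes the header invalid (ValueError), in
    which case a browser leaves any existing policy untouched.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    """A per-browser store of known HSTS hosts, keyed by host name."""

    def __init__(self):
        self._known = {}

    def remember(self, host: str, header: str, now: float) -> None:
        """Record (or replace) the policy for `host` from an HTTPS response.

        A newly received header replaces the cached policy for that host,
        and max-age=0 removes it; that is how a site turns HSTS off again.
        """
        policy = parse_sts(header)
        host = host.lower()
        if policy["max_age"] == 0:
            self._known.pop(host, None)
            return
        self._known[host] = {
            "expires": now + policy["max_age"],
            "include_subdomains": policy["include_subdomains"],
        }

    def must_upgrade(self, host: str, now: float) -> bool:
        """Return True if http:// to `host` must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._known.get(candidate)
            if entry is None or entry["expires"] <= now:
                continue
            # An exact host match always applies; a parent domain's policy
            # applies only when it carries includeSubDomains.
            if i == 0 or entry["include_subdomains"]:
                return True
        return False


def demo():
    """Replay the post's situation: returns (dev blocked, dev free, prod still on)."""
    now = time.time()
    cache = HstsCache()
    # The production site sends the includeSubDomains variant.
    cache.remember("walterebert.de", "max-age=31536000; includeSubDomains", now)
    blocked_dev = cache.must_upgrade("dev.walterebert.de", now)
    # The site switches to the header without includeSubDomains; the cached
    # policy is replaced on the next HTTPS visit to walterebert.de.
    cache.remember("walterebert.de", "max-age=31536000", now)
    free_dev = cache.must_upgrade("dev.walterebert.de", now)
    still_prod = cache.must_upgrade("walterebert.de", now)
    return blocked_dev, free_dev, still_prod


if __name__ == "__main__":
    print(demo())
```

Note that the model matches on names only: 127.0.0.1, the missing public DNS entry and the separate server play no role in the decision, which is exactly why the local dev host was caught by the production policy.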

So, now I am not using includeSubDomains any more. Its use should not be your default. Two things to keep in mind: the browser only drops the old policy once it has received the new Strict-Transport-Security header from walterebert.de over HTTPS, because a newly received header replaces the cached one (max-age=0 would remove it entirely). And without includeSubDomains an attacker who can answer for an insecure sub domain can still set cookies for walterebert.de, and the browsers' HSTS preload list requires the directive; if you later want it back, keep development hosts off the public domain, for example under a .test name, instead of underneath it.


# Apache
Header always set Strict-Transport-Security "max-age=31536000"

# Nginx
add_header Strict-Transport-Security "max-age=31536000";