Problems with HTTP Strict Transport Security Sub Domains

Lately, I have been looking into improving security for web applications. Using SSL or TLS is usually to first step to create a more secure web site. A recommendation is also to use HTTP Strict Transport Security (HSTS) to tell browsers to always use a secure connection. All examples I found use includeSubDomains, which also enforces HSTS on sub domains.

# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Unfortunately, this has some unexpected side effects.

1) HSTS is always enforced. Even if the sub domain is on a different server and has no public DNS entry. I activated HSTS on and my local system stopped working. I use on, but could not be called anymore. Firefox and Chrome always requested

2) Certificates don't mix. I configured my local system to serve over HTTPS. Because it is not public, I created and used a self-signed certificate. And now a new problem arose. The self-signed certificate was entirely blocked, because it was different from the certificate for

So, now I am not using includeSubDomains any more. Its use should not be your default.

# Apache
Header always set Strict-Transport-Security "max-age=31536000"

# Nginx
add_header Strict-Transport-Security "max-age=31536000";