HSTS Not Applied to Subdomains

Low Severity Technical Guide

Vulnerability Description

Enabling HSTS without the includeSubDomains directive applies the policy only to the exact host that sent the header. Subdomains receive no HSTS protection, so they remain exposed to protocol downgrade attacks.

Remediation Guide

To resolve this finding, apply the following configuration change:

Append includeSubDomains to your Strict-Transport-Security header so the policy covers all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Serve the header over HTTPS on the parent domain itself, since the policy cascades from the host that sends it to its subdomains; a header sent only by www.example.com does not cover the rest of example.com. Before enabling it, confirm that every subdomain, including internal or rarely used ones, serves valid HTTPS, because browsers will refuse plain HTTP to all of them for the full max-age period.
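The check below, an added example rather than WebScanify's scanner code, parses Strict-Transport-Security values the way RFC 6797 requires a browser to (case-insensitive, single-occurrence directives, mandatory max-age) and reports the missing-includeSubDomains condition this guide describes, plus the malformed cases that make a browser ignore the header altogether. The header values it runs over are constructed samples.

```python
"""Flag Strict-Transport-Security values that omit includeSubDomains.
Added example for this guide; not WebScanify's scanner code."""
import re

# Constructed sample header values (not captured from any real site).
SAMPLE_HEADERS = {
    "apex-no-subdomains": "max-age=31536000",
    "apex-fixed": "max-age=31536000; includeSubDomains",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "quoted-and-uppercase": 'max-age="31536000"; INCLUDESUBDOMAINS',
    "duplicate-directive": "max-age=300; max-age=31536000; includeSubDomains",
    "missing-max-age": "includeSubDomains",
}

def parse_hsts(value):
    """Parse an STS header value into {directive_name_lowercase: value}.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    each may appear only once, and max-age (a possibly quoted number of
    seconds) is mandatory. Returns None for a non-conforming value,
    which browsers ignore entirely.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive makes the header non-conforming
        directives[name] = raw.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return directives

def hsts_findings(value):
    """Return a list of findings; an empty list means subdomains are covered."""
    directives = parse_hsts(value)
    if directives is None:
        return ["header is malformed and will be ignored by browsers"]
    findings = []
    if int(directives["max-age"]) == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    return findings

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:22} {hsts_findings(header) or ['OK']}")
```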

Verify Your Fix

After applying the remediation, confirm that the parent domain's HTTPS response carries the header with includeSubDomains (for example, by inspecting the response headers with curl -sI or the browser's developer tools), then run an external attack-surface scan to verify that WebScanify no longer reports the finding.

Is your website vulnerable?

Run a free security scan now to identify missing headers, outdated JS, and other deployment vulnerabilities.