How to fix: Subdomains don’t support HSTS

Issue: Subdomains without HTTP Strict Transport Security (HSTS) can still be reached over plain HTTP, exposing your users to downgrade and interception risks and harming trust and security.

Fix: Configure your server to support HSTS for your subdomains to ensure all content is served securely over HTTPS.

How to Fix for Beginners

  1. Check Server Support: Confirm that your hosting provider or server configuration supports HSTS.
  2. Enable HSTS for Subdomains: Add the Strict-Transport-Security header to your HTTPS server configuration and include the includeSubDomains directive (browsers ignore the header on plain-HTTP responses, so it must be sent on HTTPS responses).
    • Example header: Strict-Transport-Security: max-age=31536000; includeSubDomains
  3. Test Implementation: Use tools like SSL Labs to verify that HSTS is properly enabled across your subdomains.
  4. Update DNS Records (Optional): If your domain supports HSTS preload, ensure it is added to the preload list for maximum protection.
  5. Monitor for Issues: Check regularly to ensure all subdomains are being served securely with HSTS enabled.
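The following script is an added example (not part of the original page) that carries steps 2 to 5 through in code: it parses a Strict-Transport-Security header value the way RFC 6797 describes (semicolon-separated, case-insensitive directive names), flags a missing includeSubDomains directive, and checks the header against the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload). The sample header values are constructed for the demonstration; fetch_hsts_header is a small network helper for live monitoring and is not exercised by the offline samples.

```python
"""Audit a Strict-Transport-Security header for subdomain coverage and preload eligibility."""
from dataclasses import dataclass
from typing import Optional
from urllib.request import Request, urlopen

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list of an HSTS header value (RFC 6797 section 6.1)."""
    max_age = None
    include_sub = False
    preload = False
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    return HstsPolicy(max_age, include_sub, preload)


def audit_hsts(value: Optional[str]) -> list:
    """Return findings; an empty list means subdomains are covered and the policy is preload-eligible."""
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if policy.max_age is None:
        findings.append("missing required max-age directive")
    elif policy.max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains are not protected")
    if not policy.preload:
        findings.append("preload directive missing: not eligible for the preload list")
    return findings


def fetch_hsts_header(url: str, timeout: float = 10) -> Optional[str]:
    """Fetch the live header with a HEAD request (network; for step 5 monitoring)."""
    req = Request(url, method="HEAD")
    with urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample header values for the offline demonstration (not captured from any site).
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "no-subdomains": "max-age=31536000",
    "short": "max-age=300; includeSubDomains",
    "missing": None,
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        findings = audit_hsts(header)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Point the audit at the apex domain's HTTPS response first: includeSubDomains only protects sub.example.com after a browser has received the header from example.com itself, so the header must be present on the parent host, not just on the individual subdomains.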

Tip: Implementing HSTS improves security by ensuring all content is served over HTTPS, building user trust and protecting sensitive data.