Hello, I have a question regarding HSTS:
When I have a domain example.com and I also have a subdomain like sales.example.com, and I am only responsible for sales.example.com, due to different service providers.

So my question is: I have an HSTS header on sales.example.com:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Since the browser UA caches this includeSubDomains for a whole year, could it be that e.g. http://crt.example.com/path/to/example.crt cannot be reached, or does it only count for marketing.sales.example.com because that is a subdomain of sales.example.com?

Note there is no header on example.com! We don't service/manage that domain; we only service/manage the domain sales.example.com.

I could be wrong that there is no point in having an HSTS header on sales.example.com because you should do this on the domain example.com, but I am not sure about that. Could you please clarify this for me?

Sincerely,
Harold Stultiens
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
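The scoping question above comes down to how a user agent matches a request host against its HSTS cache. RFC 6797 (sections 8.2 and 8.3) specifies a "congruent" match on the exact host, plus a "superdomain" match on any parent host whose cached entry carries includeSubDomains. The following model of that lookup is an added illustration, not code from the original post or from any browser; the host names are the ones in the question, and the header is only "learned" for sales.example.com, exactly the situation described.

```javascript
// Model of a browser's HSTS "Known HSTS Host" cache (RFC 6797 sections 6.1, 8.1-8.3).
// Added illustration for the websec question above; not code from any browser.

const MAX_AGE_PATTERN = /^max-age=(\d+)$/i;

// Parse a Strict-Transport-Security header value into its directives.
// Unknown directives are ignored, as section 6.1 requires.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const d = raw.trim();
    if (!d) continue;
    const m = MAX_AGE_PATTERN.exec(d);
    if (m) { result.maxAge = Number(m[1]); continue; }
    if (/^includeSubDomains$/i.test(d)) result.includeSubDomains = true;
    else if (/^preload$/i.test(d)) result.preload = true;
  }
  return result;
}

class HstsCache {
  // `now` is injectable so the test can move the clock past max-age.
  constructor(now = () => Date.now()) { this.hosts = new Map(); this.now = now; }

  // Record a header. A real UA only does this when the header arrived over
  // a secure transport without certificate errors (section 8.1).
  learn(host, headerValue) {
    const p = parseHsts(headerValue);
    if (p.maxAge === null) return;                // max-age is mandatory; ignore otherwise
    const key = host.toLowerCase();
    if (p.maxAge === 0) { this.hosts.delete(key); return; } // max-age=0 evicts the entry
    this.hosts.set(key, {
      expires: this.now() + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
  }

  // Is `host` a Known HSTS Host? Walk from the full host name up through its
  // parent labels: an exact (congruent) match always counts; a parent entry
  // counts only if it was stored with includeSubDomains (superdomain match).
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) { this.hosts.delete(candidate); continue; } // expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// The scenario from the question: the header is seen only on sales.example.com.
function salesScenario() {
  let clock = 0;
  const cache = new HstsCache(() => clock);
  cache.learn('sales.example.com', 'max-age=31536000; includeSubDomains; preload');

  const sales = cache.isKnown('sales.example.com');                 // congruent match
  const marketing = cache.isKnown('marketing.sales.example.com');   // superdomain match
  const crt = cache.isKnown('crt.example.com');                     // sibling: no entry on example.com
  const apex = cache.isKnown('example.com');                        // parent: never affected by a child

  clock = 31536000 * 1000 + 1;                                      // one year later
  const marketingAfterExpiry = cache.isKnown('marketing.sales.example.com');

  return { sales, marketing, crt, apex, marketingAfterExpiry };
}

console.log(salesScenario());
```

Because the walk only ever finds entries stored for the request host or one of its parents, an entry for sales.example.com can never influence crt.example.com or example.com; it covers sales.example.com and everything beneath it (marketing.sales.example.com), and nothing else. One caveat the model cannot show: the `preload` directive only matters if the host is actually submitted to the browser preload list, and the hstspreload.org submission process accepts registrable domains (example.com), not a subdomain on its own, so that directive has no practical effect on sales.example.com unless the operator of example.com preloads the whole domain.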
