HSTS max-age and includeSubDomains Configuration Syntax

The Strict-Transport-Security header enforces HTTPS at the browser level. Configure it with exactly this header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This configuration prevents protocol downgrade attacks and session cookie hijacking. Foundational header architecture is documented in the Web Security Headers Fundamentals reference.

Security Implication: Deploying includeSubDomains applies the policy to every subdomain at once. Any subdomain without a valid TLS certificate becomes unreachable: the browser refuses the connection with an error the user cannot click through.

Server-Side Configuration Commands

Inject the header at the origin server or edge proxy level. Avoid duplicate declarations across CDN, WAF, and application layers to prevent parsing conflicts. Comprehensive deployment patterns are detailed in the HTTP Strict Transport Security (HSTS) Deep Dive guide.

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Cloudflare

Navigate to Dashboard > SSL/TLS > Edge Certificates > HSTS. Enable the feature, set Max-Age to 1 year, and toggle Include Subdomains to ON.

Node.js/Express (Helmet)

const helmet = require('helmet'); // app is the Express application created with express()
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));

Diagnostic & Verification Steps

Validate header delivery before committing to production. Use CLI diagnostics and browser inspection to confirm exact string matching and cache behavior.

cURL

curl -sI https://yourdomain.com | grep -i strict-transport-security

Expected Output: strict-transport-security: max-age=31536000; includeSubDomains

OpenSSL

printf 'HEAD / HTTP/1.1\r\nHost: yourdomain.com\r\nConnection: close\r\n\r\n' | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -ign_eof 2>/dev/null | grep -i strict-transport-security

s_client only opens the TLS session, so an HTTP request must be piped into it before any response headers appear; -ign_eof keeps the connection open until the server has answered.

Browser DevTools

Open the Network tab → filter by Doc/XHR → select the primary request → inspect Response Headers → verify the exact value and confirm there are no duplicate headers.

Security Implication: Browsers cache HSTS policies immediately upon receipt. A single successful response locks the policy for the specified duration.
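As an added check that is not part of the original page, the Python function below audits the raw header text that `curl -sI` prints: it flags a missing header, more than one copy (the duplicate-declaration problem noted above), a repeated directive, a max-age below one year or the zero-value rollback form, and a missing includeSubDomains. The sample header text is constructed, not captured from a real host.

```python
import re

# RFC 6797 directive grammar: ';'-separated, names case-insensitive,
# max-age value is a digit string, optionally quoted.
_MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')
ONE_YEAR = 31536000  # the max-age this page deploys, in seconds


def parse_hsts(value):
    """Return {directive_name: value_or_None}; raise ValueError on a repeated directive."""
    directives = {}
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition('=')
        name = name.strip().lower()
        if name in directives:  # RFC 6797 forbids repeats; browsers ignore such a header
            raise ValueError(f'duplicate directive {name!r}')
        directives[name] = val.strip() or None
    return directives


def audit_hsts(raw_headers, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the header matches this page's policy."""
    findings = []
    values = [line.split(':', 1)[1].strip() for line in raw_headers.splitlines()
              if line.lower().startswith('strict-transport-security:')]
    if not values:
        return ['no Strict-Transport-Security header']
    if len(values) > 1:  # typically CDN, WAF and origin all injecting it
        findings.append(f'{len(values)} Strict-Transport-Security headers (only the first is honoured)')
    try:
        d = parse_hsts(values[0])
    except ValueError as e:
        return findings + [str(e)]
    m = _MAX_AGE_RE.match(d.get('max-age') or '')
    if m is None:
        findings.append('max-age missing or not numeric')
    elif int(m.group(1)) == 0:
        findings.append('max-age=0: rollback form, clears the cached policy')
    elif int(m.group(1)) < min_age:
        findings.append(f'max-age {m.group(1)} is below {min_age}')
    if 'includesubdomains' not in d:
        findings.append('includeSubDomains missing')
    return findings


# Constructed sample output in the shape `curl -sI` prints; not captured from a real host.
SAMPLE_OK = "HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n"
SAMPLE_DUP = SAMPLE_OK + "Strict-Transport-Security: max-age=300\r\n"
```

Feed it the output of the cURL command above (for example `audit_hsts(subprocess.check_output([...]).decode())`) to turn the manual inspection into a repeatable pre-production check.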

Edge Cases, Preload Implications & Safe Rollback

Subdomain misconfiguration triggers NET::ERR_CERT_COMMON_NAME_INVALID or HSTS_POLICY_VIOLATION errors. To revert safely, serve Strict-Transport-Security: max-age=0; includeSubDomains from every affected subdomain. A browser clears its cached policy only when it receives the zero-value header, so keep serving it until the original max-age has expired and every client has had the chance to fetch it. Never submit to the HSTS preload list until includeSubDomains has been validated across staging, legacy, and development subdomains; removal from the preload list takes 6–12 months to propagate through browser release cycles.

Security Implication: Lowering max-age on the server does not clear the policy that browsers have already cached; only clients that receive the new header update their copy. The zero-value header must be actively served for the original duration to prevent persistent lockouts.