{
  "id": "security/http-strict-transport-security-missing-subdomain",
  "signature": "HSTS header missing 'includeSubDomains' directive allows cookie theft on subdomains",
  "signature_zh": "HSTS 标头缺少 'includeSubDomains' 指令，允许在子域上窃取 Cookie",
  "regex": "Strict-Transport-Security: max-age=\\d+;?[^i]|HSTS without includeSubDomains",
  "domain": "security",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The HTTP Strict-Transport-Security (HSTS) header is set without the 'includeSubDomains' directive, so subdomains (e.g., api.example.com) can still be accessed over HTTP, allowing cookie interception.",
  "root_cause_type": "generic",
  "root_cause_zh": "HTTP 严格传输安全 (HSTS) 标头未设置 'includeSubDomains' 指令，因此子域（例如 api.example.com）仍可通过 HTTP 访问，允许拦截 Cookie。",
  "versions": [
    {
      "version": "Apache HTTP Server 2.4",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Nginx 1.24",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "IIS 10.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Set a very long max-age (e.g., 1 year) without includeSubDomains",
      "why_fails": "A long max-age without includeSubDomains still leaves subdomains vulnerable; attackers can target subdomains with HTTP.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a separate HSTS header on each subdomain",
      "why_fails": "This is redundant and error-prone; a single header on the main domain with includeSubDomains covers all subdomains.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Add 'includeSubDomains' to the HSTS header. Example in Nginx:\nadd_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;",
      "success_rate": 0.95,
      "how": "Add 'includeSubDomains' to the HSTS header. Example in Nginx:\nadd_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;",
      "condition": "",
      "sources": []
    },
    {
      "action": "Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on first visit.",
      "success_rate": 0.9,
      "how": "Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on first visit.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Add 'includeSubDomains' to the HSTS header. Example in Nginx:\nadd_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;",
    "Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on first visit."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security",
  "official_doc_section": null,
  "error_code": "SEC_HSTS_004",
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.95,
  "resolvable": "true",
  "first_seen": "2023-09-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}