# HSTS header missing 'includeSubDomains' directive allows cookie theft on subdomains

- **ID:** `security/http-strict-transport-security-missing-subdomain`
- **Domain:** security
- **Category:** config_error
- **Error Code:** `SEC_HSTS_004`
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The HTTP Strict-Transport-Security (HSTS) header is set without the 'includeSubDomains' directive, so subdomains (e.g., api.example.com) can still be accessed over HTTP, allowing cookie interception.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Apache HTTP Server 2.4 | active | — | — |
| Nginx 1.24 | active | — | — |
| IIS 10.0 | active | — | — |

## Workarounds

1. **Add 'includeSubDomains' to the HSTS header. Example in Nginx:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;** (95% success)
   ```
   Add 'includeSubDomains' to the HSTS header. Example in Nginx:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
   ```
2. **Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on first visit.** (90% success)
   ```
   Submit the domain to browser preload lists (e.g., hstspreload.org) after ensuring all subdomains support HTTPS. This enforces HSTS even on first visit.
   ```

## Dead Ends

- **Set a very long max-age (e.g., 1 year) without includeSubDomains** — A long max-age without includeSubDomains still leaves subdomains vulnerable; attackers can target subdomains with HTTP. (95% fail)
- **Use a separate HSTS header on each subdomain** — This is redundant and error-prone; a single header on the main domain with includeSubDomains covers all subdomains. (70% fail)