# HSTS header missing the 'includeSubDomains' directive, allowing cookie theft on subdomains

- **ID:** `security/http-strict-transport-security-missing-subdomain`
- **Domain:** security
- **Category:** config_error
- **Error code:** `SEC_HSTS_004`
- **Verification level:** ai_generated
- **Fix rate:** 95%

## Root cause

The HTTP Strict Transport Security (HSTS) header is sent without the `includeSubDomains` directive. A browser then enforces HTTPS only for the exact host that served the header, so subdomains (for example `api.example.com`, or a name under `example.com` that does not even exist) can still be requested over plain HTTP. Cookies whose `Domain` attribute is the parent domain are attached to requests for every subdomain, so an attacker on the network path who can make the browser load `http://anything.example.com/` (an injected image or script, a captive portal, a DNS answer) receives any such cookie that lacks the `Secure` flag. From that plaintext response the attacker can also set cookies scoped to `example.com` (cookie injection); current browsers refuse to let an insecure origin overwrite a cookie that carries `Secure`, but cookies without it get no such protection. RFC 6797 (section 14.4) gives exactly this cookie-scoping mismatch as the reason the directive exists.
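To make the mechanism concrete, the following added example (written for this page, not code from the original page or from any browser) models a browser's HSTS cache using the host-matching rules of RFC 6797 section 8.3 and asks two questions for a request to an attacker-chosen subdomain: does the request get upgraded to HTTPS, and which cookies would ride along in the clear if it does not. The host names, cookies and cache entries are constructed sample data; `nonexistent.example.com` is deliberately a name that need not exist, since an on-path attacker can answer for any name under the domain.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class HstsEntry:
    """One cached HSTS policy, keyed by the host that served the header."""
    host: str               # lower-case host name
    max_age: int            # seconds; 0 means the policy has been cleared
    include_subdomains: bool


@dataclass(frozen=True)
class Cookie:
    """The subset of cookie attributes that matter for the leak."""
    name: str
    domain: str             # Domain attribute: sent to this host and every subdomain of it
    secure: bool            # Secure attribute: never sent over plain HTTP


def hsts_applies(cache: list[HstsEntry], host: str) -> bool:
    """RFC 6797 section 8.3: a host is known HSTS if an entry matches it
    exactly, or a superdomain entry matches and carries includeSubDomains."""
    host = host.lower()
    for entry in cache:
        if entry.max_age <= 0:
            continue
        if host == entry.host:
            return True
        if host.endswith("." + entry.host) and entry.include_subdomains:
            return True
    return False


def apply_hsts(cache: list[HstsEntry], url: str) -> str:
    """Rewrite an http:// URL to https:// when the cache says the host is HSTS
    (an explicit port 80 becomes 443, as section 8.3 requires); otherwise
    return the URL unchanged, i.e. the request goes out in plaintext."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not hsts_applies(cache, parts.hostname or ""):
        return url
    netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def cookies_sent_in_clear(cache: list[HstsEntry], jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies the browser would attach to the request after HSTS
    processing, if that request still goes out over plain HTTP."""
    parts = urlsplit(apply_hsts(cache, url))
    if parts.scheme != "http":
        return []
    host = (parts.hostname or "").lower()
    return [
        c.name for c in jar
        if (host == c.domain or host.endswith("." + c.domain)) and not c.secure
    ]


# Constructed sample data: a session cookie scoped to the parent domain, and the
# two caches a browser ends up with after visiting https://example.com/ once.
SESSION = Cookie(name="session", domain="example.com", secure=False)
WITHOUT_SUBDOMAINS = [HstsEntry("example.com", 31536000, include_subdomains=False)]
WITH_SUBDOMAINS = [HstsEntry("example.com", 31536000, include_subdomains=True)]

# The attacker picks the name; it does not have to resolve to a real server.
ATTACKER_URL = "http://nonexistent.example.com/"


if __name__ == "__main__":
    for label, cache in (("without includeSubDomains", WITHOUT_SUBDOMAINS),
                         ("with includeSubDomains", WITH_SUBDOMAINS)):
        print(label)
        print("  request goes to :", apply_hsts(cache, ATTACKER_URL))
        print("  cookies in clear:", cookies_sent_in_clear(cache, [SESSION], ATTACKER_URL))
```

With the first cache the request stays on `http://` and `session` is sent in the clear; with the second the same request is rewritten to `https://` before any cookie is attached. Marking the cookie `Secure` stops this particular leak on its own, but not the cookie-injection variant described above, which is why the header fix is still required.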

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Apache HTTP Server 2.4 | active | — | — |
| Nginx 1.24 | active | — | — |
| IIS 10.0 | active | — | — |

## Solution

1. Add `includeSubDomains` to the HSTS header served by the apex domain. Browsers only honour the header when it arrives over HTTPS, and `includeSubDomains` covers the subdomains of the host that sent it, so a header served only by `api.example.com` would protect `*.api.example.com` but not `www.example.com`. Example in Nginx (`always` makes the header go out on error responses as well):

   ```
   add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
   ```

   Before enabling it, confirm that every subdomain, including internal, legacy and third-party-hosted ones, is reachable over HTTPS: as soon as a browser sees the directive it refuses plain HTTP to all of them for the full `max-age`.
2. Submit the domain to the browser preload lists (hstspreload.org) once all subdomains serve HTTPS. The submission requires a `max-age` of at least 31536000 seconds (one year), `includeSubDomains`, the `preload` token, and a redirect from HTTP to HTTPS on the apex. Preloading enforces HSTS even on a browser's first visit, but removal from the shipped lists takes months to reach users, so treat it as a one-way step.
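The following added example (written for this page, not a tool from the original page or from hstspreload.org) parses a `Strict-Transport-Security` value the way RFC 6797 section 6.1 describes (directives separated by `;`, names case-insensitive, each allowed once, values optionally quoted, unknown directives ignored) and then reports the findings for this error code together with the header-level preload prerequisites from step 2. It works on a header string, so it can be fed the value from `curl -sI https://example.com/`; the sample values at the bottom are constructed. It does not check the site-level requirements (HTTP-to-HTTPS redirect, HTTPS on every subdomain).

```python
from __future__ import annotations

from dataclasses import dataclass, field

ONE_YEAR = 31536000  # smallest max-age hstspreload.org accepts for submission


@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False          # hstspreload.org token, not part of RFC 6797
    errors: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        """A browser ignores the whole header on a grammar violation or when
        the required max-age directive is absent (RFC 6797 sections 6.1, 8.1)."""
        return not self.errors and self.max_age is not None


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security field value into a policy."""
    policy = HstsPolicy()
    seen: set[str] = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue                      # empty directive, e.g. a trailing ';'
        name, has_value, val = token.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # directive-value may be a quoted-string
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.errors.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            if has_value:
                policy.errors.append("includeSubDomains takes no value")
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive name is ignored, as the RFC requires
    if policy.max_age is None:
        policy.errors.append("required max-age directive missing")
    return policy


def findings(policy: HstsPolicy) -> list[str]:
    """Findings for SEC_HSTS_004 plus the preload prerequisites, most severe first."""
    if not policy.valid:
        return ["header is invalid and will be ignored: " + "; ".join(policy.errors)]
    out: list[str] = []
    if policy.max_age == 0:
        out.append("max-age=0 clears the policy instead of enforcing it")
    if not policy.include_subdomains:
        out.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if policy.max_age < ONE_YEAR:
        out.append(f"max-age {policy.max_age} is below the {ONE_YEAR} required for preload")
    if not policy.preload:
        out.append("preload token missing: hstspreload.org will reject the submission")
    return out


def preload_eligible(policy: HstsPolicy) -> bool:
    """Header-level conditions for hstspreload.org submission."""
    return (policy.valid and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


# Constructed sample header values, from weakest to correct.
SAMPLES = [
    "max-age=31536000",                                   # the misconfiguration on this page
    'max-age="15768000"; includeSubDomains',              # quoted value, half a year
    "includeSubDomains; preload",                         # no max-age: ignored entirely
    "max-age=31536000; max-age=0; includeSubDomains",     # duplicate directive: ignored
    "max-age=31536000; includeSubDomains; preload",       # the fix from step 1
]

if __name__ == "__main__":
    for header in SAMPLES:
        policy = parse_hsts(header)
        print(f"{header!r}: preload_eligible={preload_eligible(policy)}")
        for item in findings(policy):
            print("   -", item)
```

The two "ignored entirely" cases are worth noting for anyone grepping configs: a header that is present but malformed gives the same protection as no header at all, so a check that only looks for the directive name passes a site that browsers are not protecting.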

## Ineffective attempts

- **Set a very long max-age (e.g., one year) without includeSubDomains** — `max-age` only controls how long the policy for the exact host is remembered; however long it is, subdomains are never covered, so an attacker can still target them over HTTP. (95% failure rate)
- **Serve a separate HSTS header from each subdomain** — Per-host headers are valid and do no harm, but they do not close this finding: a subdomain is protected only after the browser has visited it over HTTPS, so any subdomain that was forgotten, never visited, or does not exist (an on-path attacker can answer for any name under the domain) stays reachable over HTTP. A single header on the apex domain with `includeSubDomains` covers all of them at once. (70% failure rate)
