add includeSubdomains to Strict-Transport-Security

gstrauss · gstrauss · commit f14aba3de393 · 2026-04-07T04:10:04.000-04:00
diff --git a/src/js/helpers/apache.js b/src/js/helpers/apache.js
@@ -57,7 +57,7 @@ export default (form, output) => {
     conf +=
       '\n'+
       '    # HTTP Strict Transport Security (mod_headers is required) ('+output.hstsMaxAge+' seconds)\n'+
-      '    Header'+(minver("2.0.0", form.serverVersion) ? ' always' : '')+' set Strict-Transport-Security "max-age='+output.hstsMaxAge+'"\n';
+      '    Header'+(minver("2.0.0", form.serverVersion) ? ' always' : '')+' set Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';
  }
 
     conf +=
diff --git a/src/js/helpers/caddy.js b/src/js/helpers/caddy.js
@@ -61,7 +61,7 @@ export default (form, output) => {
     conf +=
       '\n'+
       '  # HSTS ('+output.hstsMaxAge+' seconds)\n'+
-      '  header Strict-Transport-Security "max-age='+output.hstsMaxAge+'"\n';
+      '  header Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';
  }
 
     conf +=
diff --git a/src/js/helpers/go.js b/src/js/helpers/go.js
@@ -19,7 +19,7 @@ export default (form, output) => {
       '    mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {\n'+
       (form.hsts
         ?
-      '        w.Header().Add("Strict-Transport-Security", "max-age='+output.hstsMaxAge+'")\n'
+      '        w.Header().Add("Strict-Transport-Security", "max-age='+output.hstsMaxAge+'; includeSubDomains")\n'
         : '')+
       '        w.Write([]byte("This server is running the Mozilla '+form.config+' configuration.\\n"))\n'+
       '    })\n';
diff --git a/src/js/helpers/haproxy.js b/src/js/helpers/haproxy.js
@@ -72,7 +72,7 @@ export default (form, output) => {
       '    redirect scheme https code '+output.hstsRedirectCode+' if !{ ssl_fc }\n'+
       '\n'+
       '    # HSTS ('+output.hstsMaxAge+' seconds)\n'+
-      '    http-response set-header Strict-Transport-Security max-age='+output.hstsMaxAge+'\n';
+      '    http-response set-header Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';
  }
 
   return conf;
diff --git a/src/js/helpers/lighttpd.js b/src/js/helpers/lighttpd.js
@@ -187,7 +187,7 @@ export default (form, output) => {
       '$HTTP["scheme"] == "https" {\n'+
       '    # HTTP Strict Transport Security ('+output.hstsMaxAge+' seconds)\n'+
       '    setenv.add-response-header = (\n'+
-      '      "Strict-Transport-Security" => "max-age='+output.hstsMaxAge+'"\n'+
+      '      "Strict-Transport-Security" => "max-age='+output.hstsMaxAge+'; includeSubDomains"\n'+
       '    )\n'+
       '}\n'+
       'else $HTTP["scheme"] == "http" {\n';
diff --git a/src/js/helpers/litespeed.js b/src/js/helpers/litespeed.js
@@ -52,7 +52,7 @@ export default (form, output) => {
       '    <uri>/</uri>\n'+
       '    <location>$DOC_ROOT/</location>\n'+
       '    <allowBrowse>1</allowBrowse>\n'+
-      '    <extraHeaders>Header Set Strict-Transport-Security: max-age='+output.hstsMaxAge+'</extraHeaders>\n'+
+      '    <extraHeaders>Header Set Strict-Transport-Security: max-age='+output.hstsMaxAge+'; includeSubDomains</extraHeaders>\n'+
       '    <addDefaultCharset>off</addDefaultCharset>\n'+
       '  </context>\n'+
       '</virtualHostConfig>\n';
diff --git a/src/js/helpers/nginx.js b/src/js/helpers/nginx.js
@@ -30,7 +30,7 @@ export default (form, output) => {
     conf +=
       '\n'+
       '        # HSTS (ngx_http_headers_module is required) ('+output.hstsMaxAge+' seconds)\n'+
-      '        add_header Strict-Transport-Security "max-age='+output.hstsMaxAge+'"'+(minver("1.7.5", form.serverVersion) ? ' always' : '')+';\n';
+      '        add_header Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"'+(minver("1.7.5", form.serverVersion) ? ' always' : '')+';\n';
  }
 
     conf +=
diff --git a/src/js/helpers/openlitespeed.js b/src/js/helpers/openlitespeed.js
@@ -49,7 +49,7 @@ export default (form, output) => {
       'context / {\n'+
       '  location                $DOC_ROOT/\n'+
       '  allowBrowse             1\n'+
-      '  extraHeaders            Header Set Strict-Transport-Security: max-age='+output.hstsMaxAge+'\n'+
+      '  extraHeaders            Header Set Strict-Transport-Security: max-age='+output.hstsMaxAge+'; includeSubDomains\n'+
       '}\n';
   }
 
diff --git a/src/js/helpers/oraclehttp.js b/src/js/helpers/oraclehttp.js
@@ -24,7 +24,7 @@ export default (form, output) => {
     conf +=
       '\n'+
       '    # HTTP Strict Transport Security (mod_headers is required) ('+output.hstsMaxAge+' seconds)\n'+
-      '    Header always set Strict-Transport-Security "max-age='+output.hstsMaxAge+'"\n';
+      '    Header always set Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';
  }
 
     conf +=

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ export default (form, output) => {`
`57`	`57`	`conf +=`
`58`	`58`	`'\n'+`
`59`	`59`	`' # HTTP Strict Transport Security (mod_headers is required) ('+output.hstsMaxAge+' seconds)\n'+`
`60`		`- ' Header'+(minver("2.0.0", form.serverVersion) ? ' always' : '')+' set Strict-Transport-Security "max-age='+output.hstsMaxAge+'"\n';`
	`60`	`+ ' Header'+(minver("2.0.0", form.serverVersion) ? ' always' : '')+' set Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`conf +=`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ export default (form, output) => {`
`61`	`61`	`conf +=`
`62`	`62`	`'\n'+`
`63`	`63`	`' # HSTS ('+output.hstsMaxAge+' seconds)\n'+`
`64`		`- ' header Strict-Transport-Security "max-age='+output.hstsMaxAge+'"\n';`
	`64`	`+ ' header Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`conf +=`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ export default (form, output) => {`
`19`	`19`	`' mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {\n'+`
`20`	`20`	`(form.hsts`
`21`	`21`	`?`
`22`		`- ' w.Header().Add("Strict-Transport-Security", "max-age='+output.hstsMaxAge+'")\n'`
	`22`	`+ ' w.Header().Add("Strict-Transport-Security", "max-age='+output.hstsMaxAge+'; includeSubDomains")\n'`
`23`	`23`	`: '')+`
`24`	`24`	`' w.Write([]byte("This server is running the Mozilla '+form.config+' configuration.\\n"))\n'+`
`25`	`25`	`' })\n';`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ export default (form, output) => {`
`72`	`72`	`' redirect scheme https code '+output.hstsRedirectCode+' if !{ ssl_fc }\n'+`
`73`	`73`	`'\n'+`
`74`	`74`	`' # HSTS ('+output.hstsMaxAge+' seconds)\n'+`
`75`		`- ' http-response set-header Strict-Transport-Security max-age='+output.hstsMaxAge+'\n';`
	`75`	`+ ' http-response set-header Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`return conf;`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ export default (form, output) => {`
`30`	`30`	`conf +=`
`31`	`31`	`'\n'+`
`32`	`32`	`' # HSTS (ngx_http_headers_module is required) ('+output.hstsMaxAge+' seconds)\n'+`
`33`		`- ' add_header Strict-Transport-Security "max-age='+output.hstsMaxAge+'"'+(minver("1.7.5", form.serverVersion) ? ' always' : '')+';\n';`
	`33`	`+ ' add_header Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"'+(minver("1.7.5", form.serverVersion) ? ' always' : '')+';\n';`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`conf +=`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ export default (form, output) => {`
`49`	`49`	`'context / {\n'+`
`50`	`50`	`' location $DOC_ROOT/\n'+`
`51`	`51`	`' allowBrowse 1\n'+`
`52`		`- ' extraHeaders Header Set Strict-Transport-Security: max-age='+output.hstsMaxAge+'\n'+`
	`52`	`+ ' extraHeaders Header Set Strict-Transport-Security: max-age='+output.hstsMaxAge+'; includeSubDomains\n'+`
`53`	`53`	`'}\n';`
`54`	`54`	`}`
`55`	`55`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ export default (form, output) => {`
`24`	`24`	`conf +=`
`25`	`25`	`'\n'+`
`26`	`26`	`' # HTTP Strict Transport Security (mod_headers is required) ('+output.hstsMaxAge+' seconds)\n'+`
`27`		`- ' Header always set Strict-Transport-Security "max-age='+output.hstsMaxAge+'"\n';`
	`27`	`+ ' Header always set Strict-Transport-Security "max-age='+output.hstsMaxAge+'; includeSubDomains"\n';`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`conf +=`