40

Suppose that my site is located at foo.example.com and I send the following HTTP header when visitors access my site using HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Would the HSTS policy have any effect on domains such as example.com or bar.example.com?

I'm not in charge of the certificates but the common name is *.example.com on the certificate so I'm not sure if that matters.

The certificate isn't valid for abc.foo.example.com, but I imagine that if there is a valid cert for such a host that the HSTS policy would apply there.

rink.attendant.6

4 Answers

49

Based on the RFC, HTTP Strict Transport Security (HSTS), the includeSubDomains section states:

6.1.2. The includeSubDomains Directive

The OPTIONAL "includeSubDomains" directive is a valueless directive which, if present (i.e., it is "asserted"), signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.

Therefore your HSTS policy would only apply to foo.example.com and *.foo.example.com.

example.com and bar.example.com would not be impacted.

For more info, there is a great thread on webmasters titled Do I need a wildcard SSL certificate for inclusion in the HSTS preload list?

user2320464
2

It depends. Section 11.4.2 describes the scenario of web apps interacting with the subdomains but not with the HSTS host (abc.domain.com but not domain.com), and in this case the UAs will not enforce the HSTS policy. The suggestion is:

HSTS Hosts should be configured such that the STS header field is emitted directly at each HSTS Host domain or subdomain name that constitutes a well-known "entry point"

But section 11.4.1 says that all subdomains must implement HTTPS, so as long as they do it should work just fine.

From the spec:

If ca.example.com were to issue an HSTS Policy with the includeSubDomains directive, then HTTP-based user agents implementing HSTS that have interacted with the ca.example.com web application would fail to retrieve CRLs and fail to check OCSP for certificates, because these services are offered over plain HTTP.

In this case, Example CA can either:

  • not use the includeSubDomains directive, or

  • ensure that HTTP-based services offered at subdomains of ca.example.com are also uniformly offered over TLS/SSL, or

  • offer plain HTTP-based services at a different domain name, e.g., crl-and-ocsp.ca.example.NET, or

  • utilize an alternative approach to distributing certificate status information, obviating the need to offer CRL distribution and OCSP services over plain HTTP (e.g., the "Certificate Status Request" TLS extension [RFC6066], often colloquially referred to as "OCSP Stapling").

Purefan
1

Would the HSTS policy have any effect on domains such as example.com or bar.example.com?

Yes. includeSubDomains affects all subdomains of the domain name. Crucially, the domain name of foo.example.com is example.com so all compliant user agents will apply the HSTS restriction to *.example.com.

6.1.2. The includeSubDomains Directive

The OPTIONAL "includeSubDomains" directive is a valueless directive which, if present (i.e., it is "asserted"), signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.

(emphasis mine)

The certificate isn't valid for abc.foo.example.com, but I imagine that if there is a valid cert for such a host that the HSTS policy would apply there.

That's correct. Certificate validity is orthogonal to whether a host name is subject to a Strict Transport Security restriction.

Luckyrat
    Wouldn't this be an easy way to DoS any subdomain that is not served over HTTPS? If I controlled the code for `foo.example.com` which uses HTTPS then I can send an HSTS header to prevent access to an HTTP site, ex: `bar.example.com`? – rink.attendant.6 Jul 24 '18 at 16:08
  • 3
    @Luckyrat, your reading of 6.1.2 makes sense to me, but it is in direct contradiction with the accepted answer on this question. How does your reading apply within the context of a FQDN such as `sub.foo.co.uk`? – daveloyall Jul 10 '19 at 17:48
  • 1
    The first part of your answer is incorrect; you're conflating a host's _domain name_ with its [_registrable domain_](https://developer.mozilla.org/en-US/docs/Glossary/Site). Item 6 of [section 2.4.1.1 of the HSTS spec](https://tools.ietf.org/html/rfc6797#section-2.4.1.1) provides relevant examples that should be enough to dispel your confusion. – jub0bs Mar 01 '21 at 10:53
  • I think you're right. My established understanding is that a domain is identical to a registrable domain but a hostname can contain labels that are not part of the registrable domain. Perhaps the meaning of these terms has shifted since those days before the PSL existed. For example, the PSL refers to hostname in the specification but domain in the formal algorithm (which ultimately derives the registrable domain from the starting string). In any case, if the HSTS spec is using a different (more modern?) interpretation of these terms, that's interesting in itself so I'll not delete this answer – Luckyrat Dec 03 '21 at 09:50
  • @Luckyrat if this answer will not be deleted, perhaps an edit highlighting the discussion in the comments would be helpful for the inattentive reader? – sourcream Jun 03 '22 at 14:25
1

I have tested the includeSubDomains directive; the result is that it only affects the host domain and the subdomains of the host domain.

For example, if you access the website at https://echo.local.io and then query the HSTS/PKP state with chrome://net-internals/#hsts:

Query HSTS/PKP domain with echo.local.io (the host domain)

Found:
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: echo.local.io
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: true
dynamic_sts_observed: 1634294710.318108
dynamic_sts_expiry: 1650019510.318091

Query HSTS/PKP domain with another subdomain foo.local.io (same level as the host domain)

Not found

Query HSTS/PKP domain with root domain local.io (the parent of the host domain)

Not found

Query HSTS/PKP domain with subdomain buzz.echo.local.io (subdomain of the host domain)

Found:
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: echo.local.io
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: true
dynamic_sts_observed: 1634298549.210941
dynamic_sts_expiry: 1650023349.210936

see also: https://blog.codefarm.me/2021/10/15/http-strict-transport-security/#test-subdomain-with-echo-local-io

ROY