Parameter: HTTPHSTSIncludeSubDomains
Short description: Enables the includeSubDomains attribute in the HSTS response header – enforces HTTPS for all subdomains of the serving site as well.

Profile
| Parameter | HTTPHSTSIncludeSubDomains |
| Category | HTTP / Web |
| Component | Server |
| Available since | 12.0 |
| Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | Web Site / Internet Site document |
| Possible values | 0 = without subdomains (default), 1 = set includeSubDomains |
Description
When HSTS is enabled via the Server / Internet Site document, Domino sends the Strict-Transport-Security header. With HTTPHSTSIncludeSubDomains=1, the includeSubDomains attribute is sent in addition – this tells browsers that all subdomains of the site must also be reached exclusively over HTTPS. A very effective measure against “stripping” attacks on forgotten HTTP vhosts under the same domain.

Example configuration
HTTPHSTSIncludeSubDomains=1
Notes & pitfalls
- Only enable when all subdomains in use are actually reachable over HTTPS – otherwise internal tools or legacy systems become unreachable in the browser.
- Requires HSTS to be enabled at all (Web Site / Internet Site document or via HTTPEnableHSTS).
- Browsers cache HSTS settings for a long time (keyword max-age) – rolling back an incorrect configuration is non-trivial.
- Takes effect after an HTTP restart (tell http restart).
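To check what a browser will actually enforce before switching the parameter on, the following added example (not Domino code) parses a Strict-Transport-Security header as the server would send it and reports the two pitfalls listed above; the header value and the subdomain inventory are constructed.

```python
"""Parse a Strict-Transport-Security header and check it against the pitfalls above.
Added example, not Domino code; the header and the subdomain inventory are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """RFC 6797 rules: ';'-separated directives, case-insensitive names, max-age
    mandatory and unique. Malformed headers are ignored by browsers -> None."""
    max_age: Optional[int] = None
    include_subdomains = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True  # other directives (e.g. preload) are ignored here
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def audit(header: str, https_ready: Dict[str, bool]) -> List[str]:
    """Findings for one header, given which subdomains really serve HTTPS
    (constructed inventory; in practice built from a scan of the DNS zone)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["HSTS header missing or malformed; browsers ignore it"]
    findings = [f"{h} is not HTTPS-ready but would be forced to HTTPS"
                for h, ok in https_ready.items() if policy.include_subdomains and not ok]
    if policy.max_age >= 365 * 86400:
        findings.append(f"max-age={policy.max_age}: browsers keep it up to a year, "
                        "so rolling back a mistake is slow")
    return findings


if __name__ == "__main__":
    HEADER = "max-age=31536000; includeSubDomains"  # constructed; HTTPHSTSIncludeSubDomains=1
    INVENTORY = {"mail.example.com": True, "legacy.example.com": False}  # constructed
    print("\n".join(audit(HEADER, INVENTORY)))
```

Feed it the header captured from the Domino server and an inventory of every subdomain in the zone; any finding about a non-HTTPS host means the parameter should stay at 0 until that host is fixed.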