HSTS implementation when using www.TLD

by Randomer11   Last Updated May 15, 2018 17:04 PM

Been looking at implementing HSTS into one of our sites, hoping to validate it on the preload list. But I can't get my head around how it works with the www. subdomain.

Our site forces secure www.domain.com using this code in the .htaccess.

    <IfModule mod_headers.c>
        # HSTS header, only set when the HTTPS environment variable is present (TLS requests)
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Redirect plain HTTP to HTTPS on the same host
        RewriteCond %{HTTPS} !=on [NC]
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Redirect the bare domain to the www host
        RewriteCond %{HTTP_HOST} !^www\.
        RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
    </IfModule>

This seems to only send headers when calling the www version.

But when validating, obviously you can't validate a subdomain and it needs to be root TLD. So you get this notice:

www.domain.com is a subdomain. Please preload domain.com instead. (Due to the size of the preload list and the behaviour of cookies across subdomains, we only accept automated preload list submissions of whole registered domains.)

If I remove the "env=HTTPS" and add "always" to the .htaccess, such as:

    <IfModule mod_headers.c>
        # "always" puts the header on every response, including plain-HTTP responses and redirects
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>

I then get it being used across both www and non-www, but it still doesn't validate, as I get this warning:

Warning: Unnecessary HSTS header over HTTP, The HTTP page at domain.com sends an HSTS header. This has no effect over HTTP, and should be removed.

So I'm stuck as to what I've done wrong, or what I need to do next to make it validate.

Any help appreciated.

Please note: this is a standard Apache server using .htaccess (because it's a shared environment, using cPanel).
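A configuration that addresses both symptoms in the question, added here as an example and not part of the original post. Apache's `Header` directive without `always` only writes to the "onsuccess" header table, and a redirect generated locally by mod_rewrite (`R=301`) is built from the `always` table only, so the `https://domain.com` to `https://www.domain.com` hop in the first configuration never carried the header; that is why it only appeared on the www host. Dropping `env=HTTPS` and using `always` puts the header on the redirect, but also on port-80 responses, which is what the second warning is about. Combining `always` with `env=HTTPS` sends the header on every TLS response, including the redirect off the bare domain, and on none over plain HTTP, which is what the preload submission checks want. The redirect order from the post is kept (HTTP to HTTPS on the same host first, then bare domain to www) because the preload requirements ask for the HTTP-to-HTTPS redirect to stay on the same host. `domain.com` is the placeholder used in the question, and the example assumes mod_ssl on the same server sets the `HTTPS` environment variable, as the existing `env=HTTPS` rule already relies on.

```apache
<IfModule mod_headers.c>
    # "always": also applied to locally generated 301s, such as the
    #   https://domain.com -> https://www.domain.com redirect below.
    # env=HTTPS: keeps the header off port-80 responses
    #   (assumes mod_ssl sets HTTPS=on for TLS requests on this host).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 1. http://domain.com/x -> https://domain.com/x
    #    Same host, as the preload checks require; no HSTS header on this hop.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # 2. https://domain.com/x -> https://www.domain.com/x
    #    This 301 now carries the HSTS header as well, so the bare domain validates.
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Before submitting, fetch `http://domain.com/`, `https://domain.com/` and `https://www.domain.com/` with `curl -sI` and confirm the header is present on the last two and absent on the first. `includeSubDomains` plus `preload` commits every hostname under `domain.com` (mail, webmail and any cPanel-generated subdomains included) to HTTPS in every browser that ships the list, and removal from the list is slow, so check that all of them serve valid TLS first.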

Tags : apache https hsts
