Do not includeSubdomains in HSTS

This prevents one from redirecting to some http-only subdomain. For example, surfer in naked domain redirects to www subdomain (which is on github pages...)
2017-02-02 00:05:56 -08:00
parent 87755c6097
commit cd31e12bec
1 changed files with 1 additions and 1 deletions
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -26,7 +26,7 @@ server {
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=15768000";

    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
    add_header X-Frame-Options "<%= xFrameOptions %>";