HSTS includeSubDomains setting 301 Redirect potential issue

Using a 301 redirector to take people to a secure website is a reasonable thing to do and quite useful. Recently, however, the increased use of HSTS to dynamically "force" HTTPS for a domain can cause a problem for a domain- and DNS-based redirector.

HSTS (HTTP Strict Transport Security)

If your 301-redirected site suddenly starts failing and the browser automatically requests an SSL-encrypted version of it, you may have the primary domain set with HSTS and the "includeSubDomains" option enabled.

Recently this occurred when a site which was using subdomain redirects updated its nginx server configuration to include the HSTS header:

For nginx:

The header must be set per website; the configuration file is usually found in /etc/nginx/sites-available/.

server {
    listen 443 ssl default_server deferred;
    ...
    # config to enable HSTS (HTTP Strict Transport Security)
    # note: includeSubDomains makes the browser apply this policy to every
    # subdomain of this host as well, including ones served elsewhere
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    ...
}

For Apache:

<VirtualHost *:443>
...
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
...
</VirtualHost>

The use of "includeSubDomains" meant that whilst foo.com was forced into SSL (which is good), subdomain.foo.com was also forced into SSL. This is bad, as (currently) serving the redirect over HTTPS is not a feature implemented by REDIR301.
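To see exactly which redirected hosts a cached HSTS policy will affect, here is a small added checker (example code, not part of the original article or of REDIR301). It parses a Strict-Transport-Security header value the way a browser does (directive names are case-insensitive, a trailing ";" is tolerated) and reports which of a constructed list of redirect hostnames the browser would silently upgrade to HTTPS. The hostnames and the second header value are constructed for illustration.

```python
"""Parse an HSTS header and flag which redirect hosts a browser will force to HTTPS.

Added example; the header values and hostnames below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the value of a Strict-Transport-Security header (RFC 6797 directives)."""
    policy = HstsPolicy()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerates a trailing ';' in the header value
        name, _, arg = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip().strip('"')
        if name == "max-age":
            try:
                policy.max_age = int(arg)
            except ValueError:
                policy.unknown.append(directive)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(directive)
    return policy


def forced_https(policy: HstsPolicy, parent: str, host: str) -> bool:
    """True if a browser that cached `policy` for `parent` will upgrade `host` to HTTPS.

    max-age=0 (or a missing max-age) means no policy is stored, so nothing is forced.
    With includeSubDomains every label below `parent` is covered, however deep.
    """
    if policy.max_age is None or policy.max_age <= 0:
        return False
    parent = parent.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if host == parent:
        return True
    return policy.include_subdomains and host.endswith("." + parent)


def affected_redirects(policy: HstsPolicy, parent: str, redirect_hosts: List[str]) -> List[str]:
    """Return the redirect hostnames that the cached policy for `parent` will upgrade."""
    return [h for h in redirect_hosts if forced_https(policy, parent, h)]


# The header from the nginx configuration above, and a variant without the directive.
HEADER_WITH_SUBDOMAINS = "max-age=63072000; includeSubDomains;"
HEADER_WITHOUT_SUBDOMAINS = "max-age=63072000"

# Constructed list of hostnames pointed at a plain-HTTP 301 redirector.
REDIRECT_HOSTS = ["subdomain.foo.com", "www.foo.com", "deep.sub.foo.com", "bar.example.net"]

if __name__ == "__main__":
    for header in (HEADER_WITH_SUBDOMAINS, HEADER_WITHOUT_SUBDOMAINS):
        policy = parse_hsts(header)
        print(f"{header!r} -> forced to HTTPS: {affected_redirects(policy, 'foo.com', REDIRECT_HOSTS)}")
```

Run it against the header value your own server returns (for example the one shown by `curl -sI https://foo.com | grep -i strict`) to list which redirected subdomains will break before the policy ever reaches a visitor's browser.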

HTTPS redirects can be configured, but it is currently a manual process on a per-domain basis, which is costly.

HSTS guidance generally advises including the includeSubDomains setting, so as servers are upgraded this is likely to become more of an issue.

The problem does not appear to be widespread, as most people don't configure their domains in this way, but it is worth noting and being aware of.

To check your website for this setting, visit: https://geekflare.com/tools/hsts-test

To clear the dynamically cached HSTS entries in Chrome, visit chrome://net-internals/#hsts

Thanks to the following websites for ideas and solutions: