Unlike, say, CAA, HSTS is not read from all the parent domain(s).
So if you have it set on example.com with includeSubDomains
then it will not be read if you just visit www.example.com. However, if you happen to visit example.com first then it will be set. So basically you could get inconsistent results.
This is presumably because there would be a performance (and privacy!) impact to check all the parent domain(s) to see if they also send an HSTS header with includeSubDomains.
So it should be set on the domain used as well as any parent domain(s).
Now even that is often not enough to give full protection. For example, if you sent it on www.example.com and on example.com but example.com is not usually visited, then most website visitors will only have the www variant cached as an HSTS domain. So it may well be possible to visit example.com over HTTP for at least one request. For this reason it is recommended to load one asset (e.g. an image) from your base domain over HTTPS when visiting your www domain, so that both HSTS policies are loaded. It is also recommended to redirect as example.com -> https://example.com -> https://www.example.com rather than example.com directly to https://www.example.com, to pick up any example.com HSTS policy despite the performance impact of that extra redirect.
And it is possible to have different policies at each level. For example, if you have some subdomains which are not on HTTPS (e.g. intranet.example.com) then you can have an HSTS policy at top level with no includeSubDomains and a different HSTS policy at www.example.com with includeSubDomains.
The alternative to all this is to preload the domain. This hardcodes the whole domain (and usually all subdomains) in the browser code so even first visits are protected. This also doesn't have the performance impact of checking all the parent domains, so it does take effect with only one entry with includeSubDomains. But preloading is a serious commitment and should not be entered into lightly as it's basically irreversible. Also you cannot preload unless all your subdomains are HTTPS, well, at least without asking for special preloading. Another reason to load an image from the top level domain so the base policy is picked up before any irreversible preloading takes effect!
All in all, it’s complicated! :-) But worth the effort to understand it and get it right.
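The behaviour described in the answer above can be checked with a small model of a browser's HSTS cache. This is an added example, not browser code and not from the original answer: the hostnames are the example.com names from the answer, the Strict-Transport-Security headers and the preload entry are constructed, and the lookup rule (exact host, then each parent that has includeSubDomains, then the preload list) is a simplification of what real browsers do. The point it demonstrates is that a policy is only ever stored for the host that actually sent it, so a parent's policy helps only once the parent has been visited over HTTPS (directly, via the redirect chain, or via a subresource such as an image), and that includeSubDomains on the base domain would also capture a plain-HTTP host like intranet.example.com.

```python
"""Toy model of a browser's HSTS cache (added example, not browser code)."""

import re
import time

# Constructed server configurations: host -> Strict-Transport-Security header.
# BROAD sets includeSubDomains on the base domain; SPLIT keeps the base domain's
# policy narrow and puts includeSubDomains on www instead, as the answer suggests
# when a subdomain such as intranet.example.com cannot be served over HTTPS.
BROAD = {
    "example.com": "max-age=31536000; includeSubDomains",
    "www.example.com": "max-age=31536000",
}
SPLIT = {
    "example.com": "max-age=31536000",
    "www.example.com": "max-age=31536000; includeSubDomains",
}

# Constructed stand-in for the browser's built-in preload list: host -> includeSubDomains.
PRELOAD = {"preloaded-example.org": True}


class HstsCache:
    """Minimal cache: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self, now=time.time):
        self.entries = {}
        self.now = now

    def observe(self, host, header):
        """Record an HSTS header received over HTTPS from `host`.

        The policy is keyed on the exact host that sent it; nothing is inferred
        about, or stored for, its parent domains at this point."""
        if header is None:
            return
        m = re.search(r"(?i)max-age=(\d+)", header)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 withdraws the policy
            return
        include_subs = re.search(r"(?i)\bincludesubdomains\b", header) is not None
        self.entries[host] = (self.now() + max_age, include_subs)

    def must_upgrade(self, host):
        """True if an http:// request to `host` would be rewritten to https://.

        Checks the exact host, then each parent label (which only counts if its
        entry carries includeSubDomains), consulting the preload list at each step."""
        labels = host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            exact = i == 0
            if name in PRELOAD and (exact or PRELOAD[name]):
                return True
            entry = self.entries.get(name)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False


def visit_https(cache, host, headers, subresource_hosts=()):
    """Simulate an HTTPS page load of `host` plus any HTTPS subresources
    (e.g. an image fetched from the base domain), caching every header seen."""
    cache.observe(host, headers.get(host))
    for sub in subresource_hosts:
        cache.observe(sub, headers.get(sub))


def scenario_www_only():
    """Visitor only ever loads www.example.com: base domain stays unprotected."""
    cache = HstsCache()
    visit_https(cache, "www.example.com", BROAD)
    return cache.must_upgrade("www.example.com"), cache.must_upgrade("example.com")


def scenario_base_first(headers):
    """Visitor hits example.com first (as the two-step redirect chain ensures).
    Returns upgrade decisions for (www, base, intranet)."""
    cache = HstsCache()
    visit_https(cache, "example.com", headers)
    return (cache.must_upgrade("www.example.com"),
            cache.must_upgrade("example.com"),
            cache.must_upgrade("intranet.example.com"))


def scenario_www_with_base_image():
    """www page loads one image from https://example.com, seeding the base policy."""
    cache = HstsCache()
    visit_https(cache, "www.example.com", BROAD, subresource_hosts=["example.com"])
    return cache.must_upgrade("example.com")


def scenario_preloaded():
    """A preloaded domain is upgraded on the very first visit, nothing cached yet."""
    return HstsCache().must_upgrade("sub.preloaded-example.org")


if __name__ == "__main__":
    print("www only        (www, base):", scenario_www_only())
    print("base first BROAD (www, base, intranet):", scenario_base_first(BROAD))
    print("base first SPLIT (www, base, intranet):", scenario_base_first(SPLIT))
    print("www + base image (base):", scenario_www_with_base_image())
    print("preloaded first visit:", scenario_preloaded())
```

Running it shows the inconsistency the answer warns about: with the BROAD configuration a www-only visitor never gets example.com upgraded, while a visitor who reached example.com first gets www, the base domain and, because of includeSubDomains, the HTTP-only intranet host upgraded too; SPLIT keeps intranet out but then also leaves www uncovered until www itself is visited; the base-domain image and the preload list close the first-visit gap.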