Trust

MEDIUM

HSTS policy carries the includeSubDomains directive

The Strict-Transport-Security header on the homepage includes the `includeSubDomains` directive. Without `includeSubDomains`, a subdomain still served over plain HTTP (staging, mail, …) can be used to attack the apex domain's cookies.

What this check looks for

RFC 6797 §6.1.2 defines `includeSubDomains`, which extends the HSTS policy to every subdomain of the issuing host. Without it, a forgotten `staging.merchant.com` or `mail.merchant.com` served over HTTP can be used as a downgrade vector against authenticated shoppers, because cookies are scoped more widely than an HSTS policy that lacks the directive. This check requires HSTS to be present (see `https-and-hsts-enforced`); if HSTS is missing it returns `na` rather than `fail`, so merchants fix the prerequisite first.
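As an added illustration (not the audit tool's own code), the check's decision logic written as a small RFC 6797 header parser; the function names are assumptions, and the sample header values in the comments are constructed:

```python
from typing import Optional


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive_name: value}.

    RFC 6797 §6.1: directives are separated by ';', names are case-insensitive,
    a value may be quoted, and a directive must not appear more than once.
    A duplicate makes the header non-conforming, so we return {} (ignore it).
    """
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            return {}
        directives[name] = value
    return directives


def check_include_subdomains(hsts_header: Optional[str]) -> str:
    """Evaluate the check on the homepage's Strict-Transport-Security header.

    Returns 'na'   when there is no usable HSTS policy (prerequisite missing),
            'fail' when HSTS is set but lacks includeSubDomains,
            'pass' when both are present.
    """
    if hsts_header is None:
        return "na"
    directives = parse_hsts(hsts_header)
    max_age = directives.get("max-age")
    # max-age is the only required directive; a missing, malformed or zero
    # value means no policy is in force, so there is nothing to extend.
    if max_age is None or not max_age.isdigit() or int(max_age) == 0:
        return "na"
    return "pass" if "includesubdomains" in directives else "fail"


if __name__ == "__main__":
    # Constructed sample values, e.g. "max-age=31536000; includeSubDomains" -> pass
    for value in ["max-age=31536000; includeSubDomains", "max-age=31536000", None]:
        print(repr(value), "->", check_include_subdomains(value))
```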

Which AI surfaces it affects

  • Google AI Mode (UCP): 60
  • ChatGPT (ACP): 60
  • Perplexity: 60
  • Microsoft Copilot: 60
  • Meta AI: 50

Weighted against the live specs — ACP 2026-04-17, UCP 2026-04-08.

How to fix it

Add `includeSubDomains` to your Strict-Transport-Security header

Shopify

One click
  1. Shopify's storefront HSTS header already includes `includeSubDomains`. No action needed on `*.myshopify.com` or Shopify-managed custom domains.
  2. If failing, you're likely auditing a CDN-fronted custom domain where HSTS is terminated upstream — update the upstream config.

Platform docs ↗

BigCommerce

Developer
  1. BigCommerce ships HSTS with `includeSubDomains` on its managed domains. If failing on a custom domain, update the SSL/header configuration at the CDN.

Platform docs ↗

WooCommerce

Developer
  1. Edit your server config (`.htaccess` for Apache or the nginx server block) and update the HSTS header to include `includeSubDomains`.
  2. Verify with `curl -I https://yourstore.com/` after deploying.

Platform docs ↗

Custom / headless

Developer
  1. Audit every subdomain you operate — confirm each serves over HTTPS only.
  2. Update the edge/load-balancer config so the Strict-Transport-Security header includes `includeSubDomains`.
  3. Roll out gradually; once the header is live, browsers will refuse plain-HTTP requests to ALL subdomains.

`Strict-Transport-Security: max-age=31536000; includeSubDomains`

Platform docs ↗

The spec it's pinned to

  • RFC 6797 — HSTS `includeSubDomains` directive

    RFC 6797 §6.1.2 defines the `includeSubDomains` directive. When present, the HSTS policy applies to every subdomain of the issuing host; without it, subdomains are unprotected and can be used as a downgrade vector.

MDN — Strict-Transport-Security

Does your store pass this check?

Run the full audit — 82 checks across five AI shopping surfaces. Most tools only check whether you get mentioned; we check whether an agent can buy from you.
