Security Headers - Adding `includeSubDomains` and `preload` to Strict-Transport-Security header to sites with default domain name

Hey all,
In our continuing efforts to improve security for all Netlify sites, we are making a change to the Strict-Transport-Security (HSTS) header. In addition to the existing value max-age=31536000, we will be adding the values includeSubDomains and preload to all sites that are not using a custom domain name.

Since all sites are automatically routed to use HTTPS, this should not cause any issues.

  • includeSubDomains forces HTTPS security attributes on all sub-domains of a site, such as Content Security Policy (CSP).
  • preload ensures that the HTTPS security attributes are loaded into the browser or client before visiting a site.
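For anyone who wants to verify the header their own site sends (for example a custom-domain site that sets HSTS itself), here is a small checker, added as an example and not Netlify's code. It parses a Strict-Transport-Security value and reports what is missing for the header to meet the browser preload list's requirements (max-age of at least one year, includeSubDomains, preload); the sample header values are constructed.

```python
# Minimum max-age (one year, in seconds) required by the browser preload list.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse an HSTS header value into its directives.

    Returns a dict with 'max_age' (int or None), 'include_subdomains' (bool),
    'preload' (bool) and 'unknown' (unrecognised directive names).
    Directive names are case-insensitive and max-age may be quoted (RFC 6797).
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "unknown": []}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        else:
            result["unknown"].append(name)
    return result


def preload_problems(header_value):
    """Return the reasons this header would not qualify for the preload list."""
    parsed = parse_hsts(header_value)
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age missing or not an integer")
    elif parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {parsed['max_age']} is below {PRELOAD_MIN_MAX_AGE}")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload missing")
    return problems


# Constructed sample values: the previous header and the new one.
OLD_HEADER = "max-age=31536000"
NEW_HEADER = "max-age=31536000; includeSubDomains; preload"
```

Because includeSubDomains covers every subdomain of the host, check that each subdomain you serve is reachable over HTTPS before adding it yourself.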

Ask us for help!

Please feel free to reach out with questions and we will do our best to answer. :slight_smile: