Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

=JeffH <> Wed, 22 August 2012 00:14 UTC

Date: Tue, 21 Aug 2012 17:14:37 -0700
From: =JeffH <>
To: Tobias Gondrom <>
Cc: IETF WebSec WG <>
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Tobias asked:
 > the case in question is: does HSTS with max-age=0 and includeSubDomains
 > mean you remove the HSTS flag (entry) for the subDomains as well ?

If you mean to ask whether a UA receiving this header from

   Strict-Transport-Security: max-age=0; includeSubDomains

..affects any _entries_ the UA may have in its HSTS list for subdomains of, the answer is "no".

Also, receipt of the below header should be treated by the UA the same as 
receipt of the above header (where both headers are received from

     Strict-Transport-Security: max-age=0

The intention is that receipt of an HSTS header field with "max-age=0" is 
treated the same regardless of the presence or absence of the includeSubDomains 
flag in the header field. The effect in both cases is to remove the entire entry 
for "" from the UA's HSTS host list.

In other words, the UA maintains HSTS information indexed by hostname, and must 
receive an STS header from a given host (over a secure connection) in order to 
create, update, or delete HSTS info about the given host.