HSTS Missing From HTTPS Server

Both the includeSubDomains and preload are dangerous options here; the first applies HSTS outside of the vhost where the header was added, and the second (eventually) puts you on the preload list such that if you ever do have a certificate problem, you really will never be able to access your site.


That is the concern

So mitigate it–don’t add the preload directive. It doesn’t need to be there, and at least right now, the common scanners don’t penalize for it not being there.

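An added example, not code from anyone in this thread: a Python check that parses a Strict-Transport-Security value using RFC 6797 syntax and reports the two scope-widening directives discussed above. The function names and the sample header values are constructed for illustration.

```python
# Added example: audit a Strict-Transport-Security header value.

def parse_hsts(value):
    """Return (max_age, flags) for an HSTS value; raise ValueError if malformed."""
    max_age, flags, seen = None, set(), set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (";;") are tolerated
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # value may be a quoted-string
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError("max-age needs a non-negative integer")
            max_age = int(arg)
        elif name in ("includesubdomains", "preload"):
            if sep:
                raise ValueError(f"{name} takes no value")
            flags.add(name)
        # any other directive is ignored
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, flags

def audit_hsts(value):
    """List the directives that widen or lock in the policy's scope."""
    max_age, flags = parse_hsts(value)
    findings = []
    if "includesubdomains" in flags:
        findings.append("includeSubDomains: policy applies beyond the vhost that sent it")
    if "preload" in flags:
        findings.append("preload: opts the site in to browser preload lists")
    if max_age == 0:
        findings.append("max-age=0: tells browsers to drop the stored policy")
    return findings

if __name__ == "__main__":
    # Constructed sample header values
    for sample in ("max-age=31536000",
                   "max-age=63072000; includeSubDomains; preload"):
        print(sample, "->", audit_hsts(sample) or "no scope findings")
```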