I have enabled HSTS in the Edge Certificates section.
I want to have HSTS on root domain com and subdomain www available for inclusion on Chrome’s HTTP Strict Transport Security (HSTS) preload list.
I have added a rule to NGINX to enable HSTS for the www subdomain as well.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
However, for SEO purposes, my prime canonical address, which users are redirected to, is https://www.yyy.com
My question is how to comply with HSTS preload status and eligibility while keeping my canonical URL.
In order to be accepted to the HSTS preload list the site must satisfy the following set of requirements:
1. Serve a valid certificate.
2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
3. Serve all subdomains over HTTPS.
   - In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
4. Serve an HSTS header on the base domain for HTTPS requests:
   - The max-age must be at least 31536000 seconds (1 year).
   - The includeSubDomains directive must be specified.
   - The preload directive must be specified.
   - If serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
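The redirect and header requirements quoted above can be checked mechanically against a captured redirect chain. The following is an added example, not part of the original post: the function names, the `example.com` host and the sample chains are constructed assumptions, and the hops would normally be captured from the live site.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # 1 year, the minimum from the quoted requirements

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, directive names)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name.lower())
    return max_age, flags

def check_chain(base, hops):
    """Check (url, status, headers) hops served by the base domain; return problems."""
    problems = []
    for url, status, headers in hops:
        u = urlsplit(url)
        h = {k.lower(): v for k, v in headers.items()}
        if u.hostname != base:
            continue  # the header requirements apply to the base domain's responses
        if u.scheme == "http":
            # Requirement 2: first hop must go to HTTPS on the same host.
            t = urlsplit(h.get("location", ""))
            if not (300 <= status < 400 and t.scheme == "https" and t.hostname == base):
                problems.append("HTTP must first redirect to HTTPS on the same host")
            continue
        # Requirement 4: also applies when this HTTPS response is itself a redirect.
        max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
        if max_age is None:
            problems.append(f"missing HSTS header or max-age on {status} from {url}")
            continue
        if max_age < MIN_MAX_AGE:
            problems.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
        for directive in ("includesubdomains", "preload"):
            if directive not in flags:
                problems.append(f"{directive} directive missing on {url}")
    return problems

# Constructed sample chains (not captured from a real site).
HSTS = "max-age=63072000; includeSubDomains; preload"
GOOD = [("http://example.com/", 301, {"Location": "https://example.com/"}),
        ("https://example.com/", 301, {"Location": "https://www.example.com/",
                                       "Strict-Transport-Security": HSTS}),
        ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS})]
BAD = [("http://example.com/", 301, {"Location": "https://www.example.com/"}),
       ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
       ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS})]
```

`GOOD` keeps www as the canonical address while the base domain's own HTTPS redirect carries the header; `BAD` sends HTTP straight to www and omits the header on the base domain's redirect, so both checks fail.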