HSTS on domain and www subdomain


I have enable HSTS on Edge Certificates section.

I want to have HSTS on root domain com and subdomain www available for inclusion on Chrome’s HTTP Strict Transport Security (HSTS) preload list.

I have added rule to NGINX to enable HSTS for subdomain www as well.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

However for the SEO purposes my prime canonical address which user are redirected to is https:// www. yyy. com

My question is how to comply with HSTS preload status and eligibility while keeping my canonical URL.

In order to be accepted to the HSTS preload list the site must satisfy the following set of requirements:

Serve a valid certificate.
Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
Serve all subdomains over HTTPS.
In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
Serve an HSTS header on the base domain for HTTPS requests:
The max-age must be at least 31536000 seconds (1 year).
The includeSubDomains directive must be specified.
The preload directive must be specified.
If serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

Did you enable “Always Use HTTPS” in the Edge Certificates section? That should fix the first error.

No, I haven’t enabled Always Use HTTPS” in the Edge Certificates section because
I force HTTPS on my server. I redirect all visitors so that they visit my site through HTTPS on my origin server.

I have enabled Always Use HTTPS in the Edge Certificates section and now my domain is eligible for the HSTS preload list.

Can you please let me know how to create page rule for redirect 301 from https:// domain to https:// www subdomain.

https://xyz.com/* -> https://www.xyz.com/*

This topic was automatically closed after 30 days. New replies are no longer allowed.