Why does Kuroco not include includeSubDomains in the Strict-Transport-Security (HSTS) header?
Overview of HSTS and includeSubDomains
HSTS (HTTP Strict Transport Security) is a security header that instructs browsers to always use HTTPS when connecting to a domain.
Strict-Transport-Security: max-age=31536000
Adding the includeSubDomains directive extends the HSTS policy to all subdomains of that domain.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Why Kuroco does not include includeSubDomains
Kuroco intentionally omits includeSubDomains from the HSTS header.
Custom domains in Kuroco and their scope of impact
Kuroco allows customers to assign their own custom domains to Kuroco's frontend and API. In this case, Kuroco only manages a portion of that domain (such as the frontend or API subdomains), while other subdomains under the same domain are typically operated by the customer using different services or servers.
When includeSubDomains is present, the browser enforces HTTPS for all subdomains under the domain. However, when a custom domain is used, not all subdomains are necessarily managed by Kuroco.
For example, if the customer's custom domain example.com is used with Kuroco:
| Subdomain | Purpose | Managed by |
|---|---|---|
www.example.com | Kuroco frontend | Kuroco |
api.example.com | Kuroco API | Kuroco |
internal.example.com | Internal tool | Your own server |
legacy.example.com | Legacy system | Third-party service |
If includeSubDomains is enabled, HTTPS would also be forced on internal.example.com and legacy.example.com, which are outside Kuroco's control.
Since Kuroco operates on a portion of the customer's domain, it would be inappropriate for Kuroco to unilaterally apply a security policy that affects the customer's entire domain.
Potential risks
- Inaccessible subdomains: If a subdomain only supports HTTP, the browser's forced HTTPS connection will fail, making the subdomain inaccessible.
- Certificate mismatch errors: If a subdomain does not have a valid TLS certificate, the browser will display a security error.
- Difficult recovery: HSTS is cached by the browser, making it difficult for users to override during the
max-ageperiod once applied.
Kuroco's approach
Kuroco manages HSTS with the following policy:
- HSTS header is applied: HSTS is active for domains managed by Kuroco.
- includeSubDomains is not applied: This is intentionally omitted to avoid affecting subdomains outside Kuroco's management scope.
- Limited scope of impact: Security policies are applied only within the scope that Kuroco can be responsible for.
If a vulnerability assessment flags the missing includeSubDomains
If a vulnerability assessment reports the absence of includeSubDomains in the HSTS header, you can provide the following explanation:
"This system uses Kuroco, a headless CMS. Kuroco allows customers to use their own custom domains, and other subdomains under the same domain may be operated by services other than Kuroco. If includeSubDomains were applied, HTTPS would be forced on those non-Kuroco subdomains, potentially causing unintended access disruptions. Therefore, Kuroco intentionally limits the scope of HSTS to only the domains it manages and does not include includeSubDomains. HSTS is applied to the domains managed by Kuroco, ensuring that HTTPS communication is enforced."
If the above explanation is insufficient or additional evidence is required, please contact our support team.
Related documentation
Support
If you have any other questions, please contact us or check out Our Slack Community.