
Returning Strict-Transport-Security includeSubdomains for a subdomain


Trying to find the answer and the spec doesn't actually seem to help.

The spec for HSTS says the following about the includeSubdomains flag:

    includeSubDomains is a flag which, if present, signals to the UA that the HSTS Policy applies to this HSTS Server as well as any subdomains of the server's FQDN.

All the examples I've seen assume that the request goes to e.g. example.com (with no subdomain specified), so returning includeSubdomains will then make it apply to www.example.com, api.example.com etc. as well as to example.com.

Two questions:

  1. If I return an HSTS header with includeSubdomains to a request to www.example.com, will it then apply to www.example.com and all other subdomains? It sounds like it does. Does it also apply to the top-level example.com?

  2. If I return the HSTS header in a request to www.example.com and I don't include the includeSubdomains flag, will the HSTS header apply only to www.example.com, or will it also apply to example.com?

For instance, could I return one HSTS header for requests to www.example.com and another HSTS header (perhaps with a different max-age value) to api.example.com? If I return a header to requests to example.com which has includeSubdomains specified, what takes priority - the subdomain-specific HSTS header or the global header?


Solution

  • If I return an HSTS header with includeSubdomains to a request to www.example.com, will it then apply to www.example.com and all other subdomains? It sounds like it does. Does it also apply to the top-level example.com?

    No, it will apply to all sub domains of the domain it’s set for. For example sub.www.example.com. It will NOT apply to any sibling domains (e.g. api.example.com), nor the parent domain (example.com). The includeSubdomains flag is for going further down - not for going back up, or sideways.

    For that reason many sites recommend loading something from the top level domain to pick up the top level HSTS policy (e.g. https://example.com/pixel.png) and so protect the whole site including sibling domains. This works even if the request 301s to the www variant (https://example.com/pixel.png) — if the 301 includes the HSTS header, as that’s enough for the browser to see the top level policy.

    If I return the HSTS header in a request to www.example.com and I don't include the includeSubdomains flag, will the HSTS header apply only to www.example.com, or will it also apply to example.com?

    Any HSTS header for www.example.com has no impact on example.com. It only applies for the www domain (and potentially sub domains, depending on the presence of the includeSubdomains flag).

    For instance, could I return one HSTS header for requests to www.example.com and another HSTS header (perhaps with a different max-age value) to api.example.com?

    Yup, they are completely independent.

    If I return a header to requests to example.com which has includeSubdomains specified, what takes priority - the subdomain-specific HSTS header or the global header?

    The sub domain specific one takes priority. However if the sub domain specific one expires without being reset, then it no longer exists, so the base level domain policy then kicks into place.
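The scoping rules the answer describes can be checked against a small model of what a browser keeps in its HSTS host cache. The following is an added example, not code from the question or the answer: it follows RFC 6797 (sections 6.1, 8.1 and 8.3) for parsing the header, ignoring it over plain HTTP, and deciding whether a host is a "known HSTS host" by checking the exact host and then each parent domain for an unexpired entry with includeSubDomains. All host names, header values and timestamps are constructed samples, and the clock is passed in explicitly so expiry can be exercised without waiting.

```python
"""Toy model of a browser's HSTS host cache (RFC 6797 semantics).

Added example for the thread above; not the questioner's or answerer's code.
Hosts, header values and times are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) after which the entry is stale
    include_subdomains: bool   # set when the header carried includeSubDomains


def parse_hsts(header_value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a header the UA must ignore: no max-age directive, a
    non-numeric max-age, or a directive that appears more than once
    (RFC 6797 section 6.1 allows each directive at most once)."""
    max_age: Optional[int] = None
    include_sub: Optional[bool] = None
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age="300" is allowed
        if name == "max-age":
            if max_age is not None or not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            if include_sub is not None:
                return None
            include_sub = True
        # any other directive (e.g. preload) is permitted and ignored here
    if max_age is None:
        return None
    return max_age, bool(include_sub)


class HstsStore:
    """Per-host cache of HSTS policies, keyed by the exact host that sent the header."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsEntry] = {}

    @staticmethod
    def _canon(host: str) -> str:
        return host.lower().rstrip(".")

    def process_header(self, host: str, header_value: str, now: float,
                       over_tls: bool = True) -> None:
        """Record the policy carried by a response from `host`.

        A header received over plain HTTP is ignored (section 8.1), a malformed
        header is ignored, and max-age=0 deletes the host's entry."""
        if not over_tls:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = self._canon(host)
        if max_age == 0:
            self._hosts.pop(host, None)
            return
        self._hosts[host] = HstsEntry(now + max_age, include_sub)

    def is_known_hsts_host(self, host: str, now: float) -> bool:
        """True if requests to `host` must be upgraded to HTTPS (section 8.3).

        A host matches its own unexpired entry (checked first), or an unexpired
        entry of a parent domain whose header set includeSubDomains. Entries
        on sibling hosts, or on hosts below `host`, are never consulted."""
        labels = self._canon(host).split(".")
        for depth in range(len(labels)):
            candidate = ".".join(labels[depth:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._hosts[candidate]   # expired: treated as if it never existed
                continue
            if depth == 0 or entry.include_subdomains:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the thread's questions with constructed hosts and times."""
    store = HstsStore()
    t = 1_000_000.0
    # Q1/Q2: a policy set by www.example.com reaches only www and hosts below it.
    store.process_header("www.example.com", "max-age=3600; includeSubDomains", now=t)
    r = {
        "q1_www": store.is_known_hsts_host("www.example.com", t),
        "q1_below_www": store.is_known_hsts_host("sub.www.example.com", t),
        "q1_parent": store.is_known_hsts_host("example.com", t),
        "q1_sibling": store.is_known_hsts_host("api.example.com", t),
    }
    # Q3/Q4: a base policy with includeSubDomains plus api's own short policy.
    store.process_header("example.com", "max-age=31536000; includeSubDomains", now=t)
    store.process_header("api.example.com", "max-age=60", now=t)
    r["q4_api_during"] = store.is_known_hsts_host("api.example.com", t + 30)
    # Once api's own entry lapses, the base policy still covers it.
    r["q4_api_after_expiry"] = store.is_known_hsts_host("api.example.com", t + 120)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reproduces the answer: www's includeSubDomains covers sub.www.example.com but neither example.com nor api.example.com, separate hosts keep independent entries, and when api.example.com's short entry expires the base example.com policy takes over. The lookup walks every parent domain rather than stopping at the nearest entry, so a parent's includeSubDomains also reaches hosts below a subdomain that set its own policy without the flag, which is what section 8.3 prescribes.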