diff --git a/h5bp/directive-only/ssl.conf b/h5bp/directive-only/ssl.conf
index a4da1c4..bc392b4 100644
--- a/h5bp/directive-only/ssl.conf
+++ b/h5bp/directive-only/ssl.conf
@@ -31,7 +31,7 @@ ssl_session_timeout  24h;
 keepalive_timeout 300; # up from 75 secs default
 
 # remember the certificate for a year and automatically connect to HTTPS
-add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
+add_header Strict-Transport-Security max-age=31536000;
 
 # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
 # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.