From 5525eebf2bcc174917e7b84f14f6af68c6c6ca84 Mon Sep 17 00:00:00 2001
From: Daniel Marquard
Date: Tue, 14 Oct 2014 00:16:22 -0400
Subject: [PATCH 1/2] Removed "includeSubDomains"

As a best practice, Nginx should only direct clients to use the certificate on specified domains. This is because not all servers using other subdomains necessarily listen on 443 and because, unless it is a wildcard certificate, it likely won't be valid on subdomains other than WWW.
---
 h5bp/directive-only/ssl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/h5bp/directive-only/ssl.conf b/h5bp/directive-only/ssl.conf
index a4da1c4..bc392b4 100644
--- a/h5bp/directive-only/ssl.conf
+++ b/h5bp/directive-only/ssl.conf
@@ -31,7 +31,7 @@ ssl_session_timeout 24h;
 keepalive_timeout 300; # up from 75 secs default
 
 # remember the certificate for a year and automatically connect to HTTPS
-add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
+add_header Strict-Transport-Security max-age=31536000;
 
 # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
 # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.

From 99cdb58475e2761cd58e1daedc21b946d83966cd Mon Sep 17 00:00:00 2001
From: Daniel Marquard
Date: Thu, 16 Oct 2014 05:40:48 -0400
Subject: [PATCH 2/2] HSTS off by default

Consensus to disable HSTS by default.
---
 h5bp/directive-only/ssl.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/h5bp/directive-only/ssl.conf b/h5bp/directive-only/ssl.conf
index bc392b4..25c6c61 100644
--- a/h5bp/directive-only/ssl.conf
+++ b/h5bp/directive-only/ssl.conf
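Review bot: The new `add_header Strict-Transport-Security max-age=31536000;` line in the PATCH 1/2 hunk is only delivered on responses from contexts that declare no `add_header` of their own, because nginx does not inherit `add_header` into a `location` block that sets any header itself; that is unchanged by this patch but is the usual reason an HSTS policy silently goes missing, and the file should say so next to the directive. The commit message and the unchanged `# remember the certificate for a year` comment describe HSTS in terms of the certificate, whereas the header only commits the browser to reach this hostname over HTTPS for max-age seconds. Dropping `includeSubDomains` is justified because it would extend that commitment to every subdomain, including ones with nothing listening on 443, rather than because of certificate validity. I would add the comment `# add_header is not inherited into a location that sets its own headers; repeat it there` above the directive.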
@@ -30,8 +30,9 @@ ssl_session_timeout 24h;
 # Use a higher keepalive timeout to reduce the need for repeated handshakes
 keepalive_timeout 300; # up from 75 secs default
 
-# remember the certificate for a year and automatically connect to HTTPS
-add_header Strict-Transport-Security max-age=31536000;
+# HSTS (HTTP Strict Transport Security)
+# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
+#add_header Strict-Transport-Security max-age=31536000;
 
 # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
 # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
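Review bot: The added comment `# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.` misdescribes HSTS: the browser neither caches nor pins the certificate, it records that this hostname must be reached only over HTTPS for max-age seconds (31536000 is one year), and without `includeSubDomains` that rule covers this hostname alone. Because a client that has seen the header will refuse plain HTTP to the host until max-age expires, whoever uncomments the directive should first confirm every HTTP endpoint on the host is served over TLS and may prefer a short max-age to begin with. I would replace the two comment lines with `# HSTS (HTTP Strict Transport Security): a browser that sees this header will refuse plain HTTP to this` and `# hostname for max-age seconds (one year here); subdomains are not covered. Only enable once all` and `# HTTP content on this host is reachable over TLS, since clients cannot be told to forget it early.`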