From 4a99ac554824cde8be34cc173abc7cf1ef69dd7a Mon Sep 17 00:00:00 2001
From: Jason Wilder <jwilder@litl.com>
Date: Sat, 28 Feb 2015 15:50:59 -0700
Subject: [PATCH] Remove includeSubdomains from HSTS header

includeSubdomains can lead to issues where not all subdomains are
able to use HTTPS.  This options might be too strict for the general
case: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.
It can be re-enabled w/ a custom template if needed.

Fixes #109
---
 nginx.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index fdb319c..446ec31 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -105,7 +105,7 @@ server {
 	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
 
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+	add_header Strict-Transport-Security "max-age=31536000";
 
 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};