nixos/nginx: cautionary note about HSTS includeSubdomains

NixOS · Nov 23, 2024 · b4ecee7 · b4ecee7
1 parent 7c2fd91
commit b4ecee7
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -264,6 +264,11 @@ with lib;
           that e.g. if the virtual host is `https://www.example.com` it also
           sets the HSTS policy for `https://sub.www.example.com`.
 
+          This can be especially helpful if you have rarely-visited subdomains
+          of a frequently-visited parent domain, but it can also be hazardous
+          since it can enable HSTS for a subdomain which doesn't actually
+          support HTTPS, which would make it fully inaccessible.
+
           ::: {.note}
           "Sibling" domains like https://mail.example.com are not affected.
           :::