How to Set Up Secure Transport Security for WWW Redirect

If you are trying to configure Secure Transport Security headers for your ASP.NET website, be careful not to include subdomains unless you already have a wildcard SSL certificate or the certificate is issued to the www version of your domain. I found this out after adding Secure Transport Security to this website. After I did that, the redirect from www to non-www resulted in a privacy error in Google Chrome before the redirect could be processed.

I solved this simply by removing "includeSubDomains" from the Strict-Transport-Security value in my web.config file. The new value just includes max-age. This was not a problem on another site of mine where I had a wildcard SSL certificate. On that site would be covered by a certificate issued to * but this site has a certificate issued to so a call to returns an invalid certificate. I wish I had gotten a wildcard because I intend to add subdomains in the future for geographic areas.
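The check below is an added example, not code from this site: given a Strict-Transport-Security value and the names on a certificate, it lists the hosts a browser would force onto HTTPS that the certificate cannot serve. The example.com hostnames, the max-age value and all function names are constructed for illustration.

```python
def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def cert_covers(host, cert_names):
    """True if host matches a certificate name; '*' stands for one left-most label."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.example.com" -> ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            # Covers www.example.com, but not example.com or a.b.example.com.
            if label and "." not in label:
                return True
    return False


def hosts_broken_by_hsts(hsts_value, hsts_host, cert_names, hosts_in_use):
    """Hosts the browser will force onto HTTPS that the certificate cannot serve."""
    max_age, include_sub = parse_hsts(hsts_value)
    if not max_age:  # header absent or max-age=0: no policy is stored
        return []
    broken = []
    for host in hosts_in_use:
        h = host.lower()
        in_scope = h == hsts_host or (include_sub and h.endswith("." + hsts_host))
        if in_scope and not cert_covers(h, cert_names):
            broken.append(host)
    return broken


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com"]  # constructed sample hosts
    for value in ("max-age=31536000; includeSubDomains", "max-age=31536000"):
        for names in (["example.com"], ["example.com", "*.example.com"]):
            print(value, names, "->", hosts_broken_by_hsts(value, "example.com", names, hosts))
```

Only the combination of includeSubDomains and a certificate issued to the bare domain reports www as broken, which is the case described above.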


Buy a wildcard certificate or do not include subdomains in your Strict-Transport-Security value in your web.config file. Secure Transport Security is not really necessary if you build your site right anyway. Just make sure everything redirects to HTTPS and all of your links link to https URLs and the site will be HTTPS everywhere.