From 28d1beb8d968bc278ebbad70ada1e37a3db28917 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Wed, 20 Jul 2022 15:08:04 -0400
Subject: [PATCH] Disable HSTS includeSubdomains by default Ref #741 This changes the default for HSTS' `includeSubdomains` value from `true` to `false`. Previously a user visiting a WordPress site would result in HSTS being enabled in their browser for _all_ subdomains of the site's domain. Now HSTS will only apply to the hostnames activately managed by Trellis in the `wordpress_sites.yml` config. This is a safer default since subdomains can frequently exist without SSL.
---
 roles/wordpress-setup/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml
index 4684d17a67..f03c2b010a 100644
--- a/roles/wordpress-setup/defaults/main.yml
+++ b/roles/wordpress-setup/defaults/main.yml
@@ -18,7 +18,7 @@ nginx_sites_confs:
 # HSTS defaults
 nginx_hsts_max_age: 31536000
-nginx_hsts_include_subdomains: true
+nginx_hsts_include_subdomains: false
 nginx_hsts_preload: false
 # HSTS helpers
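Review bot: With `nginx_hsts_include_subdomains: false` as the new default, the neighbouring `nginx_hsts_preload: false` becomes a trap: the HSTS preload list requires both `includeSubDomains` and `preload` in the header, so a user who flips only `nginx_hsts_preload` to true would emit a header the preload service rejects. A comment on the defaults would make that coupling visible, e.g. `# Preloading (hstspreload.org) requires includeSubDomains; set nginx_hsts_include_subdomains: true as well before enabling nginx_hsts_preload.` The helpers that assemble the header under `# HSTS helpers` lie outside the hunk, so whether they already enforce this cannot be seen here. It is also worth stating in the commit message that browsers which already cached the old includeSubDomains policy presumably keep it until they next receive a Strict-Transport-Security header from the site, so the safer default takes effect gradually rather than immediately.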