I was asked by our compliance team at work to add 'includeSubDomains' to the Strict-Transport-Security header for our site. So I added the entry below (top one) to our .NET site's web.config. But when I did that, I see another Strict-Transport-Security entry (2nd one below) with only the max-age and a bigger value.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=157680000
My questions are:
- Which one would the browsers obey? (I'm hoping the one with the includeSubDomains)
- Is there a way to remove the second one and how is it set? My site is hosted in IIS 10 and I checked in the HTTP headers configuration and don't see where the 2nd one is set, only the top one is set there.
I googled around for dup headers to see what they say about this but can't find anything on my particular situation or how to remove it.
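Added example (not part of the original post or of any project it mentions): a small Python model of how a browser handles a response that carries two Strict-Transport-Security header fields. RFC 6797 section 8.1 says a user agent processes only the first STS header field in a response and ignores the rest, and section 6.1 says a header with a missing or duplicated max-age directive is invalid. The sample response below is constructed from the two header values quoted in the question; the function names (`parse_raw_headers`, `parse_sts_value`, `effective_hsts_policy`, `audit_sts`) are this example's own, not an API of IIS or .NET.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two STS headers quoted in the question, in the
# order they were reported (includeSubDomains entry first).
SAMPLE_RAW_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=157680000
"""


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs.

    Header names are case-insensitive, so they are lower-cased here; the
    status line is skipped. Order is preserved because RFC 6797 cares about it.
    """
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_sts_value(value: str) -> Optional[Dict[str, object]]:
    """Parse one STS field value per RFC 6797 section 6.1.

    Returns None when the value is invalid (no max-age, non-numeric max-age,
    or any directive repeated). Unknown directives are ignored.
    """
    policy: Dict[str, object] = {
        "max_age": None,
        "include_subdomains": False,
        "preload": False,
    }
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # duplicated directive makes the header invalid
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def effective_hsts_policy(headers: List[Tuple[str, str]]) -> Optional[Dict[str, object]]:
    """Apply RFC 6797 section 8.1: only the first STS header field is processed."""
    sts_values = [v for n, v in headers if n == "strict-transport-security"]
    if not sts_values:
        return None
    return parse_sts_value(sts_values[0])


def audit_sts(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Report how many STS fields a response carries and which one takes effect.

    A count above 1 is the condition to fix at the server: the extra fields are
    dead weight at best and a sign that two layers are setting the header.
    """
    sts_values = [v for n, v in headers if n == "strict-transport-security"]
    return {
        "count": len(sts_values),
        "effective": effective_hsts_policy(headers),
        "ignored": sts_values[1:],
    }


if __name__ == "__main__":
    report = audit_sts(parse_raw_headers(SAMPLE_RAW_HEADERS))
    print(f"STS header fields seen: {report['count']}")
    print(f"Policy a browser applies: {report['effective']}")
    print(f"Ignored field values:     {report['ignored']}")
```

Run against a live site, the same audit can be fed the output of an HTTPS HEAD request; what matters for the question is the count: anything above one means a second layer (a module, reverse proxy, or load balancer in front of IIS) is also emitting the header, and the header ordering in the raw response is what decides which value a browser keeps.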