# Browser looking for https on subdomains not pointed at website

**URL:** https://discourse.roots.io/t/browser-looking-for-https-on-subdomains-not-pointed-at-website/8244
**Category:** general
**Created:** 2016-12-01T21:09:33Z
**Posts:** 3
**Showing post:** 2 of 3

## Post 2 by @fullyint — 2016-12-01T21:21:56Z

I haven’t looked into this, but I recall the thread below, which might help.

> [@LetsEncrypt Subdomain wildcard?](https://discourse.roots.io/t/letsencrypt-subdomain-wildcard/7379/4):
>
> Looks like that’s [HSTS](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) in action.
> 
> You’ll need to set `nginx_hsts_include_subdomains: false` in `group_vars/all/main.yml`.
> 
> It’s generally better security to set it which is why its our default. Why not just enable SSL though?

---

_[View the full topic](https://discourse.roots.io/t/browser-looking-for-https-on-subdomains-not-pointed-at-website/8244)._