Every subdomain — mail, app, staging, api, or any other — needs its own valid HTTPS certificate and enforcement, since a subdomain is effectively a separate destination from your main site as far as browsers and search engines are concerned.
A forgotten subdomain running on plain HTTP or an expired certificate is both a real security gap and a visible, unprofessional warning for anyone who happens to visit it.
Every active subdomain loads over HTTPS with a valid certificate, and unused ones are decommissioned.
The Security Ring turns this into a real, permanent mission — mark it complete once you have genuinely done it.
Open this mission in H.I.V.E. →