Home / Security / Confirm all subdomains are secured with HTTPS and valid certs
Transport Security · Security Ring

Confirm all subdomains are secured with HTTPS and valid certs

30-45 min Impact: medium Effort: medium ✓ Manual completion

Every subdomain — mail, app, staging, api, or any other — needs its own valid HTTPS certificate and enforcement, since a subdomain is effectively a separate destination from your main site as far as browsers and search engines are concerned.

A forgotten subdomain running on plain HTTP or an expired certificate is both a real security gap and a visible, unprofessional warning for anyone who happens to visit it.

How to do it

  1. 1
    List every subdomain you actually have
    Check your DNS records for every A, AAAA, or CNAME record pointing anywhere, not just the ones you remember actively using.
  2. 2
    Visit each one directly and check for certificate warnings
    Confirm each loads over HTTPS with a valid, trusted certificate.
  3. 3
    Fix or decommission anything broken
    Either properly secure a subdomain you are still using, or remove the DNS record entirely for one you are not.
  4. 4
    Consider a wildcard certificate
    Covers all current and future subdomains automatically, simplifying ongoing management.

Common mistakes

How you will know it is done

Every active subdomain loads over HTTPS with a valid certificate, and unused ones are decommissioned.

Track this in your hive

The Security Ring turns this into a real, permanent mission — mark it complete once you have genuinely done it.

Open this mission in H.I.V.E. →