Currently, if LiquidFiles is set to only allow HTTPS access, it sets a Strict-Transport-Security HTTP header with a max-age of a year, but without the includeSubDomains flag. To avoid the risk of another site on a subdomain of the LF installation that doesn't send HSTS headers from potentially exposing cookies set on the LF domain over HTTP, it's recommended that HSTS headers should use the includeSubDomains flag where possible. I realise this brings some risk if it is incorrectly configured when sites on subdomains do not listen on HTTPS, so I'm not suggesting this be enabled by default. Perhaps it could be an option, alongside the "HTTP or HTTPS" settings, with a suitable "here be dragons" warning? I suspect for most installations, there won't be any subdomains under the LF installation (e.g. liquidfiles.example.com is unlikely to have criticalcorporatewebsite.liquidfiles.example.com exist and not also listening on HTTPS).