SecurityStatus
Severity: high. Category: Encryption.

Subdomain SSL Coverage

Your main domain may have a perfect SSL certificate while subdomains like api., mail., or staging. run without HTTPS or with expired certificates. Each unprotected subdomain is a separate attack surface that can expose user data or serve as an entry point for attackers.

What SecurityStatus Checks

  • SSL certificate validity across discovered subdomains
  • Certificate expiry dates on each subdomain
  • Whether wildcard certificates properly cover all active subdomains
  • HTTP-only subdomains that lack any SSL configuration

Why This Matters

Subdomains are frequently forgotten after initial setup, especially staging, dev, and internal tooling subdomains. These often have weaker security configurations and may run older software. A compromise of even an internal subdomain can pivot to production systems.

How to Fix It

  1. Audit all active subdomains

     Use SecurityStatus subdomain discovery or tools like subfinder and amass to enumerate all active subdomains. Many organisations are surprised by how many they have forgotten.

  2. Issue certificates for each subdomain

     Either obtain individual certificates per subdomain or switch to a wildcard certificate (*.yourdomain.com) that covers all first-level subdomains. Let's Encrypt issues both types for free.

  3. Set up auto-renewal for all certificates

     Subdomain certificates are commonly forgotten during renewal cycles. Use a centralised certificate management solution like Certbot with a systemd timer, or a commercial service like Cloudflare, to auto-renew everything.

  4. Redirect HTTP to HTTPS on all subdomains

     Don't just install a certificate — also configure the HTTP to HTTPS redirect on each subdomain. Without the redirect, users can still access the insecure version.
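Step 4 is the one most often verified by hand, so here is an added example (not SecurityStatus code) that classifies what a subdomain's plain-HTTP port does with a request. The sample responses, the host names and the status labels are constructed for illustration; the pure function `classify_redirect` runs offline, and `probe_http` is the optional live counterpart.

```python
"""Check that a subdomain's plain-HTTP endpoint redirects to HTTPS (added example)."""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_redirect(status: int, headers: dict, host: str) -> str:
    """Classify one plain-HTTP response for `host`.

    `headers` maps lower-cased header names to values, the shape
    `probe_http` below produces.
    """
    if status not in REDIRECT_CODES:
        # The insecure version is reachable: content was served without a redirect.
        return "SERVED_OVER_HTTP"
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        # Covers http:// targets and relative Locations such as "/login".
        return "REDIRECT_NOT_HTTPS"
    if target.hostname and target.hostname != host.lower():
        # Secure, but lands on a different host; worth a look rather than a failure.
        return "HTTPS_REDIRECT_OFF_HOST"
    if status not in (301, 308):
        # Works, but temporary codes stop clients from caching the upgrade.
        return "HTTPS_REDIRECT_TEMPORARY"
    return "HTTPS_REDIRECT_OK"


def check_all(responses: dict) -> list:
    """responses: host -> (status, headers). Returns [(host, classification), ...]."""
    return [(host, classify_redirect(status, hdrs, host))
            for host, (status, hdrs) in responses.items()]


def probe_http(host: str, timeout: float = 5.0):
    """Live lookup used by the __main__ block: one GET / on port 80, no redirects followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    "api.example.com": (301, {"location": "https://api.example.com/"}),
    "www.example.com": (307, {"location": "https://www.example.com/"}),
    "mail.example.com": (200, {"content-type": "text/html"}),
    "staging.example.com": (302, {"location": "http://staging.example.com/login"}),
    "old.example.com": (301, {"location": "/"}),
    "shop.example.com": (308, {"location": "https://checkout.example.com/"}),
}

if __name__ == "__main__":
    for host, verdict in check_all(SAMPLE_RESPONSES):
        print(f"{host:24} {verdict}")
    # Live use would be: check_all({h: probe_http(h) for h in hosts})
```

Anything other than `HTTPS_REDIRECT_OK` on a host that is supposed to be secured is a finding to chase: `SERVED_OVER_HTTP` and `REDIRECT_NOT_HTTPS` are the two that leave users on the insecure version.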

Frequently Asked Questions

Does a wildcard certificate cover all subdomains?
A wildcard certificate (*.yourdomain.com) covers all first-level subdomains like app., api., mail., etc. It does NOT cover second-level subdomains like dev.api.yourdomain.com — those need separate certificates.
Should I remove unused subdomains or just leave them?
Remove them if they are not actively used. Abandoned subdomains with live DNS entries are a subdomain takeover risk even if they are not serving content.
How do I find all my subdomains?
SecurityStatus runs subdomain discovery as part of your scan. You can also check your DNS zone file, query Certificate Transparency logs at crt.sh, and use passive DNS tools.
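The checks listed under "What SecurityStatus Checks" and the wildcard rule in the FAQ above come down to a few decisions per subdomain: does anything answer TLS, does a certificate name actually cover the host (a wildcard absorbs exactly one label), and how long until it expires. The following is an added example, not SecurityStatus code, that makes those decisions over `getpeercert()`-style certificate dicts. The certificates, host names and clock value are constructed for illustration; `fetch_cert` is the optional live lookup and is not needed for the offline sample.

```python
"""Subdomain certificate coverage audit over getpeercert()-style dicts (added example)."""
import socket
import ssl
from datetime import datetime, timezone


def wildcard_matches(pattern: str, host: str) -> bool:
    """True if certificate name `pattern` covers `host`.

    Applies the rule from the FAQ: `*.example.com` matches exactly one
    label (api.example.com) and never dev.api.example.com or the apex.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]         # what the wildcard would have to absorb
    return bool(label) and "." not in label


def cert_covers(cert: dict, host: str) -> bool:
    """Check every DNS subjectAltName entry against the host."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(wildcard_matches(name, host) for name in names)


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days left; negative once expired. notAfter uses getpeercert()'s format."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def audit(subdomains, certs: dict, now: datetime, warn_days: int = 14) -> list:
    """certs: host -> cert dict, None (no TLS answered) or a failure label string.

    Returns [(host, status), ...] with one status per subdomain.
    """
    findings = []
    for host in subdomains:
        cert = certs.get(host)
        if cert is None:
            findings.append((host, "NO_TLS"))
        elif isinstance(cert, str):
            findings.append((host, cert))          # e.g. VERIFY_FAILED from fetch_cert
        elif not cert_covers(cert, host):
            findings.append((host, "NAME_MISMATCH"))
        else:
            left = days_until_expiry(cert, now)
            if left < 0:
                findings.append((host, "EXPIRED"))
            elif left < warn_days:
                findings.append((host, f"EXPIRING_IN_{left}D"))
            else:
                findings.append((host, "OK"))
    return findings


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Live lookup for the __main__ block (not used by the offline sample).

    Keeps a verifying context on purpose: with verification disabled,
    getpeercert() returns {}. A handshake that fails verification (expired,
    name mismatch, untrusted issuer) is reported as "VERIFY_FAILED".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "VERIFY_FAILED"
    except (OSError, ssl.SSLError):
        return None


# Constructed sample data; no real certificates or hosts involved.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
                 "notAfter": "Aug 30 00:00:00 2024 GMT"}
STALE_CERT = {"subjectAltName": (("DNS", "mail.example.com"),),
              "notAfter": "May 20 00:00:00 2024 GMT"}
SOON_CERT = {"subjectAltName": (("DNS", "old.example.com"),),
             "notAfter": "Jun  8 00:00:00 2024 GMT"}
SUBDOMAINS = ["api.example.com", "dev.api.example.com", "mail.example.com",
              "old.example.com", "staging.example.com", "legacy.example.com"]
SAMPLE_CERTS = {
    "api.example.com": WILDCARD_CERT,       # covered by the wildcard
    "dev.api.example.com": WILDCARD_CERT,   # second-level: wildcard does not reach it
    "mail.example.com": STALE_CERT,
    "old.example.com": SOON_CERT,
    "staging.example.com": None,            # nothing answered on 443
    "legacy.example.com": "VERIFY_FAILED",  # what fetch_cert returns on a bad handshake
}

if __name__ == "__main__":
    for host, status in audit(SUBDOMAINS, SAMPLE_CERTS, NOW):
        print(f"{host:24} {status}")
    # Live use would be: audit(hosts, {h: fetch_cert(h) for h in hosts}, datetime.now(timezone.utc))
```

The `dev.api.example.com` entry is the FAQ's point in code: the same wildcard certificate that makes `api.example.com` pass produces `NAME_MISMATCH` one level deeper, so a host that only ever receives the wildcard needs its own certificate.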
