Without understanding, I had enabled
HSTS on amerkhalid.com with option
includeSubDomains. I had a subdomain that was used as “Custom Domain” to SmugMug site. After enabling HSTS, these subdomains started to throw
The fix is of course simple, don’t use
includeSubDomains. But that opens up your top level domain to man in middle attacks.
For now, I decided to follow the best practices and leave
includeSubDomains enabled. And decided to not use custom domain for my SmugMug site.