diff --git a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
index 9c8a053ef..28e3d00a1 100644
--- a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@@ -92,6 +92,7 @@ public class WebServerSecurityConfig {
 .build();
 oauth2.authenticationManagerResolver(authManagerResolver);
 })
+ .headers(headerSpec -> headerSpec.hsts(hstsSpec -> hstsSpec.includeSubdomains(false)))
 ;
 // Integrate with other configurers separately
@@ -126,6 +127,7 @@ public class WebServerSecurityConfig {
 haloProperties.getSecurity().getReferrerOptions().getPolicy());
 })
 .cache(ServerHttpSecurity.HeaderSpec.CacheSpec::disable)
+ .hsts(hstsSpec -> hstsSpec.includeSubdomains(false))
 )
 .anonymous(spec -> spec.authenticationFilter(
 new HaloAnonymousAuthenticationWebFilter("portal", AnonymousUserConst.PRINCIPAL,
diff --git a/application/src/test/java/run/halo/app/config/SecurityConfigTest.java b/application/src/test/java/run/halo/app/config/SecurityConfigTest.java
new file mode 100644
index 000000000..2c7257ccd
--- /dev/null
+++ b/application/src/test/java/run/halo/app/config/SecurityConfigTest.java
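Review bot: The added `.headers(headerSpec -> headerSpec.hsts(hstsSpec -> hstsSpec.includeSubdomains(false)))` in the first hunk is repeated verbatim as `.hsts(hstsSpec -> hstsSpec.includeSubdomains(false))` in the portal chain in the second hunk, and neither line records why the `includeSubDomains` directive is being switched off, so a later reader cannot tell whether this is intended policy or a workaround that should be reverted. Dropping the directive narrows the policy: browsers keep enforcing HTTPS for this host, but any service on a sibling subdomain is no longer covered by this header, which is worth stating explicitly with a why-comment above the line such as `// HSTS is scoped to this host only; subdomains are deliberately not covered (see <issue placeholder>)`. To keep the two chains from drifting apart, the policy could live in one place, e.g. `private static final Customizer<ServerHttpSecurity.HeaderSpec.HstsSpec> HSTS = hsts -> hsts.includeSubdomains(false);` used as `.headers(h -> h.hsts(HSTS))` in both chains. Note also that Spring Security only writes this header on requests it treats as secure, so behind a TLS-terminating proxy the setting takes effect only when forwarded-header handling is enabled; that is not visible here and is better confirmed in deployment docs than in this class. The enclosing bean method begins and ends outside both hunks.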
@@ -0,0 +1,39 @@
+package run.halo.app.config;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.springframework.security.web.server.header.StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+@SpringBootTest
+@AutoConfigureWebTestClient
+class SecurityConfigTest {
+
+ @Autowired
+ WebTestClient webClient;
+
+ @Test
+ void shouldNotIncludeSubdomainForHstsHeader() {
+ webClient.get()
+ .uri(builder -> builder.scheme("https").path("/fake").build())
+ .accept(MediaType.TEXT_HTML)
+ .exchange()
+ .expectHeader()
+ .value(STRICT_TRANSPORT_SECURITY,
+ hsts -> assertFalse(hsts.contains("includeSubDomains")));
+
+ webClient.get()
+ .uri(builder -> builder.scheme("https").path("/apis/fake").build())
+ .accept(MediaType.APPLICATION_JSON)
+ .exchange()
+ .expectHeader()
+ .value(STRICT_TRANSPORT_SECURITY,
+ hsts -> assertFalse(hsts.contains("includeSubDomains")));
+ }
+
+}
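Review bot: Both assertions in `shouldNotIncludeSubdomainForHstsHeader` only check that the header value does not contain `includeSubDomains`, so they say nothing about the rest of the policy the change is meant to preserve — an empty or otherwise malformed `Strict-Transport-Security` value would pass the same `assertFalse`. Consider pinning the positive shape too, e.g. `hsts -> { assertTrue(hsts.startsWith("max-age=")); assertFalse(hsts.contains("includeSubDomains")); }` (with an `assertTrue` static import), and `assertFalse(hsts.contains("preload"))` if preload is not intended either. Whether `expectHeader().value(...)` fails when the header is absent is not visible from this file; if it does not, an explicit `.exists(STRICT_TRANSPORT_SECURITY)` before `.value(...)` makes the intent unambiguous. The two request chains differ only in path and `Accept`, so a single parameterized test over the two (path, media type) pairs would remove the duplication, though that is a matter of style.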