diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index f1b2678b0d..9edc2aaade 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -661,6 +661,7 @@
 sslonly: true
 cert_name: "{{wildcard_cert_name}}"
 SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
+stssubdomains: false
 tags:
 - id.fedoraproject.org
@@ -670,6 +671,7 @@
 - "*.id.fedoraproject.org"
 # Must not be sslonly, because example.id.fedoraproject.org must be reachable
 # via plain http for openid identity support
+sslonly: false
 cert_name: wildcard-2017.id.fedoraproject.org
 SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
 tags:
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index 8ad299dd7a..3bc85e5b70 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -9,3 +9,4 @@ ssl: true
 sslonly: false
 SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
 gzip: false
+stssubdomains: true
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index f66c349295..81a476b5a5 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -55,7 +55,7 @@
 SSLCipherSuite {{ ssl_ciphers }}
 {% if sslonly %}
-Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
+Header always add Strict-Transport-Security "max-age=15768000; {% if stssubdomains %}includeSubDomains; {% endif %}preload"
 {% endif %}
 Include "conf.d/{{ name }}/*.conf"
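Review bot: The new `stssubdomains: false` on the id.fedoraproject.org entry carries no explanation, while the reason it exists (subdomains such as example.id.fedoraproject.org must stay reachable over plain http for openid) is only written on the separate `*.id.fedoraproject.org` entry in the next hunk. Someone reading this entry alone sees a deliberately weakened HSTS policy on an identity provider with no justification, which is exactly the kind of line a later hardening pass would "fix". Add a comment directly above it: `# *.id.fedoraproject.org must stay reachable over plain http for openid, so do not send includeSubDomains`. The entry's `role:` line and the rest of its variables lie outside the hunk.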
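Review bot: The added `sslonly: false` restates the role default that `roles/httpd/website/defaults/main.yml` already sets (visible in this same commit), so its effect here is to pin the value rather than change it; the existing comment explains why plain http is needed but not that the line is an intentional duplicate of the default. Extend the comment so a cleanup does not strip it as redundant, e.g. `# Set explicitly so a change to the role default cannot silently turn on HSTS here`. The surrounding entry starts and ends outside the hunk.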
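Review bot: The new role variable `stssubdomains: true` is undocumented, and its coupling to `sslonly` is not visible from this file: in `website.conf` the Strict-Transport-Security header is only rendered inside `{% if sslonly %}`, so the flag does nothing unless `sslonly` is also true. Add a comment above it: `# Add includeSubDomains to the HSTS header (only sent when sslonly is true); set false for sites whose subdomains must serve plain http`. Defaulting to true keeps the stricter policy for every site that does not opt out, which is the right default.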
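Review bot: The rewritten header still emits `preload` when `stssubdomains` is false, yielding `max-age=15768000; preload`; the HSTS preload list's published requirements demand `includeSubDomains`, so the `preload` token is meaningless in that case, and conversely a domain that is already on the preload list keeps includeSubDomains enforced in browsers no matter what this header says. If the intent is to keep subdomains of id.fedoraproject.org reachable over plain http, tie both tokens to the flag: `Header always add Strict-Transport-Security "max-age=15768000{% if stssubdomains %}; includeSubDomains; preload{% endif %}"`, and confirm whether the domain has already been submitted to the preload list before relying on this override at all. The enclosing `<VirtualHost>` block starts and ends outside the hunk.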