by ivanr 4435 days ago
Well, it depends. You shouldn't include subdomains if you have some that do not support HTTPS. That would be an instant self-inflicted denial of service attack.

However, for best security, you must include subdomains. Because the cookie specification is very lax, any subdomain can inject cookies into your otherwise protected (with TLS and HSTS) site. This injection, which will be seen as unexpected by developers, might be used as an attack vector. Note that, even if you don't have any subdomains, a MITM -- who controls the wire and thus the DNS -- can always make up arbitrary names and then inject from them. There are other smaller attack vectors that can be abused unless the entire domain name (e.g., example.com) is under HSTS.
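The two checks a site operator would want before flipping `includeSubDomains` on, written up as an added example that is not part of the comment above: an HSTS header parser (RFC 6797 syntax), a pre-deployment check listing which covered hostnames are not known to serve HTTPS (the "self-inflicted denial of service" case), and RFC 6265 cookie domain-matching to show why a `Domain=example.com` cookie set from any subdomain is sent to the protected host. All hostnames are constructed sample data; the function names are my own.

```python
"""Added example: checks around HSTS includeSubDomains and cookie scope.

Not code from the Hacker News thread. Hostnames below are constructed.
"""
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive; unknown directives are ignored
    (RFC 6797 section 6.1). max-age is mandatory.
    """
    max_age = None
    include = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"bad max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("HSTS header must carry max-age")
    return HstsPolicy(max_age, include, preload)


def covered_by(policy_host: str, host: str, include_subdomains: bool) -> bool:
    """Is `host` subject to an HSTS policy issued by `policy_host`?"""
    policy_host = policy_host.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if host == policy_host:
        return True
    return include_subdomains and host.endswith("." + policy_host)


def subdomains_without_https(policy_host, all_hosts, https_hosts, policy):
    """Hosts the policy would cover that are NOT known to answer on HTTPS.

    Anything returned here would become unreachable in browsers once the
    policy is cached, so the list must be empty before enabling
    includeSubDomains.
    """
    ok = {h.lower() for h in https_hosts}
    return sorted(
        h for h in all_hosts
        if covered_by(policy_host, h, policy.include_subdomains)
        and h.lower() not in ok
    )


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching (hostnames only, no IP literals).

    A cookie whose Domain attribute is example.com matches www.example.com,
    so a subdomain can set cookies that the main site will receive.
    """
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


# Constructed inventory: every name the operator knows about, and the subset
# that has a working TLS listener.
ALL_HOSTS = ["example.com", "www.example.com", "api.example.com", "legacy.example.com"]
HTTPS_HOSTS = ["example.com", "www.example.com", "api.example.com"]


if __name__ == "__main__":
    policy = parse_hsts("max-age=31536000; includeSubDomains; preload")
    print("would break:", subdomains_without_https("example.com", ALL_HOSTS, HTTPS_HOSTS, policy))
    # A cookie scoped to Domain=example.com, wherever it was set, reaches www.
    print("Domain=example.com reaches www:", cookie_domain_matches("example.com", "www.example.com"))
```

The inventory check only catches hosts you know about; as the comment notes, an active network attacker can still make up names under the zone, which is why the policy has to cover the whole domain rather than an enumerated list.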