we have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:

https://dev.tokeeen.com/app_dev.php/my-habits

Event if the host is set to 127.0.0.1

127.0.0.1    dev.tokeeen.com

Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.

You are currently setting this on your main site:

Strict-Transport-Security   max-age=63072000; includeSubDomain

If you change this to remove the includeSubDomain bit then it will only apply to your top level domain and not the dev sub domain:

Strict-Transport-Security   max-age=63072000;

You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.

However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).

But to be honest you should just use https on you’re dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.

You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.

You have to get yourself a wildcard certificate as the ssl certificate is only for that domain. That's the whole point of having a secure site.

I'm not sure what server system you are using but in case you don't want to use wildcards and are ok with less secure, you can bind the other domains to port 80 with the binding type http`