Use Strict-Transport-Security includeSubDomains; preload (#9050)

sigurdm · web-flow · commit 2faf5f175345 · 2025-11-06T09:49:22.000+01:00
diff --git a/app/lib/shared/handler_helpers.dart b/app/lib/shared/handler_helpers.dart
@@ -274,7 +274,7 @@ shelf.Handler _httpsWrapper(shelf.Handler handler) {
       rs = rs.change(
         headers: {
           'strict-transport-security':
-              'max-age=${_hstsDuration.inSeconds}; preload',
+              'max-age=${_hstsDuration.inSeconds}; includeSubDomains; preload',
         },
       );
     }
diff --git a/pkg/image_proxy/lib/image_proxy_service.dart b/pkg/image_proxy/lib/image_proxy_service.dart
@@ -30,7 +30,7 @@ Map<String, String> securityHeaders = {
   'X-Content-Type-Options': 'nosniff',
   'Content-Security-Policy':
       "default-src 'none'; img-src data:; style-src 'unsafe-inline'",
-  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
 };
 
 /// Ensure that [allowedKeys] contains keys for today and the two surrounding

Original file line number	Diff line number	Diff line change
`@@ -274,7 +274,7 @@ shelf.Handler _httpsWrapper(shelf.Handler handler) {`
`274`	`274`	`rs = rs.change(`
`275`	`275`	`headers: {`
`276`	`276`	`'strict-transport-security':`
`277`		`- 'max-age=${_hstsDuration.inSeconds}; preload',`
	`277`	`+ 'max-age=${_hstsDuration.inSeconds}; includeSubDomains; preload',`
`278`	`278`	`},`
`279`	`279`	`);`
`280`	`280`	`}`