From 8aee9784882c26174a1664fe0ba6878f07c83c8a Mon Sep 17 00:00:00 2001
From: Sigurd Meldgaard
Date: Mon, 3 Nov 2025 11:46:57 +0000
Subject: [PATCH] Use Strict-Transport-Security includeSubDomains; preload
---
 app/lib/shared/handler_helpers.dart | 2 +-
 pkg/image_proxy/lib/image_proxy_service.dart | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/lib/shared/handler_helpers.dart b/app/lib/shared/handler_helpers.dart
index 26aa1fd07b..0b709cc813 100644
--- a/app/lib/shared/handler_helpers.dart
+++ b/app/lib/shared/handler_helpers.dart
@@ -274,7 +274,7 @@ shelf.Handler _httpsWrapper(shelf.Handler handler) {
 rs = rs.change(
 headers: {
 'strict-transport-security':
- 'max-age=${_hstsDuration.inSeconds}; preload',
+ 'max-age=${_hstsDuration.inSeconds}; includeSubDomains; preload',
 },
 );
 }
diff --git a/pkg/image_proxy/lib/image_proxy_service.dart b/pkg/image_proxy/lib/image_proxy_service.dart
index d765efae78..aa66a947f0 100644
--- a/pkg/image_proxy/lib/image_proxy_service.dart
+++ b/pkg/image_proxy/lib/image_proxy_service.dart
@@ -30,7 +30,7 @@ Map securityHeaders = {
 'X-Content-Type-Options': 'nosniff',
 'Content-Security-Policy': "default-src 'none'; img-src data:; style-src 'unsafe-inline'",
- 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+ 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
 };
 /// Ensure that [allowedKeys] contains keys for today and the two surrounding
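Review bot: The `includeSubDomains` added to the header in `_httpsWrapper` (app/lib/shared/handler_helpers.dart) extends the HSTS policy to every subdomain of the host that serves this response, and nothing in the hunk records that all of them are HTTPS-only. A browser that has cached the policy will refuse plain-HTTP or certificate-error access to any subdomain for `_hstsDuration`, and a preload-list entry takes much longer to withdraw than a header change. `_hstsDuration` is defined outside the hunk; preload-list submission requires a max-age of at least one year (31536000 seconds), so it is worth confirming the constant meets that. I would add a comment above the header entry such as `// HSTS preload: needs max-age >= 1 year and HTTPS on every subdomain; removal from the preload list is slow.` The enclosing function starts and ends outside the hunk.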
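Review bot: The `Strict-Transport-Security` entry in `securityHeaders` (pkg/image_proxy/lib/image_proxy_service.dart) hard-codes `max-age=31536000`, while the app handler in handler_helpers.dart derives its value from `_hstsDuration`, so the two policies can drift apart without anyone noticing. Separately, `preload` is only acted on for the registrable domain submitted to the preload list; if the image proxy is served from its own domain (not visible here), this header declares consent to preload that domain and all of its subdomains, which should be a deliberate decision. A comment on the entry would record both points, e.g. `// Keep in sync with the main app's HSTS policy; preload commits the whole domain to HTTPS.` The `securityHeaders` literal opens above the hunk.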