Directly specify preload for Strict-Transport-Security

For most browsers, this is usually implied by the header itself;
however, for HSTS to be effective you need to submit your root domain to
hstspreload.org. If "preload" is not in the header, it will reject your
domain.

Signed-off-by: r3g_5z <june@terezi.dev>
r3g_5z 2022-11-19 23:48:49 -05:00
parent 828e0f56c5
commit c08ee3edb2
2 changed files with 2 additions and 2 deletions


@ -167,7 +167,7 @@ http protocol plerup { # Protocol for upstream akkoma server
match response header append "Referrer-Policy" value "same-origin"
match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
match request header append "Connection" value "upgrade"
#match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains" # Uncomment this only after you get HTTPS working.
#match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working.
# If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines
match response header append "Access-Control-Allow-Origin" value "*"
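
Review bot: the trailing comment on the new Strict-Transport-Security line still reads "Uncomment this only after you get HTTPS working", which understates what the value now commits an admin to. With "includeSubDomains; preload" the header covers the root domain and every subdomain and signals consent to the preload submission the commit message describes, so the comment should say that this line is only appropriate when the root domain and all of its subdomains serve HTTPS. Admins who run the instance on a subdomain, or who share the domain with other services, should be told to drop "; preload" before uncommenting.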


@ -238,7 +238,7 @@ defp maybe_send_sts_header(conn, true) do
max_age_sts = Config.get([:http_security, :sts_max_age])
merge_resp_headers(conn, [
{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}
{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
])
end
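
Review bot: in maybe_send_sts_header the "; preload" token is now hardcoded into the header value, while the max-age next to it comes from Config.get([:http_security, :sts_max_age]). Every instance with STS enabled will therefore send preload with no way to opt out, whatever sts_max_age is configured to. Consider reading a boolean from the same :http_security config group, defaulting to off, and appending "; preload" only when it is set, and document that setting alongside sts_max_age.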