From c08ee3edb2ac2a4029448fa9f4971722eb1d3566 Mon Sep 17 00:00:00 2001
From: r3g_5z
Date: Sat, 19 Nov 2022 23:48:49 -0500
Subject: [PATCH] Directly specify preload for Strict-Transport-Security

For most browsers, this is usually implied by the header itself, however for HSTS to be effective you need to submit your root domain to hstspreload.org. If "preload" is not in the header, it will reject your domain.

Signed-off-by: r3g_5z
---
 docs/docs/installation/openbsd_en.md | 2 +-
 lib/pleroma/web/plugs/http_security_plug.ex | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md
index 8b2c459dc..a62421ee4 100644
--- a/docs/docs/installation/openbsd_en.md
+++ b/docs/docs/installation/openbsd_en.md
@@ -167,7 +167,7 @@ http protocol plerup { # Protocol for upstream akkoma server
 match response header append "Referrer-Policy" value "same-origin"
 match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
 match request header append "Connection" value "upgrade"
- #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains" # Uncomment this only after you get HTTPS working.
+ #match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working.
 # If you do not want remote frontends to be able to access your Akkoma backend server, comment these lines
 match response header append "Access-Control-Allow-Origin" value "*"
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 393ff58d3..9e76ebd84 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -238,7 +238,7 @@ your instance and your users via malicious posts:
 max_age_sts = Config.get([:http_security, :sts_max_age])
 merge_resp_headers(conn, [
- {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"}
+ {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
 ])
 end
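Review bot: Emitting `preload` unconditionally on the new `strict-transport-security` line makes every STS-enabled instance signal consent to preload-list inclusion, while the preload requirements are only partly guaranteed here: `max_age_sts` comes from `Config.get([:http_security, :sts_max_age])` and can be set below the one-year minimum the list requires, and nothing checks that the instance is served on its registrable domain. Inclusion is also effectively irreversible and browsers do not act on the token by themselves (it is only read during submission), so operators who never submit gain nothing and those who later want to leave the list cannot. I'd gate the token on an explicit opt-in, e.g. `sts = "max-age=#{max_age_sts}; includeSubDomains"` / `sts = if Config.get([:http_security, :sts_preload], false), do: sts <> "; preload", else: sts` (`:sts_preload` is a proposed new key, not one that exists on this page), and document the max-age and root-domain requirements next to it. The same consideration applies to the example header in the openbsd_en.md hunk. The head of the enclosing function is outside this hunk.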