----- Original Message ----- > There is a non-standard preload token that Google requires to get onto > Chrome's HSTS preload list[0] which is also used by Firefox. Any chance > of supporting this? Or is its omission a conscious decision? > > > [0] https://hstspreload.appspot.com/ > >
FWIW, from my experience, the preload token presence is not yet enforced. Having "Strict-Transport-Security: max-age=31536000; includeSubDomains" is just enough. -- Marco Bonetti