From b8413bd37a4e0755660ffe88ec1bbefbfab089c5 Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Wed, 30 Aug 2023 10:26:40 +0200
Subject: [PATCH] Documentation: Update suggested default for HSTS (remove preload by default) and link to hstspreload.org - refs BT#20965
---
main/install/configuration.dist.php | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index a1982c1647..181c3d3077 100644
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -577,9 +577,11 @@ ALTER TABLE sys_announcement ADD COLUMN visible_boss INT DEFAULT 0;
 // HTTP Strict Transport Security is an excellent feature to support on your
 // site and strengthens your implementation of TLS by getting the User Agent
 // to enforce the use of HTTPS. Recommended value
-// "strict-transport-security: max-age=63072000; includeSubDomains; preload".
+// "strict-transport-security: max-age=63072000; includeSubDomains".
 // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-//$_configuration['security_strict_transport'] = 'strict-transport-security: max-age=63072000; includeSubDomains; preload';
+// You can include the "preload" suffix, but this has consequences on the
+// top level domain (TLD), so probably not to be done lightly. See https://hstspreload.org/.
+//$_configuration['security_strict_transport'] = 'strict-transport-security: max-age=63072000; includeSubDomains';
 //
 // Content Security Policy is an effective measure to protect your site from
 // XSS attacks. By whitelisting sources of approved content, you can prevent
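Review bot: The added comment "this has consequences on the top level domain (TLD)" misdescribes what preloading does: a preload-list entry covers the whole registrable domain and every subdomain under it, not the TLD, and because browsers ship the list built in, getting an entry removed is slow, which is the real reason it should not be done lightly. Submission to hstspreload.org also requires `includeSubDomains` and a `max-age` of at least one year, so the suggested 63072000 value still qualifies if an admin later decides to opt in. Suggest rewording the two added comment lines to `// You can add "preload" to be included in browsers' built-in HSTS lists, but that commits the whole domain and` / `// every subdomain to HTTPS and is slow to undo, so do not do it lightly. See https://hstspreload.org/.`. It would also help to note next to the recommended value that `includeSubDomains` alone already forces every subdomain to HTTPS for the full max-age, so all subdomains should serve valid TLS before this is enabled.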