On Sat, 18 Jul 2015, at 12:14 PM, Florian Obser wrote: > OK? > > diff --git httpd.conf.5 httpd.conf.5 > index b3eaad8..bfca29f 100644 > --- httpd.conf.5 > +++ httpd.conf.5 > @@ -262,6 +262,18 @@ root directory of > .Xr httpd 8 > and defaults to > .Pa /run/slowcgi.sock . > +.It Ic hsts Oo Ar option Oc > +Enable HTTP Strict Transport Security. > +Valid options are: > +.Bl -tag -width Ds > +.It Ic max-age Ar seconds > +Set the maximum time in seconds a receiving user agent should regard > +this host as a HSTS host. > +The default is one year. > +.It Ic subdomains > +Signal to the receiving user agent that this host and all sub domains > +of the host's domain should be considered HSTS hosts. > +.El
There is a non-standard preload token that Google requires to get onto Chrome's HSTS preload list[0] which is also used by Firefox. Any chance of supporting this? Or is its omission a conscious decision? [0] https://hstspreload.appspot.com/
