HSTS should not include preload directive #2269

ruffy91 · 2025-10-14T19:45:17Z

ruffy91
Oct 14, 2025

Is it possible to disable the including of the preload and includeSubDomains directives when enabling HSTS?

A default HSTS policy should never include the preload directive, as this will allow anyone to submit a donmain to https://hstspreload.org/ which will include the domain in future browser versions as a hardcoded list.
It is very cumbersome and can take months to get a domain off this list.

Because of this https://hstspreload.org/ recommends to not include preload in any default HSTS setting.

Answered by mdecimus

Oct 23, 2025

Thanks, fixed.

View full answer

mdecimus · 2025-10-23T14:39:07Z

mdecimus
Oct 23, 2025
Maintainer

Thanks, fixed.

1 reply

ruffy91 Oct 25, 2025
Author

Thank you. I really appreciate this project. it allows me to host my and my family email myself

TommyTran732 · 2025-10-26T20:06:37Z

TommyTran732
Oct 26, 2025

Is there a way to include this directive without needing a reverse proxy? I will never run anything without HTTPS so it would be nice to have an option to add this back

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Uh oh!

HSTS should not include preload directive #2269

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Uh oh!

HSTS should not include preload directive #2269

Uh oh!

ruffy91 Oct 14, 2025

Replies: 2 comments · 1 reply

Uh oh!

mdecimus Oct 23, 2025 Maintainer

Uh oh!

ruffy91 Oct 25, 2025 Author

Uh oh!

TommyTran732 Oct 26, 2025

ruffy91
Oct 14, 2025

Replies: 2 comments 1 reply

mdecimus
Oct 23, 2025
Maintainer

ruffy91 Oct 25, 2025
Author

TommyTran732
Oct 26, 2025