Don't include `preload` flag in sample HSTS header

This goes against the recommendations (preloading should be opt-in). Putting it in the example makes it likely that people enable it without knowing what it means.

https://hstspreload.org/?domain=peertube.social#opt-in

diff --git a/support/nginx/peertube b/support/nginx/peertube
index 5d97c0cf1b2c474cffa1ef8114bafe6676eb05ee..0da427037bd720235899aa35d0a43f5a60fe61fa 100644 (file)
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -48,7 +48,7 @@ server {
   # Tells browsers to stick with HTTPS and never visit the insecure HTTP
   # version. Once a browser sees this header, it will only visit the site over
   # HTTPS for the next 2 years: (read more on hstspreload.org)
-  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
   access_log /var/log/nginx/peertube.example.com.access.log;
   error_log /var/log/nginx/peertube.example.com.error.log;