id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
26947	Support appending the 'preload' directive to the HSTS header	Ed Morley	Ed Morley	"Django currently supports enabling the `Strict-Transport-Security` header, including specifying whether the `includeSubDomains` directive should be included within it:
https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-SECURE_HSTS_SECONDS
https://docs.djangoproject.com/en/1.9/ref/settings/#secure-hsts-include-subdomains

However, there is currently no way to append the `preload` directive to that header, which is required to indicate that the site owner consents to the HSTS header being added to browsers' pre-loaded list of sites that should only be accessed over HTTPS:
https://hstspreload.appspot.com/
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security#Preloading_Strict_Transport_Security
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet#Examples

I propose the addition of a new preference named `SECURE_HSTS_PRELOAD` that enables the directive, and behaves in a similar manner to defining `SECURE_HSTS_INCLUDE_SUBDOMAINS`.

I'll open a PR shortly :-)"	New feature	closed	HTTP handling	dev	Normal	fixed	hsts preload		Accepted	1	0	0	0	0	0
