From b0627444f066690c88d12b537253bbeb3fd5fca8 Mon Sep 17 00:00:00 2001 From: Ainar Garipov Date: Wed, 30 Aug 2023 18:57:47 +0300 Subject: [PATCH] Pull request 181: 2998-hsts Squashed commit of the following: commit 33f2a2f08b43dfe700703ad65e3d7a5b29bea309 Author: Ainar Garipov Date: Wed Aug 30 18:50:06 2023 +0300 Encryption: imp hsts doc commit 2d5f3155eb2d55a5654e3ba45872152175cedf76 Author: Ainar Garipov Date: Wed Aug 30 18:38:42 2023 +0300 Configuration: HSTS --- Configuration.md | 16 ++++++++++------ Encryption.md | 7 ++++--- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/Configuration.md b/Configuration.md index 51105bd..e443f78 100644 --- a/Configuration.md +++ b/Configuration.md @@ -651,6 +651,9 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib Must match one of the DNS Names in the certificate. - `force_https`: If `true`, force HTTP-to-HTTPS redirect. + + **Since v0.107.37,** this setting also sets the + [`Strict-Transport-Security`][hsts] header. - `port_https`: The HTTPS port. Used for both web UI and DNS-over-HTTPS. If `0`, HTTPS is disabled. - `port_dns_over_tls`: The DNS-over-TLS port. If `0`, DNS-over-TLS is 
@@ -718,13 +721,14 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib Removing an entry from settings file will reset it to the default value. Deleting the file will reset all settings to the default values. -[DHCP]: https://github.com/AdguardTeam/AdGuardHome/wiki/DHCP -[DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt +[DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html +[DHCP]: https://github.com/AdguardTeam/AdGuardHome/wiki/DHCP +[DNSCrypt]: https://github.com/AdguardTeam/AdGuardHome/wiki/DNSCrypt +[`dnscrypt`]: https://github.com/ameshkov/dnscrypt [docker-conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Docker#configuration -[`dnscrypt`]: https://github.com/ameshkov/dnscrypt -[DDR]: https://www.ietf.org/archive/id/draft-ietf-add-ddr-06.html -[tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants -[rfc6147]: https://datatracker.ietf.org/doc/html/rfc6147 +[hsts]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +[rfc6147]: https://datatracker.ietf.org/doc/html/rfc6147 +[tls-names]: https://pkg.go.dev/crypto/tls#pkg-constants diff --git a/Encryption.md b/Encryption.md index 902062b..e7cc431 100644 --- a/Encryption.md +++ b/Encryption.md 
@@ -217,13 +217,14 @@ Other HTTP headers may be supported by AdGuard Home in the future. However, any headers-related feature requests should first be tried to be resolved by configuring the reverse proxy itself. -For example, to implement the [HTTP Strict Transport Security][hsts] mechanism, -something like the following piece of configuration might be used: +For example, to modify the [HTTP Strict Transport Security][hsts] mechanism to +include the experimental `preload` directive, something like the following piece +of configuration might be used: ```nginx location /dns-query { # … - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # … } ```
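Review bot: On the first Configuration.md hunk (`force_https`), the new sentence says the setting "also sets the Strict-Transport-Security header" but does not state the value it sends (the `max-age` and whether `includeSubDomains` is present). Since HSTS makes browsers refuse plain HTTP for the whole `max-age` window, operators need that value in the docs, and a short note that turning `force_https` back off does not clear a policy browsers have already cached. Suggest appending something like "The header is sent with `max-age=…` (placeholder: fill in the actual value AdGuard Home uses)."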
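Review bot: In the second Configuration.md hunk (`-718,13 +721,14`), the only functional change is the added `[hsts]:` reference definition; the other seven lines are a reorder of unchanged link definitions into alphabetical order. Mixing that reorder into the same hunk makes the review noisier than needed; if the sort is intended, a one-line mention in the commit message would make it clear the other URLs are moved, not changed.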
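Review bot: In the Encryption.md hunk, the rewritten paragraph does not say what happens when AdGuard Home already sends `Strict-Transport-Security` (per the `force_https` change in this same patch) and nginx adds a second one with `add_header ... always`: the client then receives two HSTS headers. The section should say whether the proxy is expected to hide or replace the upstream header (for example with `proxy_hide_header Strict-Transport-Security;` before the `add_header` line) so that only the version with `preload` reaches the browser. Wording nit: "to modify the [HTTP Strict Transport Security][hsts] mechanism to include" reads awkwardly; "to extend the [HTTP Strict Transport Security][hsts] header with" says the same thing more plainly.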