0ccf0fbf1c
**HSTS Preloading:** In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` **X-Xss-Protection:** `1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.