diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index 1dec4fdad..b17a0a711 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -78,12 +78,12 @@ these are rarely used for various reasons.
## Web security aspects
| config file | environment | **default** and example value | description |
-| ----------------------------- | ------------------------------ |-------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|-------------------------------|--------------------------------|-------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `hsts` | | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
| | `CMD_HSTS_ENABLE` | **`true`** or `false` | set to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) if HTTPS is also enabled (default is ` true`) |
-| | `CMD_HSTS_INCLUDE_SUBDOMAINS` | **`true`** or `false` | set to include subdomains in HSTS (default is `true`) |
+| | `CMD_HSTS_INCLUDE_SUBDOMAINS` | **`true`** or `false` | set to include subdomains in HSTS (default is `false`) |
| | `CMD_HSTS_MAX_AGE` | **`31536000`**, `60 * 60 * 24 * 365` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
-| | `CMD_HSTS_PRELOAD` | **`true`** or `false` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
+| | `CMD_HSTS_PRELOAD` | `true` or **`false`** | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `csp` | | `{"enable": true, "addDefaults": true}` | Nested object to configure the Content Security Policy |
| `csp.enable` | `CMD_CSP_ENABLE` | **`true`** or `false` | Whether to apply a `Content-Security-Policy` header to responses. We don't recommend disabling this option, as it significantly reduces the security of the application. |
| `csp.addDefaults` | | **`true`** or `false` | Disable to not include the default CSP. Be careful, this will break the application if the correct directives are not set manually. |
@@ -95,7 +95,7 @@ these are rarely used for various reasons.
| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow embedding of the instance via iframe. We **strongly recommend disabling** this option, as it increases the attack surface of XSS attacks. |
| `csp.allowPDFEmbed` | `CMD_CSP_ALLOW_PDF_EMBED` | **`true`** or `false` | Disable to disallow embedding PDFs. We recommend disabling this option, as it increases the attack surface of XSS attacks. |
| `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. |
-| `rateLimitNewNotes` | `CMD_RATE_LIMIT_NEW_NOTES` | **`20`**, `0` or any positive number | Sets the maximum amount of new note creations per 5-minute window per user. Can be disabled by setting to `0`. |
+| `rateLimitNewNotes` | `CMD_RATE_LIMIT_NEW_NOTES` | **`20`**, `0` or any positive number | Sets the maximum amount of new note creations per 5-minute window per user. Can be disabled by setting to `0`. |
## Privacy and External Requests
diff --git a/lib/config/default.js b/lib/config/default.js
index 34c65c9c5..6fffd20d9 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -15,7 +15,7 @@ module.exports = {
enable: true,
maxAgeSeconds: 60 * 60 * 24 * 365,
includeSubdomains: true,
- preload: true
+ preload: false
},
csp: {
enable: true,
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index ade8a1901..295fb4856 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -2,13 +2,18 @@
## 1.x.x UNRELEASED
-### Features
+This release changes the default configuration of the HSTS preload attribute to false for compliance with the
+HSTS preload list requirements. This shouldn't impact any instance. However, if you intend to use HSTS preloading
+you should enable the config setting `hsts.preload` or set environment variable `CMD_HSTS_PRELOAD=true`.
+
+### Enhancements
- Add fixed rate-limiting to the login and register endpoints
- Add configurable rate-limiting to the new notes endpoint
### Bugfixes
- Fix a crash when cannot read user profile in Oauth
- Fix CSP Header for mermaid embedded images ([#5887](https://github.com/hedgedoc/hedgedoc/pull/5887) by [@domrim](https://github.com/domrim))
+- Change default of HSTS preload to false for compliance with the HSTS preload list requirements
## 1.10.0 2024-09-01