From a86a02c49b29d5b5a5d32eb8c6162960af1304d8 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Fri, 6 Jan 2017 19:35:04 -0500
Subject: [PATCH] Fix #727 - HSTS: default preload to off

The HSTS `preload` option defaulted to true. This turns it off by
default since the HSTS preload list should be opt-in as it also requires
a submission to https://hstspreload.org.
---
 CHANGELOG.md                  | 1 +
 roles/nginx/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 762001c30d..0606157d68 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* [BREAKING] Fix #727 - HSTS: default preload to off ([#728](https://github.com/roots/trellis/pull/728))
 * `Vagrantfile`: add automatic support for landrush ([#724](https://github.com/roots/trellis/pull/724))
 * Suppress extra output in SSL certificates ([#723](https://github.com/roots/trellis/pull/723))
 * Fix #718 - improve method of updating theme paths ([#720](https://github.com/roots/trellis/pull/720))
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 0f63702625..a77ecfb80d 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -9,7 +9,7 @@ nginx_ssl_path: "{{ nginx_path }}/ssl"
 # HSTS defaults
 nginx_hsts_max_age: 31536000
 nginx_hsts_include_subdomains: true
-nginx_hsts_preload: true
+nginx_hsts_preload: false
 
 # Fastcgi cache params
 nginx_cache_path: /var/cache/nginx