From a0966bd9a092fb14b65d4e7ce9a4a0f14be560e9 Mon Sep 17 00:00:00 2001
From: Josh Grossman <tghosth@users.noreply.github.com>
Date: Mon, 6 May 2024 18:11:08 +0300
Subject: [PATCH] Add a recommendation on the HSTS preload list to resolve
 #1941

---
 5.0/en/0x99-Appendix-X_Recommendations.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/5.0/en/0x99-Appendix-X_Recommendations.md b/5.0/en/0x99-Appendix-X_Recommendations.md
index b5fcc81ad8..05b2730c1d 100644
--- a/5.0/en/0x99-Appendix-X_Recommendations.md
+++ b/5.0/en/0x99-Appendix-X_Recommendations.md
@@ -14,6 +14,7 @@ The following items are in-scope for ASVS. We don't think they should be made ma
 * Create a publicly available security.txt file at the root or .well-known directory of the application that clearly defines a link or e-mail address for people to contact owners about security issues.
 * Client-side input validation should be enforced in addition to validation at a trusted service layer as this provides a good opportunity to discover when someone has bypassed client-side controls in an attempt to attack the application.
 * Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, the X-Robots-Tag response header or a robots html meta tag.
+* Submit highly-sensitive applications to the HSTS preload list so that the use of TLS for the application will be built into the main browsers rather than relying on the relevant HTTP response header.
 
 ## Software Security processes