Security: Use HSTS preload

[delisma]

Describe the bug
Add our site to the HSTS preload list so HSTS is active for our site in browsers by default. Our HSTS policy is only active in a browser after that browser sees a response from our site with an HSTS response header. This means new visitors will be vulnerable to exploits if they initially visit our site using an insecure HTTP URL. To eliminate this attack vector, add site to the "HSTS preload list" so browsers will apply HSTS to a site by default even before a first visit. To add our site to the list, our Strict-Transport-Security header for all responses on all subdomains should have a max-age setting of at least 1 year (31,536,000 seconds) and both the includeSubDomains and preload options should be set. The header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload meets these requirements. Take care to get the capitalisation right for each option such as for includeSubDomains.

To Reproduce
Preload set: None
Include subdomains: None
HSTS expiry: 31,536,000

Expected behavior
Once this is done, we can submit our site to https://hstspreload.org/ for inclusion in the HSTS preload list. Warning: As with enabling HSTS, we must be confident we won't need to disable HTTPS in the future. Removing ourself from the HSTS preload list may take some time and browsers might not keep their list up to date.