header ?Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
header +Content-Security-Policy upgrade-insecure-requests;