From ffaf884570664c681a85483245b4ae190dcf7496 Mon Sep 17 00:00:00 2001 From: James Hilliard Date: Sat, 9 Apr 2016 15:07:28 -0500 Subject: [PATCH 1/2] add HSTS preload requirement for wallets --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b9a23d9e..2e9ae89a 100644 --- a/README.md +++ b/README.md @@ -719,7 +719,7 @@ Basic requirements: - No concerning bug is found when testing the wallet - Website supports HTTPS and 301 redirects HTTP requests - SSL certificate passes [Qualys SSL Labs SSL test](https://www.ssllabs.com/ssltest/) -- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days +- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days and is included in the [HSTS preload list](https://hstspreload.appspot.com/) - The identity of CEOs and/or developers is public - Avoid address reuse by using a new change address for each transaction - If private keys or encryption keys are stored online: From 8d91bb76a96b2b641fc5190977108b5ff4f6d185 Mon Sep 17 00:00:00 2001 From: James Hilliard Date: Fri, 16 Dec 2016 02:44:32 -0600 Subject: [PATCH 2/2] Make HSTS preloading optional --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e9ae89a..44217f7a 100644 --- a/README.md +++ b/README.md 
@@ -719,7 +719,7 @@ Basic requirements: - No concerning bug is found when testing the wallet - Website supports HTTPS and 301 redirects HTTP requests - SSL certificate passes [Qualys SSL Labs SSL test](https://www.ssllabs.com/ssltest/) -- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days and is included in the [HSTS preload list](https://hstspreload.appspot.com/) +- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days - The identity of CEOs and/or developers is public - Avoid address reuse by using a new change address for each transaction - If private keys or encryption keys are stored online: @@ -751,6 +751,7 @@ Optional criteria (some could become requirements): - Does not show "received from" Bitcoin addresses in the UI - Uses deterministic ECDSA nonces (RFC 6979) - Provides a bug reporting policy on the website +- Website serving executable code or requiring authentication is included in the [HSTS preload list](https://hstspreload.appspot.com/) - If user has no access over its private keys: - Full reserve audit(s) - Insurance(s) against failures on their side
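Review bot: In the first patch's hunk at `@@ -719,7 +719,7 @@`, the modified bullet now bundles two criteria that are verified by different means (a header value measured from the site's own response, and membership in a third-party maintained list) into one line; consider splitting it into two bullets, e.g. keeping "- Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days" and adding "- ... is included in the [HSTS preload list](https://hstspreload.appspot.com/)" separately, so a wallet review can record which of the two fails. The preload list entry also covers the whole registered domain rather than a single site, so the bullet should say that the domain, not just the page serving code or authentication, must be preloaded.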
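Review bot: The first hunk of the second patch (`@@ -719,7 +719,7 @@`) is an exact revert of the only change in the first patch, so the net effect of the series on line 722 is a no-op; squash the two patches into one commit that only adds the optional bullet, so the README history does not add and then remove the same text.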
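Review bot: In the second patch's hunk at `@@ -751,6 +751,7 @@`, the new optional bullet says the site "is included in" the preload list, which is ambiguous between having been submitted and having actually shipped in browser builds; suggest "has been accepted into the [HSTS preload list](https://hstspreload.appspot.com/)" and noting that the status is checked on that site, since the criterion is otherwise not verifiable from the wallet's own responses. The bullet also repeats the qualifier "Website serving executable code or requiring authentication" from the basic requirement; a short cross-reference ("the site required to use HSTS above") would keep the two lists in sync if the qualifier is later changed.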