diff --git a/templates/nginx/common/headers-html.conf b/templates/nginx/common/headers-html.conf
index da64686..539cca4 100644
--- a/templates/nginx/common/headers-html.conf
+++ b/templates/nginx/common/headers-html.conf
@@ -1,3 +1,6 @@
add_header Cache-Control "public, no-cache";
add_header Referrer-Policy "unsafe-url";
+
+# The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.
+# https://content-security-policy.com/
#add_header Content-Security-Policy " ";
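Review bot: The first added comment in this hunk opens with "The new" and says "via a HTTP Header", which will date quickly and has an article error; suggest `# Content-Security-Policy lets you reduce XSS risk on modern browsers by declaring which sources of scripts, styles and other resources the page may load.` Because the directive on the following context line stays commented out with an empty value, the comment should also say that the header is disabled until a real policy (for example `default-src 'self'`) is filled in, so a reader does not assume the protection is already active.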
diff --git a/templates/nginx/common/headers-https.conf b/templates/nginx/common/headers-https.conf
index 157a48e..70efc70 100644
--- a/templates/nginx/common/headers-https.conf
+++ b/templates/nginx/common/headers-https.conf
@@ -1,2 +1,5 @@
+# Be aware that inclusion in the preload list cannot easily be undone.
+# Don't request inclusion unless you're sure that you can support HTTPS for your entire site and all its subdomains the long term.
+# https://hstspreload.org/
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Strict-Transport-Security "max-age=31536000";
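Review bot: The second added comment line is missing a preposition and reads awkwardly; suggest `# Don't request inclusion unless you're sure you can support HTTPS for your entire site and all its subdomains for the long term.` It would also help to explain why the commented-out preload line carries `includeSubDomains` while the active header on the last line does not: the preload list only accepts policies that include that directive, the `preload` token and a max-age of at least one year, so the active `max-age=31536000` header is the non-preload variant and a site that later opts in must switch to the full line above.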