* [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**)
* [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**)
  * `Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";`
  * Start with max-age set to 5 minutes (`max-age=300`) and increase progressively
  * The first two pins are for DigiCert EV and DV roots, the last two are for Let's Encrypt X3 and X4 intermediates (LE is only used for backup)
* [ ] If the service is not hosted under `services.mozilla.com`, it must be manually added to [Firefox's preloaded pins](https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#184).
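The two header items above can be checked mechanically. The following Python is an added example, not part of the original checklist: it parses `Strict-Transport-Security` and `Public-Key-Pins` values and reports deviations from the checklist's max-age values and pin format. The function names are assumptions, and it cannot confirm that a pin matches a given CA key.

```python
import base64

HSTS_MAX_AGE = 31536000  # 1 year (INFRA-HSTS)
HPKP_MAX_AGE = 5184000   # 60 days (INFRA-HPKP); rollout starts at max-age=300

def directives(value):
    """Split a header value into (lowercased name, unquoted value) pairs."""
    parts = [p.strip() for p in value.split(";") if p.strip()]  # trailing ';' ok
    return [(n.strip().lower(), v.strip().strip('"'))
            for n, _, v in (p.partition("=") for p in parts)]

def max_age(pairs, issues):
    """Return max-age as an int, or record an issue and return None."""
    found = [v for n, v in pairs if n == "max-age"]
    if len(found) != 1 or not (found[0].isascii() and found[0].isdigit()):
        issues.append("max-age missing, repeated or not an integer")
        return None
    return int(found[0])

def check_hsts(value):
    issues = []
    age = max_age(directives(value), issues)
    if age is not None and age < HSTS_MAX_AGE:
        issues.append(f"HSTS max-age {age} is below {HSTS_MAX_AGE}")
    return issues

def check_hpkp(value):
    issues = []
    pairs = directives(value)
    age = max_age(pairs, issues)
    if age is not None and age != HPKP_MAX_AGE:
        state = "rollout value, raise to" if age < HPKP_MAX_AGE else "exceeds"
        issues.append(f"HPKP max-age {age}: {state} {HPKP_MAX_AGE}")
    pins = [v for n, v in pairs if n == "pin-sha256"]
    for pin in pins:
        try:  # a pin must be the base64 of a 32-byte SHA-256 digest
            ok = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:
            ok = False
        if not ok:
            issues.append(f"pin {pin!r} is not a base64 SHA-256 digest")
    if len(set(pins)) < 2:  # RFC 7469 requires a backup pin; one pin cannot include it
        issues.append("fewer than two distinct pins, so no backup pin")
    return issues

if __name__ == "__main__":
    # Rollout-stage header built from the first and third pins in the checklist.
    print(check_hpkp('max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
                     'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";'))
```

An empty list means the header value satisfies the corresponding checklist item; during the `max-age=300` rollout stage the HPKP check reports the value as not yet at the target.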
* If the service has an admin panel, it must: