Add a recommendation on the HSTS preload list to resolve #1941 #1952

Merged
1 change: 1 addition & 0 deletions 5.0/en/0x99-Appendix-X_Recommendations.md
Expand Up @@ -14,6 +14,7 @@ The following items are in-scope for ASVS. We don't think they should be made ma
* Create a publicly available security.txt file at the root or .well-known directory of the application that clearly defines a link or e-mail address for people to contact owners about security issues.
* Client-side input validation should be enforced in addition to validation at a trusted service layer as this provides a good opportunity to discover when someone has bypassed client-side controls in an attempt to attack the application.
* Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, the X-Robots-Tag response header or a robots html meta tag.
* Use the HSTS preload list so that the use of TLS for the application will be built into the main browsers rather than only relying on the relevant HTTP response header.

## Software Security processes

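Review bot: the added bullet recommends the HSTS preload list without stating what that commits the application to. Inclusion is effectively one-way: removal from the list is slow and only reaches users as browsers ship updates, and the submission criteria require the policy to cover every subdomain (a `Strict-Transport-Security` header with a long `max-age` plus the `includeSubDomains` and `preload` directives). Suggest qualifying the line, for example: "Use the HSTS preload list, once the domain and all of its subdomains are served over TLS, so that the use of TLS for the application will be built into the main browsers rather than only relying on the relevant HTTP response header; note that preloading is difficult to reverse." It is also worth making explicit that preloading builds on the response header rather than replacing it, since the current wording ("rather than only relying on") could be read as the list being an alternative to sending the header.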