README.md in secure_headers-3.6.0 vs README.md in secure_headers-3.6.1

- old
+ new

@@ -60,11 +60,12 @@ httponly: true, # mark all cookies as "HttpOnly" samesite: { lax: true # mark all cookies as SameSite=lax } } - config.hsts = "max-age=#{20.years.to_i}; includeSubdomains; preload" + # Add "; preload" and submit the site to hstspreload.org for best protection. + config.hsts = "max-age=#{20.years.to_i}; includeSubdomains" config.x_frame_options = "DENY" config.x_content_type_options = "nosniff" config.x_xss_protection = "1; mode=block" config.x_download_options = "noopen" config.x_permitted_cross_domain_policies = "none" @@ -154,9 +155,10 @@ * Python - [django-csp](https://github.com/mozilla/django-csp) + [commonware](https://github.com/jsocol/commonware/); [django-security](https://github.com/sdelements/django-security) * Go - [secureheader](https://github.com/kr/secureheader) * Elixir [secure_headers](https://github.com/anotherhale/secure_headers) * Dropwizard [dropwizard-web-security](https://github.com/palantir/dropwizard-web-security) * Ember.js [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy/) +* PHP [secure-headers](https://github.com/BePsvPT/secure-headers) ## License Copyright 2013-2014 Twitter, Inc and other contributors.
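Review bot: In the first hunk (@@ -60,11 +60,12 @@), the new comment above `config.hsts` tells readers to add "; preload" and submit to hstspreload.org, but it does not say why the sample no longer includes the directive or what has to be true before adding it. Browsers ship the preload list, so an entry is slow to withdraw, and every subdomain covered by `includeSubdomains` must already serve HTTPS. Suggest extending the comment with one line to that effect, for example "only after every subdomain serves HTTPS; preload list entries are slow to remove". The sample still sets `max-age=#{20.years.to_i}` together with `includeSubdomains`, so the same precondition is worth stating for the default value as well.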
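Review bot: In the second hunk (@@ -154,9 +155,10 @@), the added `* PHP [secure-headers](https://github.com/BePsvPT/secure-headers)` entry has no separator between the language and the link, matching the Elixir, Dropwizard and Ember.js lines but not the `* Python - [...]` and `* Go - [...]` lines above them. This is a style point only: pick one form for the whole list, either in this change or in a follow-up, so the rendered README is uniform.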