  2. 4

    It is of note that HSTS isn’t necessarily all about security; it can also be used to implement client tracking in a way that is not currently easy to defeat: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/

    1. 1

      Fun story: there are a couple of random websites which switched CAs, and one of my machines didn’t trust the new CA, so my browser made it impossible to access those sites for 6 months to a year.

      If you don’t particularly care about people being able to access your site, then go ahead and implement HSTS, and don’t be conservative: set max-age to 10 years, so that not only will your own visitors who might stop trusting your CA never return, but even if you abandon your domain, the next owner won’t have any of your visitors either (that is, until they themselves join the https club through an appropriate CA).
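As an added example (not from anyone in this thread), here is a small Python checker that parses a `Strict-Transport-Security` header and flags the kind of over-long `max-age` the comment above warns about; the 2-year ceiling is an assumed threshold, not a standard value, and the sample headers in the test are constructed.

```python
"""Parse a Strict-Transport-Security header and flag a max-age that commits
visitors to HTTPS for longer than the operator can realistically stand behind."""
import re

SECONDS_PER_YEAR = 365 * 24 * 3600
# Assumption: anything beyond two years is treated as over-committed.
RECOMMENDED_MAX_AGE = 2 * SECONDS_PER_YEAR


def parse_hsts(header: str) -> dict:
    """Split the header into its directives (names are case-insensitive)."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(header: str, ceiling: int = RECOMMENDED_MAX_AGE) -> list:
    """Return a list of findings; an empty list means the policy looks reasonable."""
    policy = parse_hsts(header)
    findings = []
    if policy["max-age"] is None:
        # RFC 6797 requires max-age; browsers ignore the header without it.
        findings.append("missing max-age: header is invalid and will be ignored")
        return findings
    years = policy["max-age"] / SECONDS_PER_YEAR
    if policy["max-age"] > ceiling:
        findings.append(
            f"max-age of {years:.1f} years exceeds the {ceiling // SECONDS_PER_YEAR}-year "
            "ceiling; visitors stay pinned to HTTPS that long even if the domain changes hands")
    if policy["includeSubDomains"]:
        findings.append("includeSubDomains pins every subdomain; confirm all serve valid TLS")
    if policy["preload"] and not policy["includeSubDomains"]:
        findings.append("preload requires includeSubDomains; preload lists reject this policy")
    return findings
```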