The "security.strict-transport-security" option does not behave as expected (as of ec12b710aac0d7f4d6c3bad0f1a8993e7f2d0f84 in phabricator).
When this option is turned off, I am still getting a Strict-Transport-Security header, which looks like this:
Strict-Transport-Security: max-age=0; includeSubdomains; preload
When I toggle that option on, I get:
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Toggling it to false returns me to the first header (max-age=0).
When the option is false, I expect Phabricator to not send a header at all.
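The three cases in this report (no header, `max-age=0`, and a positive `max-age`) are not equivalent to a browser: under RFC 6797 a `max-age=0` header tells the client to drop any HSTS policy it has stored for the host, while an absent header leaves stored state untouched. The following is an added example, not Phabricator code, that classifies a response accordingly; the function names and the result labels `absent`, `clear` and `enforce` are assumptions made for this illustration.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flags).

    Directive names are case-insensitive and max-age is required (RFC 6797).
    """
    max_age = None
    flags = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif not sep:
            # Valueless directives such as includeSubDomains and preload.
            flags.add(name)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, flags


def classify(headers):
    """Return 'absent', 'clear' or 'enforce' for a dict of response headers."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            max_age, _flags = parse_hsts(value)
            # max-age=0 instructs the client to delete its stored policy.
            return "clear" if max_age == 0 else "enforce"
    # No header: the client keeps whatever policy it already cached.
    return "absent"


if __name__ == "__main__":
    # The first two values are the headers quoted in the report;
    # the third response is constructed for the expected "no header" case.
    samples = [
        {"Strict-Transport-Security": "max-age=0; includeSubdomains; preload"},
        {"Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload"},
        {"Content-Type": "text/html"},
    ]
    for headers in samples:
        print(classify(headers), headers)
```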