Yeah the problem with
Strict-Transport-Security is that it's not a single on/off header, it contains optional parameters. If we generate that header from Flarum, it requires multiple setting fields.
Building that header from Flarum settings also impacts performance more than just putting it in the Apache/nginx header config.
Like rob says,
includeSubDomains could backfire, and so does
preload. No software should force the preload option upon a website, it has to be opt-in.
The https://httpoxy.org line is irrelevant for Flarum, it's useful to have in the Apache/nginx configuration, but it's in case outdated CGI scripts are enabled on the hosting. Flarum itself or its extension never contained that vulnerability so there's no reason filtering the header inside of Flarum's stack.
What we could do however is add the suggested headers as comments in the included
.htaccess file, similar to how we include the rules for non-public folder https://github.com/flarum/flarum/blob/master/public/.htaccess