Adding HSTS header breaks HSTS if apache/nginx globally adds a header
I am using a common SSL configuration for all my subdomains, and being rather cautious with HSTS I set the max-age to 24h. I want to be really sure my setup and my CA won't screw up, before I increase this. I just noticed, however, that GitLab is sending its own HSTS header. The result is an invalid HSTS policy (two headers being sent), which the browsers ignore. In other words, thanks to GitLab silently trying to overwrite a policy decision I made for all my subdomains, my users have been less secure for more than half a year (or since whenever GitLab added this "feature"), not getting HSTS protection on the GitLab subdomain. Ouch! Server software should not try to outsmart the admin, that's not going to end well. Right now I don't even know how to fix this, I don't have a good way of changing the SSL setup only for a particular domain without copy-and-paste - and the latter is certainly going to lead to bad, outdated SSL setups for some domain, at some point.
So, please make it possible to disable HSTS, and preferably disable it by default so that it doesn't get in the way of people who actually care for their security themselves. Or maybe move the adding of the HSTS header from GitLab itself to the nginx/apache snippets, so that admins (a) notice the two headers while auditing their web server config and (b) can easily fix this issue.
In some sense this is a duplicate of #568 (closed), albeit with a different justification. Notice however that even with free automated SSL certificates available, there can still be good use-cases for not using them, e.g. for internal domains whose existence should not be registered with Let's Encrypt (and which cannot be verified from the outside anyway). Let's Encrypt does not yet support IPv6-only hosts. And even with a Let's Encrypt certificate, right now I'd really not like to set max-age to significantly more than a day - in case I screw up my server setup, or run into the rate-limiting of Let's Encrypt so that I cannot renew a certificate anymore. Adding HSTS makes an SSL setup a whole lot more fragile, because any mistake in the setup or in the relationship to the CA can break your domain for an entire year (the max-age GitLab sets). I think forcing this onto the admins without even telling them is a huge faux-pas.
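The misconfiguration described in this issue (the application and the reverse proxy each emitting a `Strict-Transport-Security` header, so a response carries two of them with different `max-age` values) is easy to miss unless something checks for it. The following is an added example, not GitLab's code and not the issue author's: a small audit function that parses a raw HTTP response head, counts the HSTS headers, splits each into its directives (the `;`-separated `max-age`, `includeSubDomains`, `preload` syntax of RFC 6797), and reports duplicate headers, conflicting `max-age` values, and a missing or malformed `max-age`. The sample responses at the bottom are constructed for the demo; the one-year value in the duplicate mirrors the policy the issue says GitLab adds on its own.

```python
"""Audit an HTTP response for duplicate or malformed HSTS headers.

Added example, not part of the GitLab issue or the GitLab code base.
Feed it the raw response head (status line plus headers, CRLF separated),
for instance what `curl -sI https://host/` prints.
"""
import re

HSTS_NAME = "strict-transport-security"


def parse_hsts(value):
    """Split one HSTS header value into a {directive: value} dict.

    Directive names are case-insensitive; valueless directives such as
    includeSubDomains are stored as True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def parse_response_headers(raw):
    """Return a list of (lowercased name, value) pairs from a raw response head."""
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1")
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_hsts(raw):
    """Report HSTS problems in a response.

    Returns {"count": <number of HSTS headers>,
             "max_age": <int from the first header, or None>,
             "problems": [<human-readable findings>]}.
    """
    hsts_values = [v for n, v in parse_response_headers(raw) if n == HSTS_NAME]
    result = {"count": len(hsts_values), "max_age": None, "problems": []}
    if not hsts_values:
        result["problems"].append("no HSTS header sent")
        return result

    parsed = [parse_hsts(v) for v in hsts_values]

    # Exactly one HSTS header is expected; two usually means the application
    # and the reverse proxy both add it (the situation in this issue).
    if len(parsed) > 1:
        result["problems"].append(
            f"{len(parsed)} HSTS headers sent (expected exactly one)")
        ages = {str(p.get("max-age")) for p in parsed}
        if len(ages) > 1:
            result["problems"].append(
                "conflicting max-age values: " + ", ".join(sorted(ages)))

    # RFC 6797 makes max-age mandatory and requires a non-negative integer.
    age = parsed[0].get("max-age")
    if age is None or age is True or not re.fullmatch(r"\d+", age):
        result["problems"].append("first HSTS header has no valid max-age")
    else:
        result["max_age"] = int(age)
    return result


# Constructed sample responses (not captured from a real server).
RESPONSE_OK = (b"HTTP/1.1 200 OK\r\n"
               b"Strict-Transport-Security: max-age=86400\r\n"
               b"Content-Type: text/html\r\n\r\n")
RESPONSE_DUPLICATE = (b"HTTP/1.1 200 OK\r\n"
                      b"Strict-Transport-Security: max-age=86400\r\n"
                      b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                      b"Content-Type: text/html\r\n\r\n")
RESPONSE_NONE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("ok", RESPONSE_OK), ("duplicate", RESPONSE_DUPLICATE),
                        ("none", RESPONSE_NONE)):
        print(label, audit_hsts(resp))
```

Running it against the constructed samples, the single-header response passes with a 24h `max_age`, the duplicate response is flagged twice (two headers, and conflicting `max-age` values of one day versus one year), and the header-less response is flagged as having no HSTS at all. The same function works on the output of `curl -sI` against a live host, which is a cheap check to run after changing either the application or the proxy configuration.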