HSTS tweaks

certbot.md

@@ -125,6 +125,9 @@ filename: `/etc/nginx/snippets/ssl/example.com.conf`
 ```nginx
 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+# Replace with the domain's HSTS policy
+add_header Strict-Transport-Security "max-age=63072000";
 ```
 
 ## SSL params
@@ -151,7 +154,6 @@ ssl_stapling_verify on;
 resolver 1.1.1.1 1.0.0.1 valid=300s;
 resolver_timeout 5s;
 
-add_header Strict-Transport-Security "max-age=63072000";
 add_header X-Content-Type-Options nosniff;
 
 ssl_dhparam /etc/ssl/certs/dhparam.pem;