Add HTTP Strict-Transport-Security header to unknown URLs

[MahmudH]

• This sets the HSTS header to the domain within VCL
• Enables consistency throughout the CDN.

Trello: https://trello.com/c/0TgCOgbX/3397-3-configure-fastly-to-always-append-an-hsts-header

[sengi]

The idea SGTM, but I have a couple of practical concerns about merging this as-is:

• do we plan to remove the HSTS stuff from apps? (I think we'll need to, otherwise we're duplicating the config for this important header, which just seems unnecessarily risky.)
• why the super short max-age?

[sengi]

HSTS with max-age=300 doesn't seem useful to me — what's the rationale here?

[sengi]

I see from the notes on the internal-only Trello card that you plan to set this to 300 and then increase it later, but that doesn't make any sense to me given that we're already serving HSTS headers with an appropriately-long max-age (strict-transport-security: max-age=31536000; preload).

didn't mean to approve there, sorry — comments kinda need addressing before merge

[sengi]

tl;dr:

• HSTS affects a whole domain, not individual pages/paths.
• We currently have a slight inconsistency in how we're serving the HSTS header, for example we're not serving it on some 404 responses.
• We don't want to be serving conflicting or inconsistent HSTS headers (for any given domain).
• We should therefore configure the HSTS header at CDN so that it's trivial to see that it's correct.
• The value needs to be the same as the one we're currently serving, so we don't break stuff or make the inconsistency worse.