The HTTP Strict Transport Security (HSTS) mechanism defined in IETF
RFC 6797 allows us to indicate to clients that the site to which
they are connecting should only every be reached over an encrypted
HTTPS connection, in an effort to thwart protocol downgrade attacks
which could convince a client to fall back to plaintext HTTP. Set
such a policy header for the SSL vhost, valid for one year, and
indicate that this policy also applies to any subdomains of the
hostname with which the site is served (even though it's unlikely
that there would ever be any in this case, this is useful for
consistency with inclusion in other vhost templates in the future).
While HSTS policy can't prevent downgrade attacks the very first
time a client connects to this site, thereafter their browser would
be wary of connecting over plain HTTP for subsequent connections for
a full year.
Change-Id: If5c2f3b70e7f7646bf6168e8942aee0ecb7c2ec8
2658fb41ba