by lgarron
3742 days ago
I don't see e.g. a GitHub repo to comment on, but the HSTS header example is `Strict-Transport-Security: max-age=63072000; includeSubdomains; always`. `always` has no meaning, and probably indicates a typo in an nginx configuration. As others have pointed out, there is other TLS advice here that you shouldn't follow blindly, like a 4096-bit cert (especially if your intermediate is smaller) or TLS 1.2 only. Rationales and trade-off explanations would help avoid misuse of this checklist. The SSL Labs checker is probably the best tool to use for all the automatable TLS checks.
```apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
```

That said, when I test an Apache site I've set up using that same directive, I don't get the "always", so I'm not sure where it's coming from (in the example).
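As an added example (not code from either commenter or from the checklist being discussed), the following Python checker parses a `Strict-Transport-Security` value per RFC 6797 and flags directives the RFC does not define, such as the stray `always` quoted above, which a browser must ignore but which usually signals a copy-paste from a server config. It also pulls the header value out of an Apache `Header always set ...` or nginx `add_header ... always;` line, showing that `always` is a directive keyword in both servers and never part of the header value. The preload minimum `max-age` of one year is an assumption taken from the hstspreload.org submission guidelines, not from the thread.

```python
"""Validate Strict-Transport-Security header values (RFC 6797).

Added example; not code from the thread or the checklist it discusses.
"""
import re

# Directives defined by RFC 6797 plus the widely used "preload" token.
KNOWN_DIRECTIVES = {"max-age", "includesubdomains", "preload"}

# Assumption: hstspreload.org currently requires max-age of at least one year.
PRELOAD_MIN_AGE = 31536000

# Matches the header value inside an Apache "Header [always] set" line or an
# nginx "add_header" line. The "always" keyword is outside the capture group.
_CONFIG_RE = re.compile(
    r'(?:add_header|Header\s+(?:always\s+)?set)\s+Strict-Transport-Security\s+"([^"]*)"',
    re.IGNORECASE,
)


def header_value_from_config(line):
    """Return the quoted HSTS value from a server config line, or None."""
    match = _CONFIG_RE.search(line)
    return match.group(1) if match else None


def parse_hsts(value):
    """Split an HSTS value into (name, arg) pairs; names are case-insensitive."""
    directives = []
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        # RFC 6797 allows max-age="31536000" as a quoted-string; unquote it.
        arg = arg.strip().strip('"') if sep else None
        directives.append((name.strip().lower(), arg))
    return directives


def check_hsts(value, preload_min_age=PRELOAD_MIN_AGE):
    """Return a list of findings for an HSTS value; empty means well-formed."""
    findings = []
    seen = {}
    for name, arg in parse_hsts(value):
        if name in seen:
            findings.append(f"duplicate directive: {name}")
        seen[name] = arg
        if name not in KNOWN_DIRECTIVES:
            findings.append(
                f"unknown directive {name!r}: browsers ignore it, "
                "but it probably indicates a configuration error"
            )

    age_ok = False
    if "max-age" not in seen:
        findings.append("max-age is required")
    else:
        age = seen["max-age"]
        if age is None or not re.fullmatch(r"\d+", age):
            findings.append(f"max-age must be a non-negative integer, got {age!r}")
        elif int(age) == 0:
            findings.append("max-age=0 tells browsers to forget the HSTS policy")
        else:
            age_ok = True

    if "preload" in seen:
        if "includesubdomains" not in seen:
            findings.append("preload requires includeSubDomains")
        if age_ok and int(seen["max-age"]) < preload_min_age:
            findings.append(
                f"preload requires max-age >= {preload_min_age}, got {seen['max-age']}"
            )
    return findings


if __name__ == "__main__":
    # Constructed samples: the value quoted in the thread and two config lines.
    samples = [
        "max-age=63072000; includeSubdomains; always",
        header_value_from_config(
            'Header always set Strict-Transport-Security '
            '"max-age=63072000; includeSubdomains; preload"'
        ),
        header_value_from_config(
            'add_header Strict-Transport-Security "max-age=0" always;'
        ),
    ]
    for sample in samples:
        print(repr(sample), "->", check_hsts(sample) or "ok")
```

The checker reports the stray `always` as an unknown directive rather than an error, which matches RFC 6797's rule that unrecognized directives are ignored; the point is that an unexpected token almost always means the config was transcribed wrongly, which is worth catching in a review even though browsers tolerate it.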