It looks like it's still in the development phase? I'd like to start recommending it to clients, and then testing it on client sites, but right now I can't.
EDIT: Oh, apparently plug-ins for nginx and apache are now available. Sweeeeet.
EDIT: Although I'm a bit nervous about turning it on. Several weeks ago I couldn't get to one of my websites where I had turned on HSTS for about an hour from Chrome, and I got absolutely no feedback from Chrome about what the problem was.
I still don't know, which is why it is such a nagging problem in my gut.
Chrome acted like it was HSTS, because it refused to let me connect at all, not even with an "it's okay to connect for now." And it went away by itself after about 30-60 minutes.
I'm sure I could have wiped out some Chrome settings to fix this, but this site is also used by our customers, and I really, really wanted to understand what it was. Fortunately I was the only person who has ever run into it so far.
Is there an HSTS user group I could ask about this?
You could always ask agl, he might have some suggestions.
What I've seen in the past is that Chrome occasionally gets overaggressive in caching (in an attempt to be "fast" I guess). Clearing all the caches out, flushing DNS etc. usually fixes it for me.
Judging by how Google says they stumbled over this, "Chrome detected and blocked an unauthorized digital certificate", it seems that's roughly what they're doing. I wonder how many sites it's able to do this for.
Those are the sites that they're currently able to do it for. :-)
If anyone reading wants to have your own site added to the HSTS preload (or perhaps cert pin) lists, I think the Chromium developers are interested in hearing from you. I know they'll add HSTS preloads for any site, but I don't know for sure whether there's a size or popularity threshold of some sort for a cert pin.
Chrome (the browser) is super-paranoid about other people replacing google.com certificates. It knows exactly what they should be and anything else is cause for alarm. 'tptacek talks about it from time to time.