We need middleware to support HSTS. This should go into commonware.response.middleware for now (gah, now I really want to reorganize this again) and needs two settings, one for a max-age and one to optionally include subdomains. I think smart defaults are one month, and False, respectively.
For those who don't want to read the spec, this should only be sent if request.is_secure().
I hadn't heard of HSTS before so I was curious...
It looks like it already exists:
The only thing missing (given the spec here) is checking if request.is_secure() and only adding the header for SSL responses.
Oh, oh wow. Wow. Thanks, Rob!
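For reference, an added example of what the middleware described in this ticket looks like: two settings (max-age defaulting to one month, includeSubDomains defaulting to False) and the header emitted only when request.is_secure(). This is example code written for this page, not commonware's or Django's implementation; the setting names HSTS_MAX_AGE and HSTS_INCLUDE_SUBDOMAINS and the stub request/response classes are assumptions so the block runs offline without Django, and the request/response interface (request.is_secure(), dict-style header access) mirrors Django's.

```python
# Added example, not commonware's code. Assumed setting names and a Django-shaped
# (get_response) middleware; the Fake* classes stand in for Django's request and
# response so the example runs without Django installed.

HSTS_HEADER = "Strict-Transport-Security"

# Assumed defaults from the ticket: one month, subdomains not included.
HSTS_MAX_AGE_DEFAULT = 30 * 24 * 60 * 60  # 2592000 seconds
HSTS_INCLUDE_SUBDOMAINS_DEFAULT = False


def hsts_header_value(max_age, include_subdomains):
    """Build a Strict-Transport-Security value (max-age, optional includeSubDomains)."""
    if isinstance(max_age, bool) or not isinstance(max_age, int) or max_age < 0:
        raise ValueError("max_age must be a non-negative integer number of seconds")
    value = "max-age=%d" % max_age
    if include_subdomains:
        value += "; includeSubDomains"
    return value


class HstsMiddleware(object):
    """Adds the STS header to responses served over TLS."""

    def __init__(self, get_response,
                 max_age=HSTS_MAX_AGE_DEFAULT,
                 include_subdomains=HSTS_INCLUDE_SUBDOMAINS_DEFAULT):
        # In a real deployment these would be read from settings
        # (hypothetical names: settings.HSTS_MAX_AGE, settings.HSTS_INCLUDE_SUBDOMAINS).
        self.get_response = get_response
        self.header_value = hsts_header_value(max_age, include_subdomains)

    def __call__(self, request):
        response = self.get_response(request)
        # Browsers ignore STS received over plain HTTP, so only send it on
        # secure responses; also leave an explicitly set header alone.
        if request.is_secure() and HSTS_HEADER not in response:
            response[HSTS_HEADER] = self.header_value
        return response


# --- constructed stubs so the example runs without Django ---------------

class FakeRequest(object):
    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure


class FakeResponse(dict):
    """Dict-backed stand-in for HttpResponse's header access."""


def run_demo(max_age=HSTS_MAX_AGE_DEFAULT, include_subdomains=HSTS_INCLUDE_SUBDOMAINS_DEFAULT):
    """Run one HTTPS and one plain-HTTP request through the middleware.

    Returns the (https_response, http_response) pair so the headers can be inspected.
    """
    middleware = HstsMiddleware(lambda request: FakeResponse(),
                                max_age=max_age,
                                include_subdomains=include_subdomains)
    https_response = middleware(FakeRequest(secure=True))
    http_response = middleware(FakeRequest(secure=False))
    return https_response, http_response


if __name__ == "__main__":
    https_response, http_response = run_demo(include_subdomains=True)
    print("https:", https_response.get(HSTS_HEADER))
    print("http: ", http_response.get(HSTS_HEADER))
```

Two operational caveats: behind a TLS-terminating proxy, request.is_secure() only returns True if SECURE_PROXY_SSL_HEADER is configured, otherwise the header is never sent; and includeSubDomains commits every subdomain (including ones that are not served over HTTPS) for the full max-age, which browsers will have cached, so enable it only once that is true. Django 1.8 and later ship the same behaviour in django.middleware.security.SecurityMiddleware via SECURE_HSTS_SECONDS and SECURE_HSTS_INCLUDE_SUBDOMAINS.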