Improve HSTS header

- always set the header to make it hopefully appear on redirect as well
  (https://fedorahosted.org/fedora-infrastructure/ticket/2888#comment:11)
- set preload, to make it more likely that subdomains can be
  added to preload list

roles/anitya/frontend/files/0_releasemonitoring.conf

@@ -9,7 +9,7 @@
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Use secure TLSv1.1 and TLSv1.2 ciphers
-   Header add Strict-Transport-Security "max-age=15768000"
+   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 
    SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
    SSLCertificateChainFile /etc/pki/tls/certs/release-monitoring.org.intermediate.cert

roles/copr/frontend/files/httpd/coprs_ssl.conf

@@ -4,7 +4,7 @@
     # Use secure TLSv1.1 and TLSv1.2 ciphers
     SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
     SSLHonorCipherOrder on
-    Header add Strict-Transport-Security "max-age=15768000"
+    Header always add Strict-Transport-Security "max-age=15768000; preload"
 
     SSLCertificateFile /etc/pki/tls/ca.crt
     SSLCertificateKeyFile /etc/pki/tls/private/ca.key

roles/httpd/reverseproxy/templates/reversepassproxy.id.conf

@@ -26,7 +26,7 @@ RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
 
-Header add Strict-Transport-Security "max-age=15768000"
+Header always add Strict-Transport-Security "max-age=15768000; preload"
 
 
 RewriteRule ^(.+) - [PT]