The wording around the max-age parameter of HSTS is needlessly ambiguous especially in 3.4.1:
Verify that a Strict‑Transport‑Security header field is included on all responses to enforce an HTTP Strict Transport Security (HSTS) policy. A maximum age of at least 1 year must be defined, and for L2 and up, the policy must apply to all subdomains as well.
The problem here is the use of "maximum age", the sentence can be parsed as the maximum value of the parameter or the maximum value of max-age. This all hooks on the words "... at least ...", if they're missed on a skim read the sentence has a different meaning. The sentence caused confusion for our internal advice, as we tried to work out what the best recommendation for HSTS was.
To make it totally unambiguous it would be better to rephrase it to be explicit, something like:
Verify that a Strict‑Transport‑Security header field is included on all responses to enforce an HTTP Strict Transport Security (HSTS) policy. The max-age parameter should be set to at least 31536000 (one year). For L2 and up, the policy must apply to all subdomains as well.
The wording around the max-age parameter of HSTS is needlessly ambiguous especially in 3.4.1:
The problem here is the use of "maximum age", the sentence can be parsed as the maximum value of the parameter or the maximum value of max-age. This all hooks on the words "... at least ...", if they're missed on a skim read the sentence has a different meaning. The sentence caused confusion for our internal advice, as we tried to work out what the best recommendation for HSTS was.
To make it totally unambiguous it would be better to rephrase it to be explicit, something like: