dewanggaba, your hint was correct. Even though I am using the NGINX config supplied by ownCloud, there was still a setting in the admin panel to force HTTPS, which also sends an HSTS header. But the kicker is, if force HTTPS (in PHP) is set to off (and just forced through the server config), ownCloud sends an HSTS header for max-age=0!
This is ownCloud 7.0.4 (stable).
Here is the relevant code in case it helps anyone who might be searching for the same thing in the future:
```php
public static function checkSSL() {
    // redirect to https site if configured
    if (\OC::$server->getSystemConfig()->getValue('forcessl', false)) {
        // Default HSTS policy (one year)
        $header = 'Strict-Transport-Security: max-age=31536000';
        // If SSL for subdomains is enabled add "; includeSubDomains" to the header
        if (\OC::$server->getSystemConfig()->getValue('forceSSLforSubdomains', false)) {
            $header .= '; includeSubDomains';
        }
        header($header);
        ini_set('session.cookie_secure', 'on');
        // Plain-HTTP request (and not the CLI): bounce to the HTTPS URL
        if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
            $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();
            header("Location: $url");
            exit();
        }
    } else {
        // Invalidate HSTS headers: forcessl is off, so any policy the browser
        // already cached for this host is cleared with max-age=0
        if (OC_Request::serverProtocol() === 'https') {
            header('Strict-Transport-Security: max-age=0');
        }
    }
}
```
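To see why the `max-age=0` branch above undoes an HSTS policy set in the web server, here is an added example (my own code, not ownCloud's) that applies the RFC 6797 rules a browser follows: only the first `Strict-Transport-Security` header in a TLS response is processed, the header is ignored entirely over plain HTTP, and `max-age=0` tells the browser to forget the host. The two responses are constructed; the `add_header` line and its position after the FastCGI header are assumptions about how "forced through the server config" was done in the setup described above.

```python
"""Evaluate the HSTS policy a browser ends up with after one HTTP response.

Added example, not ownCloud code. Implements the RFC 6797 processing rules
relevant to the forcessl question: a UA processes only the first STS header
field in a response received over TLS, ignores STS over plain HTTP, and
treats max-age=0 as "delete the cached policy for this host".
"""
import re

STS_NAME = "strict-transport-security"

# Constructed sample: forcessl = true in config.php, nothing added by nginx.
RESPONSE_FORCESSL_ON = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""

# Constructed sample: forcessl = false, HTTPS enforced only in the server block.
# Assumption: nginx adds its own STS header with `add_header`, and it lands
# after the header PHP already emitted, so PHP's max-age=0 is seen first.
RESPONSE_FORCESSL_OFF = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""


def parse_headers(raw):
    """Split a raw HTTP/1.1 response head into (status_line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_sts(value):
    """Parse an STS field value into (max_age, include_subdomains), or None if invalid."""
    max_age = None
    include_sub = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # a repeated directive makes the whole header invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None  # max-age must be a non-negative integer
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # unrecognised directives are ignored, per the RFC
    if max_age is None:
        return None  # max-age is required
    return max_age, include_sub


def effective_hsts(raw, over_tls=True):
    """Return what the browser does with its HSTS store after this response.

    dict  -> cache this policy for the host
    "delete" -> forget the host (max-age=0)
    None -> response does not touch the HSTS store
    """
    if not over_tls:
        return None  # STS over plain HTTP is ignored
    _, headers = parse_headers(raw)
    sts_values = [v for n, v in headers if n == STS_NAME]
    if not sts_values:
        return None
    parsed = parse_sts(sts_values[0])  # only the first STS header counts
    if parsed is None:
        return None
    max_age, include_sub = parsed
    if max_age == 0:
        return "delete"
    return {"max_age": max_age, "include_subdomains": include_sub}


if __name__ == "__main__":
    print("forcessl on :", effective_hsts(RESPONSE_FORCESSL_ON))
    print("forcessl off:", effective_hsts(RESPONSE_FORCESSL_OFF))
```

Run it as a script and the second line reports `delete`: with `forcessl` off, the browser drops whatever policy it learned earlier, regardless of the header the server block adds later in the same response. The practical check is therefore not "is an HSTS header present" but "which STS header comes first and what is its max-age".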