
Receiving 2 strict-transport-security headers with different times

February 07, 2015 08:08PM
I have a domain set up with SSL and I am trying to get HSTS headers working. I have done this in NGINX before with no problem. On this new domain I can't seem to get HSTS working properly. Not sure what I am doing wrong.
I have the following in the server block for the SSL server:
add_header Strict-Transport-Security "max-age=31536000;";

When I run "curl -s -D- https://my.domain.net/ | grep Strict"
I receive the following:
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=31536000;

From all the reading I've done trying to figure this out, my impression is that with the add_header in the server directive, that will override any previous declaration (there are none). Is that correct?
I grep'ed my entire /etc directory and there is only one instance of "max-age" and that is in my ssl server config, with one year (31536000 seconds). So nowhere on this system, which was just built, and only accessed by me, is there any reference to HSTS with max-age=0. There is only one config in sites-enabled, and that is for my.domain.net. There is a port 80 config with a return 301 statement to permanently redirect to the SSL server config.

My nginx version is 1.6.2, on Ubuntu 14.04 LTS.
I have been unable to find any help on the web for where the invalid (max-age=0) could be coming from. When testing on ssllabs they report the max-age=0 header. When running the curl statement above on my local network I show the above output.

I'm not sure where to go from here trying to figure this out. There is nothing in the NGINX error log, I wouldn't expect anything as NGINX restarts with no issues.

Thanks for reading!
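
Added example, not part of the original post: a shell function that reads a header dump such as the curl -s -D- output above and reports how many Strict-Transport-Security headers arrived and which max-age takes effect. RFC 6797 (section 8.1) has the client process only the first STS header in a response, so in the output shown the max-age=0 line is the one that counts. The function name, the verdict words and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Strict-Transport-Security headers in a raw response
# header dump read from stdin (e.g. curl -s -D- https://host/ | hsts_audit).
# Prints: <VERDICT> headers=<count> effective-max-age=<value of FIRST header>
hsts_audit() {
    tr -d '\r' | awk '
        /^$/ { exit }                        # blank line ends the header block
        {
            i = index($0, ":")
            if (i == 0) next                 # status line, not a header field
            if (tolower(substr($0, 1, i - 1)) != "strict-transport-security") next
            n++
            age = "invalid"                  # until a well-formed max-age is seen
            m = split(tolower(substr($0, i + 1)), d, ";")
            for (k = 1; k <= m; k++) {
                gsub(/[ \t"]/, "", d[k])     # drop whitespace and optional quotes
                if (d[k] ~ /^max-age=[0-9]+$/) { age = substr(d[k], 9); break }
            }
            ages[n] = age
        }
        END {
            if (n == 0) { print "MISSING headers=0"; exit }
            verdict = (n == 1) ? "OK" : "DUPLICATE"
            for (k = 2; k <= n; k++) if (ages[k] != ages[1]) verdict = "CONFLICT"
            if (ages[1] == "invalid") verdict = "INVALID"
            else if (n == 1 && ages[1] + 0 == 0) verdict = "DISABLED"
            # Only the first header is processed by a conforming client.
            print verdict " headers=" n " effective-max-age=" ages[1]
        }'
}

# Constructed sample, shaped like the curl output quoted in the post.
SAMPLE='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=31536000;

<html></html>'

printf '%s\n' "$SAMPLE" | hsts_audit
```

Run against each hop separately (the public URL and, if a backend sits behind nginx, the backend directly) to see which layer emits which header.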
Subject Author Posted

Receiving 2 strict-transport-security headers with different times

deltaxfx February 07, 2015 08:08PM

Re: Receiving 2 strict-transport-security headers with different times

dewanggaba February 07, 2015 11:08PM

Re: Receiving 2 strict-transport-security headers with different times

deltaxfx February 07, 2015 11:32PM

Re: [Solved] Receiving 2 strict-transport-security headers with different times

deltaxfx February 07, 2015 11:42PM

Re: Receiving 2 strict-transport-security headers with different times

NitrouZ February 07, 2015 11:44PM


