pump.io
Consider serving HSTS by default if TLS is enabled
Admins can't switch off HTTPS anyway since it breaks federation, so AFAICT we might as well serve HTTP Strict Transport Security headers? At least without includeSubdomains. I think this won't cause any problems but I want to think about it more.
Could include this in the 6.0 release just in case it causes problems, though it should be backwards-compatible. (Labeling semver-major so it shows up when I query for things that need to go in for 6.0.)
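
One way the proposal above could look as Connect/Express-style middleware, as an added example that is not part of the original issue or pump.io's own code. The option names (`tlsEnabled`, `trustProxy`, `maxAgeSeconds`, `includeSubDomains`) and the 180-day default `max-age` are assumptions made for illustration.

```javascript
// Added example. Option names are hypothetical, not pump.io configuration keys.

// Build the Strict-Transport-Security value (RFC 6797, section 6.1).
function buildHstsValue({ maxAgeSeconds = 15552000, includeSubDomains = false } = {}) {
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) {
    throw new TypeError("maxAgeSeconds must be a non-negative integer");
  }
  const directives = [`max-age=${maxAgeSeconds}`];
  // Off by default: the policy then binds only the exact host that served it,
  // so sibling hosts under the same domain that still use HTTP keep working.
  if (includeSubDomains) directives.push("includeSubDomains");
  return directives.join("; ");
}

// True when the request arrived over TLS, directly or via a trusted proxy.
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false; // never believe a client-supplied header
  const forwarded = String(req.headers["x-forwarded-proto"] || "");
  return forwarded.split(",")[0].trim().toLowerCase() === "https";
}

// Middleware factory: a no-op unless TLS is enabled in the (assumed) config.
function hsts(options = {}) {
  const { tlsEnabled = false, trustProxy = false } = options;
  const value = tlsEnabled ? buildHstsValue(options) : null;
  return function hstsMiddleware(req, res, next) {
    // RFC 6797, section 7.2: the header must not be sent over plain HTTP.
    if (value !== null && isSecureRequest(req, trustProxy)) {
      res.setHeader("Strict-Transport-Security", value);
    }
    next();
  };
}

// Constructed requests: run the middleware once and return the headers it set.
function headersFor(options, req) {
  const headers = {};
  const res = { setHeader: (name, v) => { headers[name] = v; } };
  hsts(options)(req, res, () => {});
  return headers;
}

console.log(headersFor({ tlsEnabled: true }, { socket: { encrypted: true }, headers: {} }));
console.log(headersFor({ tlsEnabled: true }, { socket: {}, headers: {} }));
```
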