For instructions on how to set up HSTS on other servers, you can check the "HPKP pinning" article.
HPKP is another security mechanism that uses an HTTP header as protection against impersonation attacks with fraudulently issued certificates. To enable it on the server side, it’s required to add a special directive that contains hashes of public keys (pins) contained within certificates the server supplies via Certificate message. When browser with HPKP support receives such a header, it validates pins comparing them with the certificate chain. If validation is successful, it associates the website with received pins. Since then, the connection should result in a non-recoverable error in case of pin validation failure during further connections.
pin-sha256=”SPKI_digest#1"; pin-sha256="SPKI_digest#2"; max-age=31536000
Backup pin is an obligatory requirement.
Max-age directive specifies time (in seconds) during which after reception of HPKP header field a client application treats the host (from whom the message was received) as a known HPKP host. In simple words, it’s time a browser should keep “HPKP” cookies and perform HPKP validation using pins received in the header initially.
pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE="; max-age=31536000
If you would like to include it, includeSubDomains directive should be added in the end of the string and delimited with a semicolon:
pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE="; max-age=31536000; includeSubDomains