SSLLabs A+, F5 LTM 11.4

In rereading Jason's blog, I see that he was expiring HSTS one day before the certificate expires. I don't think that's really needed, unless you might have second thoughts on HTTPS, and want to remove your 301 redirect, and not buy a new SSL certificate. In that case, only, you'd want your HSTS rule to expire before the certificate. If you do that, SSLLabs won't give you an A+ if your cert is going to expire in less than 181 days. So the static max-age is really "required" to get and keep an A+.