No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.
From nginx' add_header documentation:
```
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
```
At least for all security-relevant headers this should not be the case
and the header should always be added.
Updated latest "intermediate" ciphers from mozilla
Add another version of the STS header including subdomains and comments
Add note at base to consider ssl-stapling
As a best practice, Nginx should only direct clients to use the certificate on specified domains. This is because not all servers using other subdomains necessarily listen on 443 and because, unless it is a wildcard certificate, it likely won't be valid on subdomains other than WWW.
As suggested in #44, and since h5bp doesn't support IE6 it seems to be
appropriate to remove a protocol which is in the list only to permit use
with IE6.
Léo Colombaro