I’m not an expert on HSTS, but it sounds like ActionDispatch::SSL is violating the spec when it adds STS to redirect responses. Is this for a reason?
Likewise, I’m not an HSTS expert, and can’t see any security implications of it, as the header itself only contains non-sensitive information. I’d suggest opening up a pull request to fix it; it’s only going to be half a line or so, and perhaps someone can chime in there.
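The behaviour the thread is asking for, as an added example that is not part of the thread and not Rails' own `ActionDispatch::SSL` code: a minimal Rack-style middleware that redirects plain-HTTP requests to HTTPS without attaching `Strict-Transport-Security`, and adds the header only to responses served over HTTPS. RFC 6797 §7.2 states that an HSTS host must not include the STS header in responses sent over non-secure transport, which is why the redirect branch omits it. The class name `HstsRedirect`, the `build_env` helper and the sample requests are assumptions constructed for this illustration.

```ruby
# Added example (not code from the thread or from Rails). Illustrates the
# RFC 6797 rule: the STS header is only emitted on responses that were
# actually served over HTTPS; the HTTP -> HTTPS redirect carries none.
class HstsRedirect
  STS_VALUE = "max-age=31536000; includeSubDomains".freeze

  def initialize(app, hsts: STS_VALUE)
    @app = app
    @hsts = hsts
  end

  def call(env)
    if secure?(env)
      # Secure request: pass through and attach the HSTS policy.
      status, headers, body = @app.call(env)
      [status, headers.merge("Strict-Transport-Security" => @hsts), body]
    else
      # Non-secure request: redirect only. Deliberately no STS header here,
      # since a client must ignore it over HTTP and a server must not send it.
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
      [301, { "Location" => location, "Content-Type" => "text/plain" }, []]
    end
  end

  private

  # Rack sets rack.url_scheme from the actual transport; trusting a
  # forwarded-proto header instead would be a separate, proxy-specific decision.
  def secure?(env)
    env["rack.url_scheme"] == "https"
  end
end

# Constructed sample requests (assumption: no real server is involved).
def build_env(scheme, host: "example.test", path: "/login", query: "")
  {
    "rack.url_scheme" => scheme,
    "HTTP_HOST" => host,
    "PATH_INFO" => path,
    "QUERY_STRING" => query
  }
end

# Trivial downstream app standing in for the Rails application.
APP = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Returns the [status, headers, body] triple for a single request.
def run_request(scheme, **opts)
  HstsRedirect.new(APP).call(build_env(scheme, **opts))
end

if __FILE__ == $0
  status, headers, = run_request("http")
  puts "HTTP  -> #{status} #{headers['Location']} STS=#{headers['Strict-Transport-Security'].inspect}"
  status, headers, = run_request("https")
  puts "HTTPS -> #{status} STS=#{headers['Strict-Transport-Security'].inspect}"
end
```

The check worth keeping from this is the one in the redirect branch: whatever the middleware decides about redirecting, the STS header should only ever be written on the HTTPS side of the request, since browsers discard it on plain HTTP anyway and the spec forbids sending it there.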