I see that createApp sets the Strict-Transport-Security header to 'max-age=15552000; includeSubDomains'

Is there a reason it is 15552000 rather than the usual best practice value of 31536000?

I tried to set the header though express but the value from Foal persists and I don't think there is another way to override it?

I'd be happy to create a PR to change it, but I'm not sure if there is a reason that wouldn't be a good idea.