FortiADC
Khidzir_MN (Staff)
Article Id 228500
Description

This article describes how to add includeSubDomains and/or set max-age on the HTTP Strict Transport Security (HSTS) header. It focuses only on the Content Rewriting setup needed to add or modify that header.

Other Virtual Server settings may need to be configured first; refer to the documentation linked at the end of this article for configuring a Virtual Server.

Scope

FortiADC and FortiADC VM.
Solution

Use this procedure when the requirement is to return an HSTS header to clients with includeSubDomains and/or a specific max-age, for example because the real server sends no HSTS header or sends one with a different value.

 

From GUI:

 

Create Content Rewriting as below:

 

1) Add HSTS header with includeSubDomains and/or set max-age.

 

- Go to the Server Load Balance -> Virtual Server -> Content Rewriting (tab).


- Select 'Create New'. Provide the preferred Name. In this example, 'add-strict-transport-security' is used as the name.


- For Action Type, select Response and for Action, select Add HTTP Header.


- Under the Specifics section, for Header Name input 'Strict-Transport-Security' and for the Header Value input 'max-age=31536000; includeSubDomains'.

Note that in this example 31536000 is used as the max-age value; set the value according to the requirement. max-age is expressed in seconds (31536000 is one year), and browsers cache the policy for that long, so start with a shorter value when first rolling it out. Browsers only honor HSTS received over HTTPS, so apply the rule to the HTTPS Virtual Server. includeSubDomains commits every subdomain of the host to HTTPS as well, so confirm that all subdomains serve valid TLS before enabling it.


- Select 'Save'.

 

[Screenshot: Content rewriting add HSTS header]

 

2) Delete HSTS header (optional).

(This may be needed if the real server already includes an HSTS header; otherwise the response would carry two Strict-Transport-Security headers, the server's and the one added in Step 1.)

 

- Go to the Server Load Balance -> Virtual Server -> Content Rewriting (tab).


- Select Create New. Provide the preferred Name. In this example, 'del-strict-transport-security' is used as the name.


- For Action Type, select Response, and for Action, select Delete HTTP Header.


- Under the Specifics section, for Header Name input 'Strict-Transport-Security' and leave other settings as default.


- Select 'Save'.

 

[Screenshot: Content rewriting delete HSTS header]

 

Apply the Content Rewriting rules created in Steps 1 and 2 to the respective Virtual Server.
(Note that the 'delete' content rewriting needs to be above the 'add' content rewriting: rules are applied in list order, so a 'delete' placed after the 'add' would remove the header that was just inserted.)

 

[Screenshot: VS content rewriting]

 

From CLI:

 

Create Content Rewriting as below:

 

1) Add HSTS header with includeSubDomains and/or set max-age

 

# config load-balance content-rewriting
    edit "add-strict-transport-security"
        set action-type response
        set action add_http_header
        set header-name Strict-Transport-Security
        set header-value "max-age=31536000; includeSubDomains"
        config match-condition
        end
    next
end

 

2) Delete the HSTS header (optional).

(This may be needed if the real server already includes the HSTS header.)

# config load-balance content-rewriting
    edit "del-strict-transport-security"
        set action-type response
        set action delete_http_header
        set header-name Strict-Transport-Security
        config match-condition
        end
    next
end

 

Apply the Content Rewriting rules created in Steps 1 and 2 to the respective Virtual Server.

(Note that the 'delete' content rewriting needs to be in front of the 'add' content rewriting in content-rewriting-list: rules are applied in list order, so a 'delete' placed after the 'add' would remove the header that was just inserted.)

 

# config load-balance virtual-server
    edit "virtual_server_name"
        set content-rewriting enable
        set content-rewriting-list del-strict-transport-security add-strict-transport-security
    next
end

 

Verification:

 

Before adding the HSTS header:

[Screenshot: HSTS header before content rewriting]

After adding the HSTS header:

[Screenshot: HSTS header after content rewriting]
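As an added verification example (not part of the Fortinet article), the following shell script checks the Strict-Transport-Security header returned by the Virtual Server the way a practitioner would with curl -sI, but with constructed response headers so it runs offline. The host name vs.example.com in the comment is a placeholder, and the required minimum max-age (31536000) is the value used in this article. Besides the before/after cases, it catches the two misconfigurations this procedure can produce: no header at all (the 'add' rule is not in the Virtual Server's list) and a duplicated header (the real server already sends HSTS and the 'delete' rule is missing or ordered after the 'add').

```shell
#!/bin/sh
# Added example, not from the Fortinet article: verify the HSTS header a
# FortiADC Virtual Server returns. Against a live VS you would run
#   curl -sI https://vs.example.com/ | check_hsts 31536000
# (vs.example.com is a placeholder). Below, response headers are constructed
# inline so the script runs offline.

# check_hsts MIN_MAX_AGE   (reads raw HTTP response headers on stdin)
# Returns 0 when exactly one Strict-Transport-Security header is present,
# its max-age is >= MIN_MAX_AGE and includeSubDomains is set; otherwise
# prints the reason and returns 1.
check_hsts() {
    min_age="$1"
    hdrs=$(tr -d '\r')                      # drop CR from CRLF line endings
    # Header names are case-insensitive (RFC 7230); match accordingly.
    hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' || true)
    count=$(printf '%s\n' "$hsts" | grep -c . || true)

    if [ "$count" -eq 0 ]; then
        echo "FAIL: no Strict-Transport-Security header (is the 'add' rule in the VS content-rewriting-list?)"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        # Two copies: the real server already sends HSTS and the 'delete'
        # rule is missing or ordered after the 'add' rule.
        echo "FAIL: $count Strict-Transport-Security headers; put the 'delete' rule before the 'add' rule"
        return 1
    fi

    value=$(printf '%s' "${hsts#*:}" | sed 's/^[[:space:]]*//')
    # Directive names are case-insensitive (RFC 6797); max-age is in seconds.
    age=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ]; then
        echo "FAIL: max-age directive missing or not numeric in '$value'"
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$age is below the required $min_age"
        return 1
    fi
    if ! printf '%s' "$value" | grep -qi 'includesubdomains'; then
        echo "FAIL: includeSubDomains missing in '$value'"
        return 1
    fi
    echo "OK: $value"
    return 0
}

# Constructed responses standing in for 'curl -sI' output, before and after
# the content-rewriting rules are applied to the Virtual Server.
before='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

after='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# Real server still sends its own weaker HSTS header and the 'delete' rule
# is absent or ordered after the 'add' rule.
duplicate='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Strict-Transport-Security: max-age=31536000; includeSubDomains'

# Each call prints its verdict; a FAIL verdict is the expected result for
# the 'before' and 'duplicate' cases, hence '|| true'.
printf '%s\n' "$before"    | check_hsts 31536000 || true
printf '%s\n' "$after"     | check_hsts 31536000 || true
printf '%s\n' "$duplicate" | check_hsts 31536000 || true
```

The check deliberately counts headers rather than just looking for one, because the symptom of a misordered or missing 'delete' rule is a second Strict-Transport-Security line, which a plain grep for the expected value would not reveal.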

 

Related Virtual Server configuration document:

https://docs.fortinet.com/document/fortiadc/7.1.1/handbook/970956/configuring-virtual-servers

 

Related HSTS document:

https://docs.fortinet.com/document/fortiadc/7.1.1/handbook/172527/hsts-and-hpkp-support
