max-age directive defines the time, in seconds, for which the browser should remember that the site is only to be accessed over HTTPS.
includeSubDomains directive defines whether the rule applies to all of the site's subdomains as well.
preload directive signals that the site wants to be included in the browsers' HSTS preload list, so that it is accessed over HTTPS even on the very first visit. Without preloading, a user agent only learns that it must use HSTS after a first visit (possibly over plaintext HTTP) that returned the header. To close that gap, browsers ship with a built-in list of hosts that must be accessed over HTTPS from the initial request.
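The three directives above, as an added example that is not part of the original page: a minimal model of how a user agent parses a Strict-Transport-Security header (RFC 6797 grammar), stores the resulting policy, and decides whether a later request must be upgraded, plus the header-level checks the public preload list requires (max-age of at least one year, includeSubDomains and preload). Function names, the in-memory `store` and the sample header values are this example's own.

```javascript
// Added example, not from the page: a toy HSTS policy store in the style of a user agent.
const ONE_YEAR_SECONDS = 31536000;

// Parse the header value. Returns null when the UA must ignore the header:
// missing or invalid max-age, or any directive repeated (RFC 6797 section 6.1).
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of headerValue.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value !== null) value = value.replace(/^"(.*)"$/, "$1"); // quoted-string form is allowed
    if (seen.has(name)) return null;
    seen.add(name);
    if (name === "max-age") {
      if (value === null || !/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true;
    }
    // Unrecognised directives are ignored so the header can be extended later.
  }
  return policy.maxAge === null ? null : policy;
}

// Remember (or forget, for max-age=0) the policy for an exact host name.
function recordPolicy(store, host, policy, receivedAtMs) {
  const key = host.toLowerCase();
  if (policy.maxAge === 0) {
    store.delete(key);
    return;
  }
  store.set(key, {
    expiresAtMs: receivedAtMs + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains,
  });
}

// A request must be upgraded if the host itself has an unexpired policy, or a
// superdomain has one that was recorded with includeSubDomains.
function mustUseHttps(store, host, nowMs) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = store.get(labels.slice(i).join("."));
    if (!entry || entry.expiresAtMs <= nowMs) continue; // unknown or expired
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// Header-level preload requirements; certificate and redirect checks are out of scope here.
function preloadIssues(policy) {
  if (!policy) return ["no valid Strict-Transport-Security header"];
  const issues = [];
  if (policy.maxAge < ONE_YEAR_SECONDS) issues.push(`max-age ${policy.maxAge} is below ${ONE_YEAR_SECONDS} (one year)`);
  if (!policy.includeSubDomains) issues.push("includeSubDomains is missing");
  if (!policy.preload) issues.push("preload is missing");
  return issues;
}

// Constructed demonstration input.
const demoStore = new Map();
recordPolicy(demoStore, "example.com", parseHsts("max-age=300; includeSubDomains"), 0);
console.log(mustUseHttps(demoStore, "api.example.com", 100 * 1000)); // true: subdomain covered
console.log(mustUseHttps(demoStore, "api.example.com", 300 * 1000)); // false: policy expired
console.log(preloadIssues(parseHsts("max-age=300")));               // three issues
```

The superdomain walk in mustUseHttps is why includeSubDomains matters: a policy on example.com without it leaves api.example.com open to a first plaintext request, and the max-age clock restarts on every response that carries the header.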
DENY: the page cannot be displayed in a frame
SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself (whether that means only the top-level document or every ancestor frame in the chain has depended on how browser vendors interpret it).
ALLOW-FROM uri: obsolete directive. Modern browsers ignore it, so it provides no protection; the Content-Security-Policy frame-ancestors directive is the replacement.
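The framing decision for the three directives above, as an added example that is not part of the original page: given a response's X-Frame-Options value and the URLs of its ancestor frames (top-level document first), decide whether a browser renders it. The default follows the HTML standard's check, which compares every ancestor's origin; the `topLevelOnly` option switches to the older interpretation that looked only at the top-level document. Function names and the sample URLs are this example's own.

```javascript
// Added example, not from the page: X-Frame-Options evaluation in the style of the HTML spec.

// Split a possibly multi-valued header (e.g. set by two layers), lower-case
// each value, and drop duplicates.
function parseXfo(headerValue) {
  const values = headerValue.split(",").map((v) => v.trim().toLowerCase()).filter(Boolean);
  return [...new Set(values)];
}

// Origin tuple as a string: scheme, host and (non-default) port.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns true if the response may be rendered in the described frame.
function mayBeFramed(headerValue, responseUrl, ancestorUrls, { topLevelOnly = false } = {}) {
  if (ancestorUrls.length === 0) return true; // not framed at all; the header is irrelevant
  const values = parseXfo(headerValue);
  if (values.length === 0) return true;        // empty header: no restriction
  if (values.length > 1) {
    // Conflicting values: blocked if any of them is a framing directive.
    return !values.some((v) => v === "deny" || v === "sameorigin" || v === "allowall");
  }
  const [directive] = values;
  if (directive === "deny") return false;
  if (directive === "sameorigin") {
    const self = originOf(responseUrl);
    const chain = topLevelOnly ? [ancestorUrls[0]] : ancestorUrls;
    return chain.every((u) => originOf(u) === self);
  }
  // "allow-from <uri>" and any other unrecognised value are not enforced by
  // modern browsers: the response renders as if no header had been sent.
  return true;
}

// Constructed demonstration: same-origin top frame, hostile intermediate frame.
const chain = ["https://app.example/", "https://evil.example/embed"];
console.log(mayBeFramed("SAMEORIGIN", "https://app.example/account", chain));                       // false
console.log(mayBeFramed("SAMEORIGIN", "https://app.example/account", chain, { topLevelOnly: true })); // true
console.log(mayBeFramed("ALLOW-FROM https://partner.example", "https://app.example/account", chain)); // true
```

The second and third calls are the practical point: a SAMEORIGIN check that inspects only the top-level document can be bypassed by nesting the target inside a frame the attacker controls on a same-origin page, and ALLOW-FROM is simply ignored, so the response is framed by anyone.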
nosniff directive makes the browser block a request if the request destination is of type style and the MIME type is not text/css, or of type
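The blocking rule above, as an added example that is not part of the original page: the Fetch-standard decision of whether a response is blocked because of X-Content-Type-Options: nosniff, given the request destination. Beyond the style case stated in the text it also covers script-like destinations (script, worker, sharedworker, serviceworker and the worklets), which the standard handles the same way against the JavaScript MIME types; that extension, the function names and the header objects with lower-cased header names are this example's own.

```javascript
// Added example, not from the page: "should response to request be blocked due to nosniff?"

// JavaScript MIME types as listed by the MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Destinations that load script (the style destination is handled separately).
const SCRIPT_LIKE_DESTINATIONS = new Set([
  "script", "worker", "sharedworker", "serviceworker", "audioworklet", "paintworklet",
]);

// nosniff is honoured only when it is the first header value, compared
// ASCII case-insensitively.
function nosniffEnabled(headers) {
  const raw = headers["x-content-type-options"];
  if (raw === undefined) return false;
  return raw.split(",")[0].trim().toLowerCase() === "nosniff";
}

// MIME essence (type/subtype, no parameters, lower-cased); null if absent or malformed.
function mimeEssence(headers) {
  const raw = headers["content-type"];
  if (raw === undefined) return null;
  const essence = raw.split(";")[0].trim().toLowerCase();
  return /^[^\/\s;]+\/[^\/\s;]+$/.test(essence) ? essence : null;
}

// Returns a reason string when the response must be blocked, or null when it loads.
function nosniffBlockReason(headers, destination) {
  if (!nosniffEnabled(headers)) return null;
  const essence = mimeEssence(headers);
  if (SCRIPT_LIKE_DESTINATIONS.has(destination) && !(essence && JAVASCRIPT_MIME_TYPES.has(essence))) {
    return `destination ${destination} requires a JavaScript MIME type, got ${essence ?? "none"}`;
  }
  if (destination === "style" && essence !== "text/css") {
    return `destination style requires text/css, got ${essence ?? "none"}`;
  }
  return null; // other destinations are not subject to nosniff blocking
}

// Constructed demonstration headers (names lower-cased as a proxy would store them).
console.log(nosniffBlockReason({ "x-content-type-options": "nosniff", "content-type": "text/plain" }, "style"));
console.log(nosniffBlockReason({ "x-content-type-options": "nosniff", "content-type": "text/css; charset=utf-8" }, "style"));
console.log(nosniffBlockReason({ "content-type": "text/plain" }, "style")); // null: header absent, sniffing allowed
```

Note that a missing Content-Type counts as a mismatch once nosniff is set, so a server that sends stylesheets or scripts without a Content-Type will see them blocked rather than sniffed.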