Implications of Strict Transport Security (HSTS) max-age = 0

Question

When setting up HSTS in Cloudflare, I noticed that the default max-aged is set to 0.

To my understanding this default value kind of disables the HSTS. Which could be considered a misconfiguration and also be used to track users.

As I just found mentions of these issues and not clearer explanations, I wanted to ask:

1. Does setting max-age = 0 have the same effect as a constantly expiring max-age?

2. If 1 is true, what are the implications of constantly having a “first visit” HTTP requests before going over to HTTPS?

For 2 I am thinking of constant windows for MITM attacks. But would there be other risks? Implications like tracking are unclear and any explanation or further references would be great.

Answer 1

Based on my understanding of these extra resources about common mistakes, privacy, and general use of the header

Having a max-age = 0 will immediately expire the Strict-Transport-Security header, allowing but not forcing the traffic to go over HTTP.

This also helps with the 2nd part of my question as allowing HTTP access brings back numerous attack vectors like protocol downgrade, MITM, SSL-stripping, and potential privacy issues.

Note: I am not marking my own answer as correct as I think this helps me understand better the implication of a misconfigured header, but not entirely.