Always include a Strict-Transport-Security, even on error responses

This consists of two configuration changes and will allow the Mozilla
Observatory to see the HSTS header.  Previously, if a client does not
request an html content type then we return error JSON with a 404 on
`/`.

The first change is to add the `always` parameter which was added in
nginx 1.7.5.  This will include the header for all response status
codes.

The second change is to duplicate the add_header directive in both
blocks.  This surprised me, but the documentation states: "There could
be several add_header directives. These directives are inherited from
the previous level if and only if there are no add_header directives
define on the current level."

Author: jtgeibel

config/nginx.conf.erb

@@ -36,15 +36,16 @@ http {
 		listen <%= ENV["PORT"] %>;
 		server_name _;
 		keepalive_timeout 5;
-		add_header Strict-Transport-Security "max-age=31536000";
 
 		location ~ ^/assets/ {
+			add_header Strict-Transport-Security "max-age=31536000" always;
 			add_header Cache-Control public;
 			root dist;
 			expires max;
 		}
 
 		location / {
+			add_header Strict-Transport-Security "max-age=31536000" always;
 			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 			proxy_set_header Host $http_host;
 			proxy_redirect off;