Currently there is no reference to HSTS Security in eZ documentation.

Naturally, any site implementer may add his own headers to enforce this security layer, but it would be nice if we held some information on this.

imho, the improvement could either be
. document it as an example in a cookbook page that explains how to set up custom headers
. include certified support for it, in future releases