I'm not talking about CA system, which is obviously shitty and corruptioned. I'm talking about enforcing #HSTS (HTTP Scrict Transport Security) on application level, like enforcing it in PHP scripts (examples: GNU social, ownCloud). It forces header despite on user choice (and NO information how to disable it in both's documentation).