Most of the controls for STS seem to occur on the client end. Implementing looks to be a fairly simple iRule, inserting a header with appropriate options for your policy and limiting access to non-SSL resources on the client side. The problem is going to be handling non-compliant browsers. I know Chrome supports it already and FF4 will have it, but what about IE and the others? That's a large chunk of site visitors, so you would need a mechanism (a simple HTTP::respond with "Please use browser X, Y, Z" would work) to inform the users. It's always tricky to enforce adoption without losing users.
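As an added illustration of the iRule approach described in the comment above (example code written for this page, not the commenter's or F5's own), here is what the two halves look like: one iRule on the HTTPS virtual server that inserts the Strict-Transport-Security header, and one on the plain-HTTP virtual server that redirects to TLS. The split into two virtual servers, the one-year `max-age`, and `includeSubDomains` are assumptions to be adjusted to your policy.

```tcl
# Added example, not the commenter's or F5's own code. Assumes two virtual
# servers: one on port 443 with a client SSL profile (iRule 1) and one on
# port 80 (iRule 2). The max-age value is an assumption; tune it to policy.

# --- iRule 1: attach to the HTTPS virtual server ---
# Send the STS header only on responses delivered over TLS. Browsers that
# implement STS ignore the header when it arrives over plain HTTP anyway.
when HTTP_RESPONSE {
    # Don't add a second copy if a backend server already sets the header.
    if { not [HTTP::header exists "Strict-Transport-Security"] } {
        # 31536000 seconds = 1 year. Start with a short max-age (e.g. 300)
        # while testing: once a client has cached a long value, it keeps
        # forcing HTTPS until that value expires or you serve max-age=0.
        HTTP::header insert "Strict-Transport-Security" "max-age=31536000; includeSubDomains"
    }
}

# --- iRule 2: attach to the HTTP (port 80) virtual server ---
# A server-side redirect is what covers browsers that do not implement STS
# at all: they never act on the header, but every plain-HTTP request still
# lands on the TLS endpoint. Compliant browsers only need this redirect
# once; after that they rewrite http:// to https:// locally.
when HTTP_REQUEST {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" Connection "close"
}
```

Two caveats a practitioner would want: `includeSubDomains` commits every hostname under the domain to HTTPS, so leave it off until you are sure no subdomain is still served over plain HTTP; and because the redirect on port 80 handles non-STS browsers transparently, an informational `HTTP::respond` page is only needed if policy requires telling those users why they are being moved, not to make the enforcement work.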