Facebook seems to be doing some client sniffing to decide whether to set the headers..

In my browser (FF nightly), I see the HSTS header, with the value: "max-age=15552000; preload"

If I do a request with curl, no header... (which is probably what this app sees).

I don't have a clue why they are doing that, though. Not that curl would do something with the HSTS header anyway, but still...

Facebook has HSTS preload on www.facebook.com, but not on the redirect from facebook.com->www.facebook.com. I suppose they have their reasons

Google.com also doesn't seem to have it.

Google only uses a certificate pin and doesn't force SSL. Sadly.