I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to HTTP-only for a while. When setting up HSTS, most sources recommend rather long max-age values, on the order of 180 to 365 days. Some “SSL test” websites (Qualys, ImmuniWeb…) even go so far as to issue warnings about an HSTS max-age set to a value below 180 days.
Separately, while most paid certificates are issued for one year, certificates from Let's Encrypt are only valid for 90 days, which leads me to my question: Is there any reason why the HSTS max-age should be set to match the certificate’s validity period? (i.e. a 90-day max-age for a 90-day Let's Encrypt certificate, and a 365-day max-age for a one-year ExpensiveCA certificate.)
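To make the quantities in the question concrete, here is an added example (not part of the original post) that parses a `Strict-Transport-Security` header as RFC 6797 specifies, converts `max-age` from seconds to days, and reports it against the two yardsticks the question mentions: the 180-day threshold the scanners warn about, and a certificate lifetime such as 90 or 365 days. The function names (`parse_hsts`, `build_hsts`, `assess`) and the `SCANNER_MIN_DAYS` constant are this example's own; the 180-day figure and the certificate lifetimes are taken from the question.

```python
"""Relate an HSTS max-age to the 180-day scanner threshold and to a
certificate lifetime.  Added example; the header strings below are
constructed for illustration."""
import re
from dataclasses import dataclass

DAY = 86400
# Threshold below which the "SSL test" sites mentioned in the question warn.
SCANNER_MIN_DAYS = 180


@dataclass
class HstsPolicy:
    max_age: int            # seconds the UA must keep forcing HTTPS
    include_subdomains: bool
    preload: bool

    @property
    def max_age_days(self) -> float:
        return self.max_age / DAY


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the value of a Strict-Transport-Security header (RFC 6797 s6.1).

    Directive names are case-insensitive, max-age is required and its value
    may be a quoted-string, a directive repeated in one header makes the
    whole header invalid, and unrecognised directives are ignored.
    """
    seen: dict[str, str | None] = {}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, sep, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = value.strip() if sep else None

    raw_age = seen.get("max-age")
    if raw_age is None:
        raise ValueError("max-age directive is required")
    if len(raw_age) >= 2 and raw_age[0] == raw_age[-1] == '"':
        raw_age = raw_age[1:-1]          # strip quoted-string delimiters
    if not re.fullmatch(r"[0-9]+", raw_age):
        raise ValueError(f"max-age must be a non-negative integer: {raw_age!r}")
    for flag in ("includesubdomains", "preload"):
        if seen.get(flag) is not None:
            raise ValueError(f"{flag} takes no value")

    return HstsPolicy(
        max_age=int(raw_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def build_hsts(days: int, include_subdomains: bool = False, preload: bool = False) -> str:
    """Render a header value for a max-age given in whole days."""
    parts = [f"max-age={days * DAY}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def assess(header: str, cert_lifetime_days: int) -> dict:
    """Compare the header's max-age with the scanner threshold and a cert lifetime.

    max_lockout_days is how long after a visitor's last successful HTTPS visit
    the policy would still force HTTPS if the site had to fall back to HTTP,
    which is the trade-off the question describes.
    """
    days = parse_hsts(header).max_age_days
    if days < cert_lifetime_days:
        relation = "shorter than certificate lifetime"
    elif days == cert_lifetime_days:
        relation = "equal to certificate lifetime"
    else:
        relation = "longer than certificate lifetime"
    return {
        "max_age_days": days,
        "below_scanner_threshold": days < SCANNER_MIN_DAYS,
        "relative_to_cert": relation,
        "max_lockout_days": days,
    }


if __name__ == "__main__":
    # Constructed inputs: the two pairings the question asks about.
    for days, cert in ((90, 90), (365, 365), (180, 90)):
        hdr = build_hsts(days, include_subdomains=True)
        print(f"{hdr!r:55} -> {assess(hdr, cert)}")
```

Running it shows, for instance, that `max-age=7776000` (90 days) trips the scanners' 180-day warning even though it equals a 90-day certificate lifetime, while `max-age=31536000` (365 days) does not; the two quantities are computed independently so the comparison can be read off directly.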