HSTS is fairly easy to set up; at its core, it's an HTTP header. The only complexity is ensuring that forcing SSL won't cause anything to break that's depending on something not being encrypted. Sublevel used to have an HSTS header but it seems Lucian has removed it :( You're right about pinning being complicated to set up. You need 2 public keys to pin against; usually you pick 2 CAs you trust. It's very easy to break your website if you're not careful. I always set up HSTS but I'm not (yet?) pinning public keys due to the complexity.
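As an added example (not part of the comment above), a small Python checker for the two headers discussed: it parses Strict-Transport-Security and Public-Key-Pins values and flags the mistakes the comment warns about, a missing max-age and fewer than two pins. The sample header values and pin digests are constructed here; note that browsers have since dropped support for the Public-Key-Pins header, so the pinning check is mainly useful when reviewing older configurations.

```python
import base64
import hashlib

# Constructed sample values (not from the original comment): two made-up SPKI
# blobs hashed the way a pin-sha256 directive expects, current CA plus backup.
PIN_CURRENT = base64.b64encode(hashlib.sha256(b"constructed-current-ca-spki").digest()).decode()
PIN_BACKUP = base64.b64encode(hashlib.sha256(b"constructed-backup-ca-spki").digest()).decode()
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_HPKP = f'pin-sha256="{PIN_CURRENT}"; pin-sha256="{PIN_BACKUP}"; max-age=5184000'

def parse_directives(header: str) -> list:
    """Split a ';'-separated header value into (name, value) pairs; names are lower-cased, quotes stripped, repeats kept."""
    pairs = []
    for part in header.split(";"):
        if part.strip():
            name, _, value = part.strip().partition("=")
            pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs

def check_hsts(header: str) -> list:
    """Problems with a Strict-Transport-Security value (empty list = OK)."""
    max_age = dict(parse_directives(header)).get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["max-age missing or not an integer"]
    if int(max_age) == 0:
        return ["max-age=0 switches HSTS off for this host"]
    return []

def check_hpkp(header: str) -> list:
    """Problems with a Public-Key-Pins value: valid base64 SHA-256 pins, at least two distinct (one is the backup)."""
    problems, pins, has_max_age = [], set(), False
    for name, value in parse_directives(header):
        if name == "pin-sha256":
            try:
                valid = len(base64.b64decode(value, validate=True)) == 32
            except ValueError:  # binascii.Error is a ValueError subclass
                valid = False
            if valid:
                pins.add(value)
            else:
                problems.append(f"pin is not a base64 SHA-256 digest: {value!r}")
        elif name == "max-age":
            has_max_age = value.isdigit()
    if len(pins) < 2:
        problems.append("fewer than two distinct pins; a backup pin is required")
    if not has_max_age:
        problems.append("max-age missing or not an integer")
    return problems
```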