This question is similar to Are Duplicate HTTP Response Headers acceptable? but goes a step further.
I have observed a webserver in our staging environment that returns the following headers (output has been truncated for clarity):
strict-transport-security: max-age=1
Strict-Transport-Security: max-age=31536000; includeSubDomains
My question is: in the face of conflicting header values, which takes precedence?
Since the RFC states that multiple values must be chainable, this functionality seems undefined as the values are not chainable (since they are conflicting) yet the browser does not return an error.
As it turns out, even though Chrome does not alert me to it, the header above is listed as INVALID and thus no HSTS policy is applied whatsoever.
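For anyone who wants to see concretely why a response like the one above ends up with no policy, here is an added example (it is not part of the question and not any browser's code) that parses a Strict-Transport-Security field value per the directive grammar in RFC 6797 section 6.1 and then applies it to the two header fields from the question under two policies: "first" (RFC 6797 section 8.1, which tells a UA that receives more than one STS header field to process only the first one) and "joined" (the two fields folded into one comma-separated value before parsing, a common way HTTP libraries hand duplicate headers to callers). The names `parse_hsts`, `hsts_policy` and `HstsPolicy` are assumptions made for the illustration, and `QUESTION_HEADERS` is simply the two values from the question.

```python
"""Added example: RFC 6797 style parsing of Strict-Transport-Security.

parse_hsts, hsts_policy and HstsPolicy are illustrative names, not any
browser's real API. QUESTION_HEADERS reproduces the two field values shown
in the question (the header name is case-insensitive, so both lines are the
same header).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

DELTA_SECONDS = re.compile(r"[0-9]+")  # max-age value must be 1*DIGIT


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse ONE STS field value (RFC 6797 section 6.1).

    Returns None when the value is invalid: a directive is repeated, max-age
    is missing or malformed, or includeSubDomains carries a value.
    Unrecognised directives (e.g. preload) are ignored as the RFC requires.
    """
    seen: set = set()
    max_age: Optional[int] = None
    include_subdomains = False
    # Directives are separated by ';' only; a comma is NOT a separator here.
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # the ABNF permits empty directives such as a trailing ';'
        name, _, val = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of a directive value
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not DELTA_SECONDS.fullmatch(val):
                return None  # e.g. "1, max-age=31536000" is not delta-seconds
            max_age = int(val)
        elif name == "includesubdomains":
            if val:
                return None  # includeSubDomains is valueless
            include_subdomains = True
    if max_age is None:
        return None  # max-age is REQUIRED
    return HstsPolicy(max_age, include_subdomains)


def hsts_policy(header_fields: List[str], mode: str = "first") -> Optional[HstsPolicy]:
    """Effective policy for all STS header fields seen in one response.

    mode="first":  RFC 6797 section 8.1, process only the first field.
    mode="joined": fold the fields into one list value before parsing.
    """
    if not header_fields:
        return None
    if mode == "first":
        return parse_hsts(header_fields[0])
    if mode == "joined":
        return parse_hsts(", ".join(header_fields))
    raise ValueError(f"unknown mode {mode!r}")


# The two field values from the question, constructed here as sample input.
QUESTION_HEADERS = ["max-age=1", "max-age=31536000; includeSubDomains"]

if __name__ == "__main__":
    for mode in ("first", "joined"):
        print(f"{mode:>6}: {hsts_policy(QUESTION_HEADERS, mode)}")
```

Under "first" the response yields a one-second policy with no includeSubDomains, i.e. the weak staging header wins; under "joined" the folded value `max-age=1, max-age=31536000; includeSubDomains` fails to parse (the comma makes the first max-age value malformed, and a parser that did treat the comma as a separator would instead hit the duplicate-directive rule), so no policy is applied at all, which matches what was observed in Chrome. Either way the only reliable fix on the server side is to make sure exactly one Strict-Transport-Security header is emitted, which is also an easy thing to assert in a staging smoke test.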