What Is HSTS and How Do I Enable It?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS, even if a user types http:// or clicks an old link. It closes the small window an attacker could use to downgrade a connection.
Why HSTS matters
Without HSTS, the very first request a browser makes can go over plain HTTP before any redirect fires. On a hostile network that first request can be intercepted. HSTS removes that window by making the browser rewrite every request to HTTPS for a set period.
How to enable it
Send the Strict-Transport-Security header, for example: max-age=63072000; includeSubDomains; preload. The max-age is in seconds (two years is common). Add includeSubDomains only once every subdomain genuinely serves HTTPS, or you will lock out any that do not.
The preload list
Browsers ship a built-in list of domains that are HTTPS-only from the very first visit. Submitting to it requires a valid two-year max-age, includeSubDomains, and the preload token. Removal is slow, so only preload when you are confident every subdomain supports HTTPS.