How can I activate HSTS?
The HTTP Strict-Transport-Security (often abbreviated as HSTS) response header allows a website to tell browsers that it can only be accessed using HTTPS, rather than HTTP.
You can enable it by adding the following line to your .htaccess file:
Header set Strict-Transport-Security "max-age=5184000; includeSubDomains; preload"
The max-age value is the number of seconds browsers should cache the policy; the 5184000 above works out to 60 days.
Note that if you set this header, the site will only load over HTTPS.
For example, while people can normally click through a browser warning about a name mismatch or expired certificate, browsers do not allow that click-through for hostnames with an active HSTS policy. It also means that if you ever move the site to a web hosting provider that does not support HTTPS, or if you wish to remove the certificate, browsers that have cached the policy will refuse to load the site over plain HTTP and it will be unavailable to them until the cached max-age expires.
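The following is an added example, not part of the original FAQ, showing how to parse and sanity-check a Strict-Transport-Security header before (or after) deploying the .htaccess line above. It implements the RFC 6797 directive syntax (max-age is mandatory; directive names are case-insensitive) and the publicly documented preload-list requirements (max-age of at least one year, includeSubDomains and preload both present), so it flags that the 60-day value in the FAQ is fine for ordinary HSTS but too short to be accepted for preloading. The header strings and the response-header dictionary at the bottom are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECONDS_PER_DAY = 86400
# Published preload submission requirements (hstspreload.org): max-age >= 1 year,
# includeSubDomains and preload directives both present.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    # Syntax problems that would make a browser ignore the header entirely
    problems: List[str] = field(default_factory=list)

    @property
    def max_age_days(self) -> Optional[float]:
        return None if self.max_age is None else self.max_age / SECONDS_PER_DAY


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value into an HstsPolicy."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            # RFC 6797: a directive must not appear more than once
            policy.problems.append(f"duplicate directive {name!r}")
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored by browsers, so they are not errors
    if policy.max_age is None:
        policy.problems.append("max-age missing: browsers ignore the header")
    return policy


def check_policy(policy: HstsPolicy) -> List[str]:
    """Return human-readable findings about a parsed policy (empty = no concerns)."""
    findings = list(policy.problems)
    if policy.max_age == 0:
        findings.append("max-age=0 removes any cached policy; HSTS is effectively off")
    if policy.preload:
        if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(
                f"preload requested but max-age {policy.max_age}s "
                f"({policy.max_age_days:.0f} days) is below the 1-year minimum"
            )
        if not policy.include_subdomains:
            findings.append("preload requested but includeSubDomains is missing")
    return findings


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Look up the STS header case-insensitively in a response and check it."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return check_policy(parse_hsts(value))
    return ["no Strict-Transport-Security header present"]


if __name__ == "__main__":
    # Constructed sample: the exact value from the .htaccess line in the FAQ
    sample_headers = {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=5184000; includeSubDomains; preload",
    }
    for finding in audit_response_headers(sample_headers):
        print("-", finding)
```

One deployment detail worth knowing when you copy the .htaccess line: Apache's plain `Header set` only applies to successful (2xx) responses, so error pages and redirects go out without the header; `Header always set` applies it to every response, which is what the preload checkers expect.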