What is the Strict-Transport-Security header
Strict Transport Security (HSTS) is a response header that tells the browser never to load a site over plain HTTP: once the browser has seen the policy, it rewrites http:// requests to https:// before sending them, which protects users against downgrade attacks that try to force a plaintext connection. With a correct HSTS configuration, and inclusion in the browser preload list, only a secure connection is used even on the very first visit to the site. The site must be reachable over HTTPS and its SSL/TLS certificate must be installed without errors, because on an HSTS host the browser will not let the user click through a certificate warning.
Basic directives
max-age - tells the browser for how many seconds it must remember that the site is reachable only over HTTPS; the policy expires when this time runs out.
includeSubDomains - applies the HSTS policy not only to the main domain but to all of its subdomains.
preload - signals that the site has been submitted to the browser HSTS Preload List (the list requires this directive, includeSubDomains and a max-age of at least one year).
Using HSTS in nginx.conf (NGINX):
# "always" sends the header on error responses too, not only on 2xx/3xx (nginx 1.7.5+)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Using HSTS in httpd.conf (Apache):
# "always" sends the header on error responses as well
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Using HSTS in .htaccess:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
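As an added example (not code from this page), a small Python auditor that parses a Strict-Transport-Security header the way a browser does (RFC 6797 syntax: semicolon-separated, case-insensitive directive names, optional quoted values, duplicates invalid) and reports the weak settings a reviewer looks for in the directive list and the server configurations above. The 31536000-second threshold is the one-year minimum the browser preload list requires; the function names are my own.

```python
"""Parse and audit a Strict-Transport-Security header (RFC 6797 syntax)."""
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age the browser preload list accepts

def parse_hsts(value):
    """Return {directive_name: value_or_None}; raise ValueError on malformed input.

    Directive names are case-insensitive; a name appearing twice makes the header invalid.
    Values may be quoted; unknown directives are kept so an audit can still report them.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate an empty trailing token such as "...; preload;"
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    return directives

def audit_hsts(value, min_age=PRELOAD_MIN_AGE):
    """Return a list of findings; an empty list means the policy passes every check."""
    findings = []
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    if "max-age" not in d:
        return ["max-age is required; browsers ignore the header without it"]
    if d["max-age"] is None or not re.fullmatch(r"\d+", d["max-age"]):
        return ["max-age must be a non-negative integer"]
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 clears the policy; HSTS is effectively disabled")
    elif age < min_age:
        findings.append(f"max-age {age} is below {min_age} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be loaded over HTTP")
    if "preload" in d and ("includesubdomains" not in d or age < PRELOAD_MIN_AGE):
        findings.append("preload set but the preload list requires includeSubDomains and max-age >= 31536000")
    return findings

if __name__ == "__main__":
    # Constructed sample values: the nginx header from above and a weak one.
    for h in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(h, "->", audit_hsts(h) or "OK")
```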