HTTP Strict Transport Security (HSTS) is a web security policy, carried in the Strict-Transport-Security response header (RFC 6797), that tells browsers to reach a site only over HTTPS. Once a browser has seen the header on a response delivered over HTTPS, it rewrites any plain http:// request to that host into https:// before the request leaves the machine, for as long as the policy's max-age lasts, and it no longer lets the user click through certificate errors for that host. The header is only honoured when it arrives over HTTPS; a browser ignores it on a plain HTTP response.
HSTS syntax is:
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
max-age
The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. The timer restarts each time the browser sees the header; max-age=0 tells the browser to delete the policy it has stored for the host.
includeSubDomains Optional
If this optional parameter is specified, the rule applies to all of the site's subdomains as well, including internal or forgotten ones; every subdomain must therefore be reachable over HTTPS with a valid certificate, or browsers will refuse to load it.
The recommended value for the HSTS header according to https://hstspreload.org/ is:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
The preload directive does not by itself put a site on any list, and it is not defined in RFC 6797; it is the marker https://hstspreload.org/ looks for. Inclusion in the Chromium preload list, which Chrome, Edge, Firefox, Safari and Opera all consume, additionally requires a max-age of at least 31536000 (one year), includeSubDomains, a redirect from HTTP to HTTPS on the domain, and a manual submission on that site. Preloading is effectively permanent, because removal takes months to reach users' browsers, so submit only once every subdomain serves HTTPS.
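As an added example (not code from the original page), the Python below models the browser side of the policy described above together with the header checks hstspreload.org applies: it parses the header as RFC 6797 prescribes, keeps a small per-host store with expiry, upgrades http:// URLs for known hosts and, with includeSubDomains, their subdomains, and reports why a header would fail the preload requirements. The hostnames and header values in the demo are constructed.

```python
"""Browser-side model of HSTS (RFC 6797) plus a preload-eligibility check.
Added example, not code from the page; hosts and headers below are constructed."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 6.1): directive names
    are case-insensitive, max-age is mandatory, unknown directives are ignored,
    a repeated directive invalidates the header. None means "no policy"."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in header.split(";"):
        if not raw.strip():
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        value = value.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """The known-HSTS-host store a browser keeps between visits."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry time, include_subdomains)

    def observe(self, host, header, over_https, now):
        """Record one response's policy. A header on a plain-HTTP response is
        ignored (RFC 6797 8.1); max-age=0 deletes the stored entry."""
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (now + policy.max_age, policy.include_subdomains)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live entry.
        Matching is by DNS label, so notexample.com never matches example.com."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """The upgrade a browser applies before a request leaves: http:// becomes
        https:// for known hosts, port 80 becomes 443, other ports are kept
        (RFC 6797 8.3). Anything else is returned unchanged."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host, now):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return parts._replace(scheme="https", netloc=netloc).geturl()


def preload_problems(header: str) -> List[str]:
    """Why the header itself would fail hstspreload.org; [] means it passes.
    Site-level rules (valid certificate, HTTP-to-HTTPS redirect, header on
    every HTTPS response) are outside this check."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("example.com", "max-age=63072000; includeSubDomains; preload", True, now=0)
    for url in ("http://example.com/login", "http://www.example.com/", "http://notexample.com/"):
        print(url, "->", cache.rewrite(url, now=1))
    print(preload_problems("max-age=300") or "preload-eligible header")
```

The label-based lookup in is_known is the part worth copying: a naive suffix match on the string would let a policy for example.com leak onto notexample.com, and the i == 0 test is what keeps a policy without includeSubDomains from covering its children.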
To Implement HSTS for your site:
1. Log into your web hosting account and edit or create a .htaccess file.
2. Add the following lines to the .htaccess file and save it.
<IfModule mod_headers.c>
# "always" also covers error and redirect responses; env=HTTPS keeps the header off plain-HTTP responses.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
Apache now sends the HSTS header on every HTTPS response for the main domain, errors and redirects included, and browsers will apply it to every subdomain, so make sure each subdomain actually serves HTTPS before doing this. The env=HTTPS condition keeps the header off plain-HTTP responses, where browsers ignore it anyway; if TLS terminates at a load balancer or CDN and Apache only ever sees HTTP, that variable is not set and the header has to be added at the terminating proxy instead. The directive does nothing unless mod_headers is loaded and the server's AllowOverride lets .htaccess files set headers; with access to the virtual host configuration, the same line belongs in the HTTPS VirtualHost block. The one-year max-age shown here is the minimum hstspreload.org accepts; the two-year value recommended above is equally valid.
3. Submit your site to the Chromium HSTS preload list at https://hstspreload.org/ (the same list feeds Chrome, Edge, Firefox, Safari and Opera). The form checks the requirements listed above before accepting the domain, so fix any reported problems first.
To test the HSTS header (and other response headers) use https://securityheaders.com/, or inspect the raw response headers yourself: Strict-Transport-Security must appear on HTTPS responses, including redirects and error pages, and the http:// version of the site should redirect to https://.