HSTS
HSTS: HTTP Strict Transport Security
HSTS forces browsers to use HTTPS, preventing downgrade attacks.
HSTS forces HTTPS.
## Header
Strict-Transport-Security: max-age=31536000; includeSubDomains
## Nginx
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
## Important
- Only enable after HTTPS works
- Start with short max-age for testing
- Add preload only after testing
## Header
Strict-Transport-Security: max-age=31536000; includeSubDomains
## Nginx
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
## Important
- Only enable after HTTPS works
- Start with short max-age for testing
- Add preload only after testing