How to Enable HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a response header with which a website tells the browser that, for a stated period, the site must only be reached over HTTPS. Once the browser has seen the header on an HTTPS response, it rewrites any http:// URL for that domain to https:// before the request leaves the machine (typed URLs, links and redirects alike), and it no longer lets the user click through certificate errors for that domain. The policy takes effect only after the first HTTPS visit: a browser that has never loaded the site over HTTPS has not learned it yet.
You can enable the HSTS header by adding the following to a .htaccess file in your app's web root directory (public). This requires Apache with mod_headers loaded and an AllowOverride setting that permits FileInfo for that directory, which is what the Header directive needs:
# Using this header, any browser that accesses the site over HTTPS will not
# be able to access the plain HTTP site for one year (31536000 seconds).
# Once you begin using this, you should not stop serving HTTPS on your site,
# or else your returning visitors will not be able to access your site at all
# until the max-age they stored has expired.
# The env=HTTPS condition sends the header only on HTTPS responses; browsers
# ignore it on plain HTTP responses anyway.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
HSTS by itself does not force users onto HTTPS: the browser only learns the policy from an HTTPS response, so a first-time visitor (or a returning one whose stored max-age has expired) still arrives over plain HTTP. If you want to force users to HTTPS, you will still need to redirect from HTTP to HTTPS.
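The following is a complete .htaccess that combines both steps, the HTTP to HTTPS redirect and the HSTS header. It is an added example, not configuration from the original page or from the hosting product it describes. It assumes Apache with mod_rewrite and mod_headers loaded, AllowOverride permitting FileInfo, and TLS terminated by Apache itself (mod_ssl), which is what sets the HTTPS variable the conditions below rely on.

```apache
# Added example (not from the original page): redirect plain HTTP to HTTPS,
# then send HSTS only on HTTPS responses.
# Assumes mod_rewrite and mod_headers are loaded and AllowOverride permits
# FileInfo for this directory; assumes TLS is terminated by Apache (mod_ssl).

RewriteEngine On

# 1. Redirect every plain-HTTP request to the same host and path over HTTPS.
#    %{HTTPS} is "on" only for TLS connections handled by mod_ssl.
#    A permanent (301) redirect lets browsers cache the upgrade too.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Send HSTS on the HTTPS side only (env=HTTPS). Browsers must ignore the
#    header on plain-HTTP responses, so sending it there gains nothing.
#    While testing, use a short max-age (for example 300) so a mistake does
#    not lock visitors out for a year; raise it once everything works.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

# Optional: extend the policy to every subdomain. Only enable this once every
# subdomain (including ones that are not web apps) is reachable over HTTPS.
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
```

If TLS is instead terminated by a load balancer or reverse proxy in front of Apache (a deployment assumption, not something the page states), mod_ssl is not involved, so neither %{HTTPS} nor the HTTPS environment variable is set and both directives above would misfire: the redirect would loop and the header would never be sent. In that setup, test the forwarded scheme instead, with `RewriteCond %{HTTP:X-Forwarded-Proto} !=https` in place of the %{HTTPS} condition and `SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on` above the Header line so that env=HTTPS still applies. Do this only if the proxy overwrites any X-Forwarded-Proto header supplied by the client; otherwise a client can spoof the scheme and bypass the redirect.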