The application should set the Strict-Transport-Security header with secure values. You just need to increase the max-age value and add the
A secure header will look like this:
The max-age value is set to 6 months to increase the chances of the browser remembering that the site is only to be accessed over HTTPS, thereby protecting the user. If the user visits the site again within that 6-month window, which is likely if the user visits the site frequently, the browser will remember the setting for another 6 months, thus protecting the user almost constantly.
With the includeSubdomains option, all requests to URLs in the current domain and its subdomains will go over HTTPS. When you set includeSubdomains, make sure you can serve all of those requests over HTTPS! It is, however, important that you add the includeSubdomains option whenever possible.
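As an added example (not part of the original page or any scanner's own code), the following Python checker parses a Strict-Transport-Security value the way RFC 6797 describes (directives separated by ';', names case-insensitive, values optionally quoted, no duplicates) and flags the two weaknesses discussed above: a max-age below the desired window and a missing includeSubdomains. The 6-month threshold of 15552000 seconds (6 x 30 days) and the sample headers are constructed for this snippet.

```python
# Constructed threshold: roughly six months, expressed in seconds (6 x 30 days).
SIX_MONTHS = 6 * 30 * 24 * 3600  # 15552000


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into {directive_name_lowercase: value}.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    values may be double-quoted, and a directive must not appear twice.
    A header that fails these rules is ignored by browsers, so we raise.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' or empty segment
        name, _, value = part.partition("=")
        name = name.strip().lower()  # "includeSubDomains" and "includesubdomains" are equal
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def evaluate_hsts(header: str, min_age: int = SIX_MONTHS) -> list:
    """Return a list of findings; an empty list means the header is acceptable."""
    try:
        directives = parse_hsts(header)
    except ValueError as err:
        return [str(err)]  # unparsable header gives no protection at all
    findings = []
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age missing or not a non-negative integer")
    elif int(age) == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif int(age) < min_age:
        findings.append(f"max-age={age} is below the {min_age}s threshold")
    if "includesubdomains" not in directives:
        findings.append("includeSubdomains not set; subdomains remain unprotected")
    return findings


def hsts_header(max_age: int = SIX_MONTHS, include_subdomains: bool = True) -> str:
    """Build a header value with the recommended settings, e.g. for a reverse proxy config."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"  # spelling used by RFC 6797; matching is case-insensitive
    return value
```

Only add includeSubDomains once every host under the domain is actually reachable over HTTPS, since the browser will refuse plain-HTTP connections to all of them for the whole max-age window.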