One of the best-known policies is the HTTP Strict Transport Security. Below, we will give a quick overview of HSTS configuration and what is recommended. If you want to know what HSTS is or why you need it:
Configuring HTTP Strict Transport Security
The most effective way to use HSTS is by preloading the strict policy directly in supported browsers.
If you do not preload your website, the browser will only remember the preference after each first visit. Although better than nothing, preloading is the way to go.
After selecting ‘preload’ in Really Simple SSL, you can go to hstspreload.org to add your domain to the browser list. Please know that getting on the list is more straightforward than being removed. If you, for any reason, need to fall back to HTTP:// and you’re still on the preload list. Your website will be available once it is off the list or back on HTTPS://.
If you want to use preload, make sure you enable these settings:
- HTTP Strict Transport Security
- Include preload
- Include subdomains
- Choose the max-age for HSTS (Minimum of One-Year)