HTTP Strict Transport Security (HSTS) is a security mechanism in which a website tells the browser that all future requests should be made over HTTPS. Using HSTS will force all future requests to the current domain name to use https:// URLs even if the user attempts to go to links using http:// URLs.
You can enable HSTS headers by adding the following in a .htaccess file in your app’s web root directory (public):
RewriteEngine On
# Force SSL:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Force www:
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [E=HTTPS,R=301,L]
# Security header Enable HSTS
Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” env=HTTPS