HTTP Strict Transport Security (HSTS)
HSTS sends a Strict-Transport-Security response header that instructs browsers to connect over HTTPS only — for the next max-age seconds — even if a user types http://. Once a browser has seen the header, it rewrites http:// URLs for that host to https:// before sending anything, closing the downgrade window that SSL-stripping attacks exploit (only the very first visit remains uncovered, which is what preload addresses). Use a long max-age (one to two years; 63072000 is common). Add includeSubDomains once every subdomain serves HTTPS. Add preload only when you're ready to be hard-coded into browsers' preload list — removal is slow. Send HSTS only over HTTPS, never on plain-HTTP responses: browsers ignore the header when it arrives over an insecure connection.
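The following is an added example, not code from the original page: a small Python audit that parses a Strict-Transport-Security header value per RFC 6797 and reports where it falls short of the guidance above (missing or short max-age, no includeSubDomains, preload declared without meeting the list's one-year/includeSubDomains requirements, or the header delivered on a plain-HTTP response). The finding texts and the `over_https` flag are this example's own conventions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
ONE_YEAR = 31536000  # minimum max-age the preload list accepts; two years (63072000) is common

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

def parse_hsts(value: str) -> HstsPolicy:
    """Parse per RFC 6797: ';'-separated directives, case-insensitive names, optional quoting."""
    policy = HstsPolicy()
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.findings.append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy

def audit_hsts(value: str, over_https: bool = True) -> List[str]:
    """Return findings against the guidance above; an empty list means the policy looks sound."""
    policy = parse_hsts(value)
    findings = list(policy.findings)
    if not over_https:
        findings.append("sent on a plain-HTTP response: browsers ignore HSTS there")
    if policy.max_age is None:
        findings.append("max-age missing: header is invalid and ignored")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is under one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains are still strippable")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload set without >=1-year max-age and includeSubDomains")
    return findings

if __name__ == "__main__":
    print(audit_hsts("max-age=300"))  # constructed weak header: two findings
```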