Can I enable HSTS?
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
You can enable this by adding the following to your .htaccess file:
Header set Strict-Transport-Security “max-age=5184000; includeSubDomains; preload”
The 'max-age' is the time in days you want the warning to be cached for, the above would set that to a default of 60 days.
Be aware that if you set this header, the site will only ever load over HTTPS.
For instance, while people can usually click through a browser warning about a name mismatch or expired certificate, browsers do not allow such a click through for hostnames with an active HSTS header. It also means that if they ever move the site to a provider that doesn't support HSTS or if they wish to remove the certificate, they cannot do so and their site will be unavailable.