Forum Moderators: phranque


HSTS

Best way to implement


smallcompany

2:16 am on Nov 27, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi,

So, after switching a site to HTTPS, one of the steps is to get that HSTS thing as well. Would this code in .htaccess be a good way of doing it:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";


Is there anything else about this add_header command one should know?

Also, if the server is configured to run as FastCGI, is .htaccess still the only option? Just curious. I know that some PHP-related stuff goes out of .htaccess into other config files like php.ini or .user.ini.

Thank you

phranque

3:05 am on Nov 27, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



add_header

is this an apache server or nginx?

is .htaccess still the only option?

assuming this is relevant to apache (and php is irrelevant in this case), you could put this directive in your .htaccess file or the relevant container of your server config file if you have access to that:
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

smallcompany

4:35 am on Nov 27, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes, it is an Apache server. So it would be the Header directive, ok, thanks. I already had some variations noted down, but that slipped off my mind when I picked the add_header one. I also came across the Header append variation, but could not figure out what the effect would be in the end.

And speaking of this directive... I see there's an option to add a site to [hstspreload.org...] for Chrome. It was new to me to see that it warned me about straight redirect from http://example.com to https://www.example.com. It asked me to reconfigure it to this:

http://example.com >301> https://example.com >301> https://www.example.com

Wasn't it that we always wanted fewer redirects, and how much would one support this?

Thank you

keyplyr

7:21 am on Nov 27, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You want the header set

I use it the same way, just with a longer expiry:
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"


Ah, looks like phranque already suggested it :)

more security headers here [webmasterworld.com]

As far as hstspreload.org is concerned, I saw those errors as well and decided to forget about it. I think it's a limitation with their validation tool because my config passes all other tools.
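Pulling the thread together, here is an added example (not posted by anyone in this thread) of an Apache 2.4 server config that sets the HSTS header phranque and keyplyr describe and also produces the redirect chain hstspreload.org asked smallcompany for. example.com, /var/www/example and the certificate paths are placeholders; the directives themselves are standard mod_headers, mod_rewrite, mod_alias and mod_ssl.

```apache
# Port 80: never serve content here, only redirect. Browsers ignore a
# Strict-Transport-Security header received over plain HTTP (RFC 6797),
# so there is no point setting it in this vhost. The preload checker
# wants the first hop to keep the requested host and only change the
# scheme: http://example.com -> https://example.com
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443, bare host: second hop to the canonical www host. The header is
# set here as well, so the bare domain gets pinned to HTTPS even though it
# only ever answers with a redirect.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Placeholder paths; the certificate must be valid for this name.
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Port 443, canonical host: the site itself. "always" makes mod_headers add
# the header to error and redirect responses too, not only to successful
# responses generated by the content handler.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    # Placeholder paths; the certificate must be valid for this name.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>
```

Two things worth knowing before copying this. First, `Header set` replaces any existing header of that name, while `Header append` merges the new value onto an existing one with a comma, which is not what you want for a single-valued header like Strict-Transport-Security; `set` is the right verb here. Second, `includeSubDomains` and `preload` commit every subdomain of example.com to HTTPS for the full max-age (two years above), and the preload list requires a max-age of at least one year, so make sure no subdomain still needs plain HTTP before sending this header to real visitors.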