HTTP Strict Transport Security (HSTS) is a security mechanism that protects HTTPS websites against protocol-downgrade attacks such as SSL stripping, where an attacker on the network path intercepts a plain HTTP request before it can be redirected to HTTPS. A server declares the policy by sending the Strict-Transport-Security response header; for the time given by its max-age directive (in seconds), the browser remembers that every connection to the site must use HTTPS, rewrites http:// URLs for the site to https:// before sending any request, and refuses to let the user click through certificate errors. Browsers only honour the header when it arrives on an HTTPS response, so HSTS adds a layer of protection around a site that is already SSL/TLS-only; it cannot secure a site that still serves content over HTTP.
There are two ways to enable HSTS for your website:
Enabling HSTS through settings.php (Drupal 7 only)
If Drupal is serving the front page (index page) of your website, so that the first HTTPS response a browser receives comes from Drupal, you can implement HSTS by adding the following call to your settings.php file. settings.php is read before Drupal sends any output, which is why a plain PHP header() call works there. The max-age value is in seconds; 31536000 is one year. Start with a much smaller value while you are still confirming that every page works over HTTPS, because browsers that have cached the policy will enforce it for the full period even if you later remove the header:
header('Strict-Transport-Security: max-age=31536000');
If all present and future subdomains of your website will be served over HTTPS, add the includeSubDomains directive so the policy also applies to them. Do not add it otherwise: browsers will refuse to load any HTTP-only subdomain (an intranet host, a mail web client, a vendor service on a CNAME) for the full max-age, and there is no way to recall the policy from browsers that have already cached it:
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
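The two header() lines above are the whole mechanism, but a settings.php that sends them unconditionally also sends them on plain-HTTP requests (which browsers ignore) and, behind a load balancer that terminates TLS, may never see an HTTPS request at all. The following is an added example of a complete Drupal 7 settings.php fragment, not code from the Drupal documentation or from either contributed module; it assumes the site is served at example.com, that every subdomain is HTTPS-only, and, where a reverse proxy terminates TLS, that the proxy sets X-Forwarded-Proto and that you have already listed its addresses in $conf['reverse_proxy_addresses'] earlier in settings.php.

```php
<?php
// Added example (not from the Drupal documentation page): send the HSTS
// header from Drupal 7 settings.php only on responses to HTTPS requests.
//
// Assumptions: site is example.com, all subdomains are HTTPS-only, and any
// TLS-terminating proxy sets X-Forwarded-Proto and is listed in
// $conf['reverse_proxy_addresses'] above this point in settings.php.

// 1. Decide whether this request arrived over HTTPS.
//    With native TLS, PHP sets $_SERVER['HTTPS'] (some SAPIs set it to 'off').
$is_https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

//    Behind a proxy that terminates TLS, the request reaches PHP as plain HTTP
//    and the original scheme is only in X-Forwarded-Proto. Trust that header
//    only when the connecting address is a proxy you configured; any client
//    can send the header itself.
if (!$is_https
    && !empty($conf['reverse_proxy'])
    && !empty($conf['reverse_proxy_addresses'])
    && isset($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'])
    && in_array($_SERVER['REMOTE_ADDR'], $conf['reverse_proxy_addresses'], TRUE)) {
  $is_https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// 2. Build the policy. Keep max-age short (e.g. 300) during rollout: a cached
//    policy cannot be withdrawn from browsers, only allowed to expire.
$hsts_max_age = 31536000;      // one year, the value used on this page
$hsts_include_subdomains = TRUE; // only because every subdomain is HTTPS-only

// 3. Send it, but only on HTTPS responses. Browsers discard HSTS received
//    over HTTP, and the header on an HTTP response advertises nothing useful.
if ($is_https) {
  $hsts_value = 'max-age=' . (int) $hsts_max_age;
  if ($hsts_include_subdomains) {
    $hsts_value .= '; includeSubDomains';
  }
  // settings.php runs before any output, so header() is still allowed here.
  header('Strict-Transport-Security: ' . $hsts_value);
}
```

After deploying, confirm the header is present on an HTTPS response and absent on a plain-HTTP one, for example with curl -sI https://example.com/ and curl -sI http://example.com/, looking for the Strict-Transport-Security line in each; the HTTPS response should also be the only place you ever see the header if the HTTP side simply redirects to HTTPS.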
Enabling HSTS through contributed modules
There are two Drupal contributed modules that you can use to enable HSTS. The Security Kit module provides Drupal with several extra security options, including implementing the HSTS response header. The HTTP Strict Transport Security module also adds HSTS headers to your site.
For information about the SSL options, see: