HSTS: Enforce HTTPS to Protect Your Website

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

⚠️ Start with max-age=300 (5 minutes) for testing. Switch to 31536000 only after verifying HTTPS works perfectly on all subdomains.