What is this
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to reach your domain only over HTTPS, even when the user types http://. A valid HSTS header with a max-age of at least 6 months is the minimum standard.
Why it matters
Without HSTS, an attacker on open wifi can intercept the first plain-HTTP request and route it to a fake site (SSL stripping). With HSTS, after the first HTTPS visit the browser remembers that only HTTPS is allowed for that domain and will not send plain HTTP requests to it again until the max-age expires.
How to fix it
TransIP: On Managed WordPress, file a ticket or use a plugin (Really Simple SSL). On a VPS, add this line to your nginx config:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
CloudFlare: SSL/TLS > Edge Certificates > HTTP Strict Transport Security > Enable. Set max-age to 6 or 12 months, and tick Include subdomains and Preload.
Strato or Antagonist: In the .htaccess on the apex domain, add:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Some hosting packages ship with this enabled by default.
Other: Add the header in your web server config. Start carefully with max-age=300 for testing, then raise it to 31536000 (1 year) or more. The reason to start small is that browsers enforce the header for the full max-age once they have seen it, so make sure every host covered by includeSubDomains already works over HTTPS before you commit to a long value.
Verify
Run:
curl -sI https://yourdomain.com | grep -i strict-transport
Or check the Securityheaders.com score. For preload: hstspreload.org.
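The header values in the fix section and the curl check above can be turned into a small script that grades what a server actually sends. The script below is an added example written for this page, not tooling from TransIP, CloudFlare, Strato or Antagonist; it assumes 6 months means 180 days and uses the 1 year minimum that hstspreload.org requires for preload submission, and the function names (hsts_grade, hsts_fetch) are made up here.

```shell
#!/bin/sh
# Added example: grade a Strict-Transport-Security header value against the
# thresholds discussed on this page. Not part of any hosting provider's tooling.

HSTS_MIN_AGE=15552000          # assumption: "6 months" = 180 days * 86400 s
HSTS_PRELOAD_MIN_AGE=31536000  # 365 days, what hstspreload.org requires for preload

# Split the header value into one lower-cased directive per line.
hsts_directives() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# hsts_max_age VALUE -> prints the max-age number (quoted or bare), or nothing if absent
hsts_max_age() {
    hsts_directives "$1" \
        | sed -n 's/^max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# hsts_has_directive VALUE NAME -> exit 0 if the directive is present (case-insensitive)
hsts_has_directive() {
    hsts_directives "$1" | grep -qx "$2"
}

# hsts_grade VALUE -> prints one of: missing, weak, ok, preload-ready
#   missing       no usable max-age at all (no HSTS in effect)
#   weak          max-age below the 6 month minimum (e.g. the max-age=300 test value)
#   ok            meets the 6 month minimum
#   preload-ready 1 year or more plus includeSubDomains and preload
hsts_grade() {
    value=$1
    age=$(hsts_max_age "$value")
    if [ -z "$age" ]; then
        echo missing
        return 0
    fi
    if [ "$age" -lt "$HSTS_MIN_AGE" ]; then
        echo weak
        return 0
    fi
    if [ "$age" -ge "$HSTS_PRELOAD_MIN_AGE" ] \
        && hsts_has_directive "$value" includesubdomains \
        && hsts_has_directive "$value" preload; then
        echo preload-ready
        return 0
    fi
    echo ok
}

# hsts_fetch HOST -> grade of the live header; this is the curl check from the
# page with the header value piped into hsts_grade (needs network access).
hsts_fetch() {
    hdr=$(curl -sI "https://$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    hsts_grade "$hdr"
}

# Constructed sample values (not captured from any real server) to show the grades:
hsts_grade 'max-age=63072000; includeSubDomains; preload'   # the nginx value above
hsts_grade 'max-age=31536000; includeSubDomains'            # the .htaccess value above
hsts_grade 'max-age=300'                                    # the testing value above
hsts_grade ''                                               # header absent
```

Run `hsts_fetch yourdomain.com` after deploying to confirm the grade matches what you configured; a result of weak or missing usually means a cache, CDN layer or http-to-https redirect is serving a different header than the one in your config.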