HTTP Strict Transport Security
On a public-facing site, HSTS should be set up to tell connecting clients to only talk to the web server over HTTPS/TLS. Put the header in the HTTPS server block only: browsers ignore Strict-Transport-Security received over plain HTTP, and note that nginx's add_header is not inherited into any location block that declares its own add_header, so check the effective headers per location.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
max-age is in seconds (15552000 is 180 days); the canonical spelling is includeSubDomains (matching is case-insensitive, but the canonical form is what the preload list and most scanners expect). The always parameter (nginx 1.7.5+) makes nginx send the header on 4xx/5xx responses as well, not only on 2xx/3xx.
If using a self-signed cert (testing, internal only, etc.), you'll run into a few difficulties since the cert isn't publicly valid (your browser can't validate it).
Once a browser has cached an HSTS policy for the host, it no longer offers the usual click-through for a certificate error, so the site becomes unreachable until the policy expires or is cleared. Don't send the header at all from hosts with an untrusted cert. If a policy has already been cached, the host can clear it by sending a zero max-age:
add_header Strict-Transport-Security "max-age=0" always;
Caveat: browsers only process the header, max-age=0 included, on a TLS connection with no certificate errors. With a self-signed cert that means the clearing header only takes effect after the client trusts the cert (for example by importing it or its CA into the client trust store); otherwise clear the entry on the client side (Chrome: chrome://net-internals/#hsts, Firefox: "Forget About This Site").
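The following is an added example, not code from the original page or from nginx: a small parser and linter for Strict-Transport-Security header values as a browser would interpret them (RFC 6797), applied to the two values shown above plus a few constructed ones. The minimum age, the preload rule (hstspreload.org requires max-age of at least one year plus includeSubDomains) and the over_trusted_tls switch, which models the header being ignored on a connection with certificate errors, are assumptions of this example.

```python
"""Parse and sanity-check Strict-Transport-Security header values (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional

# 180 days in seconds, the value used in the nginx snippet above.
SIX_MONTHS = 15552000
# hstspreload.org submission requirement (assumed threshold for this example).
PRELOAD_MIN_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: list


def parse_hsts(value: str) -> HstsPolicy:
    """Split a header value into directives (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is required and may appear
    only once, and unknown directives are ignored. An empty trailing
    directive (a stray ';' at the end) is tolerated, like browsers do.
    """
    max_age = None
    include_subdomains = False
    preload = False
    problems = []
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="123" is allowed
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                problems.append(f"max-age is not a non-negative integer: {arg!r}")
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            problems.append(f"unknown directive ignored: {name}")
    if max_age is None:
        problems.append("max-age missing: browsers ignore the whole header")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def assess(value: str, over_trusted_tls: bool = True, min_age: int = SIX_MONTHS) -> list:
    """Return a list of findings for a header value.

    over_trusted_tls=False models the self-signed certificate case: the UA
    must ignore the header when the connection has TLS errors, so neither a
    new policy nor a max-age=0 clearing is applied.
    """
    findings = []
    if not over_trusted_tls:
        findings.append("header ignored: not delivered over an error-free TLS connection")
        return findings
    policy = parse_hsts(value)
    findings.extend(policy.problems)
    if policy.max_age is None:
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0: cached policy for this host is removed")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} below {min_age}")
    if policy.max_age > 0 and not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    if policy.preload and (policy.max_age < PRELOAD_MIN_AGE or not policy.include_subdomains):
        findings.append("preload requires max-age >= 31536000 and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the two from the nginx snippets plus edge cases.
    samples = [
        ("max-age=15552000; includeSubdomains;", True),
        ("max-age=0;", True),
        ("max-age=0;", False),          # served from a host with a self-signed cert
        ("max-age=300", True),
        ("includeSubDomains; preload", True),
    ]
    for value, trusted in samples:
        print(f"{value!r} (trusted TLS: {trusted}) -> {assess(value, trusted) or ['ok']}")
```

Feed the script the header value nginx actually emits (for example from curl -sI https://host | grep -i strict-transport-security) rather than the directive in the config file, so that add_header inheritance problems show up as a missing header instead of staying hidden.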