Configure your .htaccess File
You should edit your .htaccess file to add the proper headers to static assets.
Here is an example code snippet:
<IfModule mod_headers.c>
    # HSTS header
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
</IfModule>
Clear caches and test!
Checking HSTS header using curl
curl -s -D- https://example.com/ | grep -i Strict
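The grep above only shows that the header exists. The following added example (not part of the original page) also checks that the policy is usable: it parses max-age and includeSubDomains from a header dump and flags a missing, disabled or short-lived policy. The function name hsts_check, the SAMPLE text and the return codes are assumptions made for this example.

```shell
# Constructed sample: header dump like `curl -s -D- -o /dev/null URL` prints.
SAMPLE='HTTP/1.1 200 OK
Content-Type: text/html
strict-transport-security: max-age=31536000; includeSubdomains;
'

# Reads response headers on stdin, prints one verdict line.
# Returns 0 = usable policy, 1 = missing/invalid/disabled, 2 = max-age too short.
hsts_check() {
    min_age=${1:-31536000}   # assumption: require one year, as in the snippet
    # Header names are case-insensitive; strip CR from CRLF line endings.
    # Only the first STS header counts (RFC 6797 ignores later duplicates).
    value=$(tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ && !seen {
        sub(/^[^:]*:/, ""); print; seen = 1 }')
    if [ -z "$value" ]; then
        echo "FAIL: Strict-Transport-Security header missing or empty"; return 1
    fi
    max_age=""; subdomains=no
    old_ifs=$IFS; IFS=';'; set -f      # split directives on ';' without globbing
    for d in $value; do
        # Directive names are case-insensitive; max-age may be a quoted string.
        d=$(printf '%s' "$d" | tr -d ' \t"' | tr 'A-Z' 'a-z')
        case $d in
            max-age=*) max_age=${d#max-age=} ;;
            includesubdomains) subdomains=yes ;;
        esac
    done
    set +f; IFS=$old_ifs
    case $max_age in
        ''|*[!0-9]*) echo "FAIL: max-age missing or not a number"; return 1 ;;
    esac
    if [ "$max_age" -eq 0 ]; then
        echo "FAIL: max-age=0 tells browsers to drop the HSTS policy"; return 1
    fi
    if [ "$max_age" -lt "$min_age" ]; then
        echo "WARN: max-age=$max_age is below $min_age"; return 2
    fi
    echo "OK: max-age=$max_age includeSubDomains=$subdomains"
}

# Demo on the constructed sample; never aborts the calling script.
printf '%s' "$SAMPLE" | hsts_check || true
```

Against a live site, pipe the real headers in: curl -s -D- -o /dev/null https://example.com/ | hsts_check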
I don’t see the HSTS header on assets
The idea behind an HSTS header is that content is always downloaded over an encrypted connection.
Once the files are downloaded and put in your memory/disk cache they are no longer encrypted.
When your browser gets the files from memory/disk cache they also don’t need to be downloaded over any connection. The memory/disk cache is a trusted resource. That’s why the HSTS header is not needed.