Add Strict-Transport-Security (max-age 1y, includeSubDomains) to every TLS server block in both vhost templates. Combined with the existing port-80 301 redirect, browsers refuse plain HTTP to these names after first visit. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>