A .htaccess file on the highest web server level, may contain this:

SetEnv no-gzip 1

# Preferably use the checkbox in the control panel.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

# You can test with https://en.internet.nl/
# You can analyze with my https://hostingtool.nl/server_headers

<If "! (%{HTTP_HOST} =~ /^www\.example\.com$/)">
    Redirect 302 / https://www.example.com/
</If>

Redirect 302 /.well-known/security.txt https://janwillemstegink.nl/.well-known/security.txt

# Note: WordPress may rewrite in .htaccess. This does not combine with redirection to www.

Also check our page about security headers.