I just set up Webfig using IP > Services > www-ssl. I created a self-signed certificate and it works great! But is there an option to enable HSTS so that a user cannot access Webfig unless they have CA installed on their PC/browser?
No. But you can disable the plain www config service.