What is HSTS and why you need it
If your site still leaves any room for browsers to touch plain HTTP, you have a weak spot. That’s exactly the problem HSTS solves. HSTS stands for HTTP Strict Transport Security. It’s a response header that tells browsers: “From now on, only talk to me over HTTPS. Don’t even try HTTP.” Once a browser sees that policy, it stops making insecure requests to your site for a defined period. That sounds small, but it closes one of the oldest and most annoying gaps in web security: the first insecure request. ...
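To make the policy concrete, here is a small model of what a browser stores after it sees the header and how it then rewrites a plain-HTTP URL before any request leaves the machine. This is an added example, not code from the article; it assumes the header name Strict-Transport-Security and the max-age and includeSubDomains directives as defined in RFC 6797, and every hostname and timestamp below is constructed for illustration.

```python
"""Model of how a browser applies an HSTS policy (added example, not from the article).

Assumptions not stated on the page: the header is Strict-Transport-Security,
max-age is in seconds, and includeSubDomains extends the policy to subdomains
(RFC 6797). Hostnames and times used here are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str                 # host the header was received from (lower-cased)
    expires_at: float         # absolute time in seconds at which the policy lapses
    include_subdomains: bool  # whether subdomains are covered too


def parse_hsts(host: str, header_value: str, received_at: float) -> Optional[HstsPolicy]:
    """Turn a Strict-Transport-Security header value into a stored policy.

    Returns None when the header has no valid max-age: a browser ignores such a
    header rather than guessing, so a typo in the directive silently leaves the
    site unprotected. max-age=0 yields a policy that is already expired, which
    is how a site tells browsers to forget an earlier policy.
    """
    max_age = None
    include_subdomains = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), received_at + max_age, include_subdomains)


def policy_applies(policy: HstsPolicy, host: str, now: float) -> bool:
    """True if the stored policy still covers `host` at time `now`."""
    if now >= policy.expires_at:
        return False  # lapsed: the browser is back to trusting plain HTTP
    host = host.lower()
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def upgrade_url(policy: HstsPolicy, url: str, now: float) -> str:
    """Return the URL the browser would actually request.

    A plain-HTTP URL for a covered host is rewritten to HTTPS before any
    network traffic, which is the point of the header: no insecure request is
    ever made. Port 80 maps to the default HTTPS port; other explicit ports are
    kept, as RFC 6797 requires.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not policy_applies(policy, parts.hostname or "", now):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed scenario: the header was received at t=1000 with a one-year max-age.
    policy = parse_hsts("example.com", "max-age=31536000; includeSubDomains", 1000.0)
    print(upgrade_url(policy, "http://example.com/login", 2000.0))
    print(upgrade_url(policy, "http://api.example.com/v1", 2000.0))
    print(upgrade_url(policy, "http://example.com/login", 1000.0 + 31536000))
```

Two details worth noticing when running it: a header without a parseable max-age is discarded entirely, so a deployment that misspells the directive gets no protection at all, and a policy without includeSubDomains leaves every subdomain reachable over plain HTTP even while the parent host is covered.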