HTTP Strict Transport Security (HSTS)

Tells browsers to only connect to your site over HTTPS for a set period.

HSTS is a single response header. Once the browser has seen it on a response delivered over HTTPS with a valid certificate, it will upgrade plain HTTP requests for that host (and, with includeSubDomains, its subdomains) to HTTPS until max-age expires. Browser preload lists extend that protection to a user's very first visit, but only after you meet the preload requirements.

Why developers care

Without HSTS, a user’s first request might go over HTTP (bookmark, typo, captive portal, or active attacker). TLS alone does not stop that downgrade. HSTS closes the gap for return visits immediately and, with preload, shrinks the first-visit window. Security scanners flag missing HSTS as a standard finding; fixing it is usually one header line at the edge or in your app server.

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
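As an added example (not part of the original page and not HeadersFixer's own code), a small parser for the header value above that applies the RFC 6797 rules (case-insensitive directive names, optional quoted values, a required and non-repeating max-age) and then checks the value against the preload-list thresholds; the one-year minimum is taken from the hstspreload.org submission rules and is assumed to be current.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # RFC 6797: max-age is required and no directive may repeat.
        return self.max_age is not None and not self.problems

    @property
    def preload_ready(self) -> bool:
        # hstspreload.org rules (assumed current): 1-year max-age + both tokens.
        return (self.valid and self.max_age >= PRELOAD_MIN_MAX_AGE
                and self.include_subdomains and self.preload)


def parse_hsts(value: str) -> HstsPolicy:
    # Parse one Strict-Transport-Security field value (RFC 6797 section 6.1).
    policy, seen = HstsPolicy(), set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # a trailing ';' leaves an empty directive; tolerate it
        name, _, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string values are permitted
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if val.isdecimal():
                policy.max_age = int(val)  # delta-seconds; 0 clears the policy
            else:
                policy.problems.append(f"bad max-age value: {val!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True  # unknown directive names are ignored per RFC
    if policy.max_age is None:
        policy.problems.append("max-age directive missing")
    return policy
```

Feed it the Strict-Transport-Security value from a real response; `valid` tells you whether a browser will honour it at all, `preload_ready` whether it clears the preload bar.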

Spec

RFC 6797 · HSTS Preload
