HTTP Strict Transport Security - What is it?

As the Mozilla developer documentation says:

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

How to tell browsers to use HTTPS for a domain?

There is a catch: the user has to visit the site (domain) over https at least once for the browser to learn that it should use https from then on. A Strict-Transport-Security response header received over https tells the browser to use https only for subsequent requests to that host. The same header received over plain http is ignored, because anyone on the network path could have injected it.

Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]

max-age: the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. The timer restarts every time the header is seen again, and max-age=0 tells the browser to forget the policy for that host.

includeSubDomains: the policy also applies to every subdomain of the host that sent the header.

preload: whether this domain should be added to the preload list. preload is not part of the HSTS specification (RFC 6797), and browsers ignore it when they process the header; it is required by the preload submission service as the site owner's consent to being included in the preload list that ships with browsers (Chrome, Safari and Firefox).

Once a domain is in the preload list, browsers upgrade requests for it to https even if the user has never visited the domain, which closes the first-visit gap described above.

How to add a domain to preload list?

Go to the hstspreload submission site (hstspreload.org). It stipulates certain requirements that must be met before a domain can be submitted: a valid certificate, an http to https redirect on the same host, https served on all subdomains, and an HSTS header on the https site whose max-age is at least one year (31536000 seconds) and which carries both the includeSubDomains and preload directives. Once verified, the domain goes into a pending submission state. Removal from the list is slow because it has to propagate through browser releases, so make sure every subdomain really works over https before submitting.

Once HSTS is in effect for a domain, the browser performs an internal 307 redirect from http to https before the request ever leaves the client, so the plain-http request never hits the server (Chrome DevTools shows this as "307 Internal Redirect"). Below is a network capture from the Chrome browser for this domain.
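To make the header directives above and the internal redirect concrete, here is an added example (not code from this post): a small JavaScript model of a browser's HSTS cache. It parses the Strict-Transport-Security header, ignores it when received over plain http, honours max-age (including max-age=0 and expiry) and includeSubDomains, upgrades http URLs to https the way the browser's internal 307 redirect does, and checks a header against the preload submission requirements. The thresholds in preloadEligible (one-year max-age, includeSubDomains, preload) are taken from the hstspreload.org requirements as an assumption to verify against the site; the function names and sample headers are mine.

```javascript
// Added example: a minimal model of a browser's HSTS cache (RFC 6797 behaviour).
// Not code from the original post. Function names and sample data are constructed.

const hstsCache = new Map(); // hostname -> { expires (ms epoch), includeSubDomains }

// Parse a Strict-Transport-Security header value into its directives.
// Returns null when the header is malformed (no usable max-age), in which
// case a browser ignores it entirely. Unknown directives (including
// "preload") are ignored by the browser, as the RFC requires.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const [name, val] = token.split('=').map((s) => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age':
        if (!/^"?\d+"?$/.test(val || '')) return null; // bad max-age: drop header
        policy.maxAge = parseInt(val.replace(/"/g, ''), 10);
        break;
      case 'includesubdomains': policy.includeSubDomains = true; break;
      case 'preload': policy.preload = true; break;
      default: break; // unknown directive: ignored
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Feed a response into the cache. The header only counts when the response
// arrived over https; max-age=0 makes the browser forget the host.
// Returns true when the cache was updated.
function processResponse(url, headers, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== 'https:') return false; // header over plain http is ignored
  const value = headers['strict-transport-security'];
  if (value === undefined) return false;
  const policy = parseHsts(value);
  if (!policy) return false;
  const host = u.hostname.toLowerCase();
  if (policy.maxAge === 0) { hstsCache.delete(host); return true; }
  hstsCache.set(host, {
    expires: now + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains,
  });
  return true;
}

// Is this host covered by an unexpired policy, either its own entry or a
// parent domain's entry that carried includeSubDomains? Expired entries are purged.
function isKnownHstsHost(host, now = Date.now()) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const entry = hstsCache.get(candidate);
    if (!entry) continue;
    if (entry.expires <= now) { hstsCache.delete(candidate); continue; }
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// The "307 Internal Redirect": rewrite an http:// URL to https:// before any
// request leaves the client. Port 80 is dropped (the URL parser already
// normalises it away); any other explicit port is preserved, per RFC 6797.
function upgradeUrl(url, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== 'http:' || !isKnownHstsHost(u.hostname, now)) return url;
  u.protocol = 'https:';
  return u.toString();
}

// Header checks mirroring the hstspreload.org submission requirements
// (assumed here; verify against the site before relying on them).
const ONE_YEAR = 31536000;
function preloadEligible(value) {
  const p = parseHsts(value);
  if (!p) return { ok: false, reason: 'missing or malformed max-age' };
  if (p.maxAge < ONE_YEAR) return { ok: false, reason: `max-age ${p.maxAge} is below ${ONE_YEAR}` };
  if (!p.includeSubDomains) return { ok: false, reason: 'includeSubDomains directive missing' };
  if (!p.preload) return { ok: false, reason: 'preload directive missing' };
  return { ok: true, reason: 'header meets the submission requirements' };
}

// Demo on a constructed header (sample data, not a real capture).
const demoHeader = { 'strict-transport-security': 'max-age=63072000; includeSubDomains; preload' };
processResponse('https://example.com/', demoHeader);
console.log(upgradeUrl('http://www.example.com:8080/login')); // upgraded, port kept
console.log(preloadEligible(demoHeader['strict-transport-security']));
```

Note the asymmetry the model makes visible: a header over plain http never populates the cache, so the very first http request to a host still goes out in clear unless the host is preloaded; that is exactly the gap the preload list exists to close.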