HSTS solves a subtle but real attack: even when a site uses HTTPS, attackers can intercept the initial plain-HTTP request (before the redirect to HTTPS fires) and either downgrade the connection or strip the redirect entirely. HSTS prevents this by telling the browser "after seeing me this once, NEVER connect to me without HTTPS again."
A typical HSTS header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Components:
max-age=31536000— the browser remembers the HSTS directive for 1 year (in seconds). After that it can be revisited via plain HTTP.includeSubDomains— also enforce HSTS for all subdomains of this host.preload— consent to be included in the browser's built-in HSTS preload list (see below).
HSTS preload takes the protection one step further: rather than relying on the browser having seen the site once, you can submit your domain to hstspreload.org to be included in a list shipped with every browser. The browser then enforces HTTPS-only for your domain from the first visit, even if it's never connected before.
Trade-off: HSTS-preloaded domains can't go back to HTTP. Make sure your entire site (including all subdomains if you use that directive) is HTTPS-only before submitting.
Modusdom's production sites all use HSTS with a 1-year max-age and includeSubDomains. We're preload-ready but not yet preloaded.