HSTS (HTTP Strict Transport Security) is a policy where the server uses the `Strict-Transport-Security` response header to tell browsers 'from now on, only ever connect to this site over HTTPS.'
Once a browser receives this header, for the specified period it automatically upgrades any plaintext HTTP attempt to that domain into HTTPS itself.
The problem it solves is the 'plaintext vulnerability of the first connection.' If a user types just `example.com`, the browser first tries `http://`, and the server 301-redirects to HTTPS. An attacker who intercepts that first plaintext round trip (SSL stripping, man-in-the-middle) can block the upgrade and steal traffic. HSTS makes the browser remember the domain so it never even forms a plaintext request and goes straight to HTTPS.
Header directives include `max-age` (policy lifetime in seconds), `includeSubDomains` (apply to all subdomains), and `preload`. `preload` registers the domain in browsers' built-in HSTS preload list so even a brand-new first visit goes to HTTPS with no plaintext — a powerful option, but removal from the list is very hard and every subdomain must support HTTPS, so use it carefully. Note: before enabling HSTS you must first have a valid certificate and HTTPS on all paths; a misconfiguration can make the site unreachable.