Ref T4340. The attack this prevents is:

• An adversary penetrates your network. They acquire one of two capabilities:
  • Your server is either configured to accept both HTTP and HTTPS, and they acquire the capability to observe HTTP traffic.
  • Or your server is configured to accept only HTTPS, and they acquire the capability to control DNS or routing. In this case, they start a proxy server to expose your secure service over HTTP.
• They send you a link to http://secure.service.com (note HTTP, not HTTPS!)
• You click it since everything looks fine and the domain is correct, not noticing that the "s" is missing.
• They read your traffic.

This is similar to attacks where https://good.service.com is proxied to https://good.sorvace.com (i.e., a similar looking domain), but can be more dangerous -- for example, the browser will send (non-SSL-only) cookies and the attacker can write cookies.

This header instructs browsers that they can never access the site over HTTP and must always use HTTPS, defusing this class of attack.

• Configured HTTPS locally.
• Accessed site over HTTP (got application redirect) and HTTPS.
• Enabled HSTS.
• Accessed site over HTTPS (to set HSTS).
• Tore down HTTPS part of the server and tried to load the site over HTTP. Browser refused to load "http://" and automatically tried to load "https://". In another browser which had not received the "HSTS" header, loading over HTTP worked fine.
• Brought the HTTPS server back up, things worked fine.
• Turned off the HSTS config setting.
• Loaded a page (to set HSTS with expires 0, diabling it).
• Tore down the HTTPS part of the server again.
• Tried to load HTTP.
• Now it worked.