HSTS
The HSTS header instructs the browser to use only HTTPS for the domain, for a defined duration. It closes the interception window that exists on the very first HTTP access.
In practice
One header line, one clear gain: no request ever travels unencrypted again, even from an http:// link or direct address bar entry. The preloaded version — registration on browser preload lists — eliminates even the first vulnerable visit. Precaution: enable only once certain that HTTP will never be served again, including subdomains if the option covers them.