Understanding HSTS: when a visitor enters a site without specifying a protocol, http is used by default, and only after that does the web server redirect them to the https URL.
This hides a risk: the first request is unencrypted, which does nothing to protect the visitor's privacy.
HSTS will tell the browser to force all subsequent access to use the https protocol.
Sites that pass review can also be built directly into the preload rules of mainstream browsers, which forces TLS encryption even for a visitor who has never opened your site before.
Submit a request: https://hstspreload.org
Websites that use Cloudflare can easily turn on HSTS.