A couple of things I learned yesterday when browsing Hacker News.
Upgrade-Insecure-Requests
Content-Security-Policy: upgrade-insecure-requests;
This means that if, for any reason, non-navigational content on your website is referenced over http instead of https (by mistake), the browser will try to fetch it via https. This won’t change navigation <a> links to 3rd party websites.
HTTP Strict-Transport-Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
This header instructs the browser that this website must be accessed only via https for as long as the header has not expired. Even if you click on a link with http or type the URL by hand using http, the browser will automatically treat it as https.
But this works only after you have first visited the website via HTTPS.
HSTS Preload
If you visit the website http://example.com for the first time, there’s a possibility that you’ll be the victim of a man-in-the-middle attack.
The attacker hijacks your HTTP request, calls the original website themselves via HTTPS and then returns the response to you via HTTP, without the Strict-Transport-Security header.
In order to make sure that your website is always accessed via HTTPS, you need to add it to the pre-loaded list of websites curated by browser vendors. This is the only way the browser will know it has to use HTTPS on the very first visit, without having received the header beforehand.
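As an added example (not from the original post), the following Python models what the mechanisms above look like from the browser's side: a toy HSTS cache that only trusts the header when it arrives over HTTPS, an expiry check, and a preload list consulted before the first request is even sent. The `HstsStore` class, the hostnames and the `preload_eligible` check (which applies the max-age, includeSubDomains and preload requirements that hstspreload.org publishes) are assumptions for illustration, not part of the post.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    # max-age is mandatory; a header without it is ignored by browsers
    return policy if policy["max_age"] is not None else None

def preload_eligible(policy):
    """Header-level requirements for submission to the browser preload list."""
    return bool(policy and policy["max_age"] >= ONE_YEAR
                and policy["include_subdomains"] and policy["preload"])

class HstsStore:
    """Toy model (assumption) of a browser's HSTS cache plus a static preload list."""
    def __init__(self, preload_list=()):
        self.expiry = {}                  # host -> time at which the policy expires
        self.preloaded = set(preload_list)

    def observe(self, url, headers, now):
        """Record the policy of a response; browsers only honour it over HTTPS."""
        parts = urlsplit(url)
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or policy is None:
            return False
        if policy["max_age"] == 0:
            self.expiry.pop(parts.hostname, None)   # max-age=0 deletes the entry
        else:
            self.expiry[parts.hostname] = now + policy["max_age"]
        return True

    def resolve(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        known = parts.hostname in self.preloaded or self.expiry.get(parts.hostname, 0) > now
        if parts.scheme == "http" and known:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The first `http://` visit of a host that is neither cached nor preloaded goes out in plain HTTP, which is exactly the window the preload list closes.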