HTTP Strict Transport Security Definition

HTTP Strict Transport Security (HSTS) uses a response header to inform client browsers that the site should only be accessed over SSL/TLS. The feature is intended to mitigate man-in-the-middle attacks that force a client's secure SSL/TLS session to connect via insecure HTTP. HSTS has a duration setting that tells clients how long the SSL/TLS preference should remain in effect. This setting only takes effect on an application that is configured to terminate SSL/TLS.

If an application is set up to support SSL/TLS only temporarily and HSTS has been enabled, it cannot be gracefully downgraded back to HTTP: client browsers will refuse to load the site over HTTP for as long as the remembered duration lasts. When HSTS is in effect, clients will also not accept a self-signed certificate.