SecPrep

What does the Strict-Transport-Security (HSTS) header do, and what is preload?

HSTS (Strict-Transport-Security: max-age=63072000; includeSubDomains; preload) tells the browser to use HTTPS only for the domain for the next max-age seconds (here two years), so once the policy has been seen the browser will not follow an http:// link or a plain-HTTP redirect to that host; this defeats SSL-strip / downgrade MITM attacks after the first visit. includeSubDomains extends the policy to all subdomains. preload submits the domain to a list baked into browsers, so HTTPS is enforced even on the very first visit, closing the first-visit gap. Caveat: preload is hard to undo and requires every subdomain to support HTTPS, so roll it out carefully.
