The HSTS is a web security policy mechanism that allows web servers to order browsers that connect to it or any of its subdomains to use a secure connection, and it does so via a HTTP response header field named "Strict-Transport-Security".
If a website has an active HSTS policy, the browser automatically modifies HTTP URLs into HTTPS ones before it tries to access the server, and if that is not possible, the user is presented with an error message and can't access the website.
HSTS is aimed at preventing cookie-stealing attacks and man-in-the-middle attacks that secretly strip the SSL from the connections, making them by default insecure (as demonstrated by Moxie Marlinspike back in 2009 at BlackHat).
The header is already deployed and implemented by several websites (PayPal, Etsy, Google Play, the DefCon website, and others) and browsers (Chrome, Firefox, Opera, etc, but not IE and Safari).
The draft of the standard is available here.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.