HSTS tells the browser 'this site is always HTTPS'.
Why
A 301 redirect isn't enough: the first connection can still go over HTTP, where a MITM is possible.
Header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
HSTS Preload List
hstspreload.org: Google's list. All browsers know it.
Caution
Once enabled, it is hard to roll back. Test carefully.