HSTS

HTTP Strict Transport Security -- a response header instructing browsers to use HTTPS for the domain for a fixed duration, preventing protocol downgrade.

HSTS (HTTP Strict Transport Security) is set via the Strict-Transport-Security response header, which browsers honour only when it arrives on an HTTPS response. Once a browser has seen the header, it remembers the domain as HTTPS-only for max-age seconds and upgrades any http:// URL for that domain to https:// before sending it, even if the user types http:// or follows an HTTP link.

Recommended value: max-age=31536000; includeSubDomains (1 year, all subdomains). Add ; preload only after verifying every subdomain serves HTTPS -- preload entries are baked into Chrome's source code and are difficult to undo.

HSTS protects against SSL-stripping attacks on public Wi-Fi where an attacker intercepts the initial HTTP request and prevents the upgrade to HTTPS. The first visit to a site is still vulnerable (HSTS hasn't been seen yet); the preload list closes that gap by hard-coding the policy in the browser.
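The following is an added example, not part of the glossary page: it parses a Strict-Transport-Security header value, checks it against the recommended value above (max-age=31536000; includeSubDomains, with preload only when those are met), and models a browser's HSTS cache to show the first-visit gap and how a preload entry closes it. Directive handling follows RFC 6797 (names are case-insensitive, a header without max-age is ignored, the header is only honoured over HTTPS); the BrowserHsts class, hostnames and timestamps are constructed for illustration.

```python
"""Added example: parse and check an HSTS header, then model a browser's HSTS cache.

The BrowserHsts class below is a constructed illustration of the behaviour
described in RFC 6797, not any real browser's implementation.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ONE_YEAR = 31536000  # seconds; the recommended max-age and the preload-list minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means 'ignore this header'."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None                  # malformed max-age: header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, per RFC 6797
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def policy_findings(policy: Optional[HstsPolicy]) -> list[str]:
    """Compare a parsed policy with the recommended value; empty list means OK."""
    if policy is None:
        return ["header missing or invalid (no usable max-age)"]
    findings: list[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy; browsers forget the host")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings


@dataclass
class BrowserHsts:
    """Constructed model of a browser's HSTS cache: preloaded hosts plus learned hosts."""
    preloaded: set[str] = field(default_factory=set)          # baked into the browser
    known: dict[str, tuple[int, bool]] = field(default_factory=dict)  # host -> (expires_at, includeSubDomains)

    def observe(self, host: str, header: str, over_https: bool, now: int) -> None:
        """Record a policy from a response; plaintext HTTP responses are never trusted."""
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self.known.pop(host, None)       # max-age=0 removes the remembered policy
            return
        self.known[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str, now: int) -> bool:
        """True if the browser would rewrite http://host to https:// before sending."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            is_exact = candidate == host
            if candidate in self.preloaded:  # preload entries cover subdomains
                return True
            entry = self.known.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue                     # expired entry no longer protects
            if is_exact or include_sub:
                return True
        return False                         # first visit: plaintext request goes out
```

The browser model shows the gap the text describes: before a host's header has ever been seen over HTTPS, `must_use_https` is False and the initial request is sent in plaintext; after a valid header (or with the host in `preloaded`), every later http:// URL is upgraded until the entry expires.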
