I am definitely talking about HSTS. You only need HTTPS enabled and to send the "Strict-Transport-Security" header. It is very easy to set up, but it can also backfire pretty badly.
You don't seem to understand. Read again: I gave many scenarios where a certificate will be invalid, which will block all access to your site if HSTS is enabled.
My examples are for HSTS. I gave examples where a certificate is invalid. TLS fails when the certificate is invalid, and HSTS blocks access to your site.
HSTS says "This domain uses TLS and ONLY TLS. Ignore insecure connections to this domain. Remember this for x seconds." (should be harmless these days, why should it backfire?)
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security...
HPKP says "This domain uses this certificate. Also, remember this and ignore/complain when it differs in the future." (which is the problematic part)
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#How_It...
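A toy model of the HSTS policy store a browser keeps, added here to illustrate both sides of the exchange above: the "ONLY TLS, remember this for x seconds" semantics, and the lockout the other poster warns about (once a policy is cached, an invalid certificate is a hard failure with no click-through). This is constructed example code, not code from either commenter, from RFC 6797, or from any browser; the host names, header values and the fixed clock are assumptions, and the preload list is not modelled.

```python
"""Toy model of a browser's HSTS (RFC 6797) policy store.

Constructed example. It models three behaviours that matter in the
thread above:
  * the header is only honoured on an error-free TLS connection;
  * a cached policy upgrades http:// navigations to https://;
  * with a cached policy, a certificate error cannot be bypassed.
"""
import time
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time, seconds
    include_subdomains: bool


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the
    value is malformed (missing, duplicated or non-numeric max-age),
    which a conforming browser ignores.
    """
    max_age = None
    include_subdomains = False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host cache of HSTS policies, keyed by exact host name."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock (assumption for testing)
        self._policies = {}

    def observe(self, host: str, header: str, secure: bool) -> None:
        """Record a header seen in a response from `host`.

        `secure` models "received over TLS with no certificate errors";
        headers seen over plaintext or a broken TLS session are ignored.
        """
        if not secure:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:           # max-age=0 tells the browser to forget the host
            self._policies.pop(host, None)
            return
        self._policies[host] = HstsPolicy(self._now() + max_age, include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if `host` (or a parent with includeSubDomains) has an unexpired policy."""
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def navigate(store: HstsStore, url: str, cert_valid: bool) -> str:
    """What the user gets for a navigation, given the cached policies.

    Returns one of: "plaintext", "secure", "warning-bypassable",
    "hard-fail".
    """
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if store.is_known(host):
        scheme = "https"           # policy forces the upgrade
    if scheme == "http":
        return "plaintext"
    if cert_valid:
        return "secure"
    # Certificate error: without a policy the browser shows a warning the
    # user can click through; with one, the connection is simply refused.
    return "hard-fail" if store.is_known(host) else "warning-bypassable"


if __name__ == "__main__":
    s = HstsStore(now=lambda: 1000.0)
    s.observe("example.test", "max-age=31536000; includeSubDomains", secure=True)
    print(navigate(s, "http://example.test/", cert_valid=True))
    print(navigate(s, "https://www.example.test/", cert_valid=False))
```

The "hard-fail" branch is the lockout being argued about: the policy outlives the certificate, so a lapsed renewal, a wrong intermediate chain, or a subdomain served with the wrong certificate under includeSubDomains blocks every returning visitor until max-age elapses. The one recovery lever the protocol offers is a `max-age=0` response, which only helps if the site can still complete a clean TLS handshake.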