by Ellipsis753 166 days ago
Old links to your site might still be http - HSTS prevents that request from being sent in the clear. Also, if you have a man-in-the-middle attack, it doesn't matter if you return a redirect or not, as the attacker has already replaced your site with a phishing attack instead of a redirect. HSTS prevents this.

Your second example would also be prevented by just not serving on port 80 as the parent comment suggests, no?
A MITM can intercept the SYNs to port 80 and send their own SYN+ACK.

Not serving on port 80 means a passive viewer won't see any content, but if you were just serving a redirect, there's not much content to see.

IMHO, if you use HSTS preload and you prime HSTS by serving your favicon with https and HSTS, you can go ahead and serve your (unauthenticated) content with http. A modern browser will switch over to https; a MITM could fetch your https pages and return them over http; and you'll be accessible on ancient browsers that can't manage modern TLS.
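To make the mechanism behind this sub-thread concrete, here is an added example (not code from the thread or from any poster) modelling what a browser's HSTS store does with a Strict-Transport-Security header per RFC 6797: the header is only honoured when it arrives over https, a known host has its http:// URLs rewritten to https:// before any packet is sent (so the port 80 redirect is never requested and cannot be intercepted), includeSubDomains and the preload list extend coverage, and the policy lapses when max-age runs out. The hosts `site.example`, `www.site.example`, `preloaded.example` and the response headers are constructed for the walkthrough; the preload eligibility check encodes the published hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload).

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_sts(header):
    """Parse a Strict-Transport-Security value into
    (max_age, include_subdomains, preload); None if max-age is missing/invalid."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


def preload_eligible(header):
    """hstspreload.org requires max-age >= 1 year, includeSubDomains and preload."""
    policy = parse_sts(header)
    return policy is not None and policy[0] >= ONE_YEAR and policy[1] and policy[2]


class HstsCache:
    """A browser's HSTS store: hosts learned from https responses plus a
    built-in preload list.  `now` is injectable so expiry can be tested."""

    def __init__(self, preload_hosts=(), now=time.time):
        self.now = now
        self.preload = {h.lower() for h in preload_hosts}
        self.known = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, url, headers):
        """Record the policy from a response.  RFC 6797 s8.1: the header is
        only honoured when it arrived over an error-free TLS connection, so a
        MITM on port 80 can neither set nor clear a policy.  Returns True if
        the cache changed."""
        parts = urlsplit(url)
        sts = headers.get("strict-transport-security")  # lowercase header names assumed
        if parts.scheme != "https" or sts is None:
            return False
        policy = parse_sts(sts)
        if policy is None:
            return False
        max_age, include_sub, _ = policy
        host = parts.hostname.lower()
        if max_age == 0:                      # max-age=0 revokes a stored policy
            return self.known.pop(host, None) is not None
        self.known[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, is covered."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:     # preload entries always cover subdomains
                return True
            entry = self.known.get(candidate)
            if entry is None or entry[0] <= self.now():
                continue                      # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser actually fetches: http:// becomes https://
        for a known host before any request leaves the machine."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def walkthrough():
    """The 'prime HSTS with the favicon' scenario, using constructed responses
    for the fictional hosts site.example and preloaded.example."""
    clock = [1_700_000_000.0]
    cache = HstsCache(preload_hosts=["preloaded.example"], now=lambda: clock[0])
    sts = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
    out = {}
    # A header seen over plain http is ignored: this is why the priming fetch must be https.
    out["sts_over_http_ignored"] = not cache.observe("http://site.example/favicon.ico", sts)
    out["before_priming"] = cache.rewrite("http://site.example/")
    cache.observe("https://site.example/favicon.ico", sts)
    out["after_priming"] = cache.rewrite("http://site.example/page?x=1")
    out["subdomain"] = cache.rewrite("http://www.site.example:80/")
    out["preloaded"] = cache.rewrite("http://a.preloaded.example/")
    clock[0] += ONE_YEAR + 1                  # policy lapses without a refresh over https
    out["after_expiry"] = cache.rewrite("http://site.example/")
    return out
```

The caveat the code makes visible: everything hinges on the first https fetch (or a preload-list entry). A visitor whose browser has never seen the policy, or whose stored policy has expired, still sends the http request, which is exactly the window an active attacker on port 80 needs.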

No, not really. You can still be MITMed on port 80.
Right. Clients (web browsers) would have to stop using it too for it to work I guess.
> no?

No.