by thirsteh 4558 days ago
It's necessary for HTTP requests. Are you being deliberately obtuse?
1 comments

It doesn't work if the user hasn't visited the site before because the HSTS header can be stripped just as easily.
The HSTS specification tells you not to put those headers in regular HTTP requests anyway.

Also, you're forgetting about browsers that ship with lists of HSTS-enabled sites.
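
Added example, not part of the thread: a simplified JavaScript model of how a browser applies HSTS under RFC 6797, covering the points raised above (a policy header seen over plain HTTP is ignored, a first visit is unprotected, and hosts on a shipped list are upgraded from the start). The `HstsStore` class, the hostnames and the preload entry are constructed for illustration and are not real browser code.

```javascript
// Simplified model of a browser's HSTS decisions (RFC 6797).
// Hostnames and the preload entry are constructed; real browsers do more.
class HstsStore {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded); // hosts shipped with the browser
    this.dynamic = new Map();            // host -> { expires, includeSubDomains }
  }

  // Record a response. A policy header seen over plain HTTP is ignored,
  // because an on-path attacker can strip or forge it.
  noteResponse(scheme, host, header, now) {
    if (scheme !== "https" || !header) return false;
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i.exec(header);
    if (!m) return false;
    host = host.toLowerCase();
    if (Number(m[1]) === 0) { this.dynamic.delete(host); return true; }
    this.dynamic.set(host, {
      expires: now + Number(m[1]) * 1000,
      includeSubDomains: /(?:^|;)\s*includeSubDomains\s*(?:;|$)/i.test(header),
    });
    return true;
  }

  // True if the host, or a parent that covers subdomains, has a live policy.
  isKnown(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const name = labels.slice(i).join(".");
      if (this.preloaded.has(name)) return true; // assumption: preload covers subdomains
      const e = this.dynamic.get(name);
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // URL the browser will actually request for a typed or linked URL.
  resolve(url, now) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnown(u.hostname, now)) u.protocol = "https:";
    return u.href;
  }
}
```
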