by CraigBuchek 6161 days ago
I'm not seeing how this is a big improvement over an HTTP redirect (via a Location header) to the HTTPS site -- beyond a single connection for each session, to redirect to the HTTPS site. Nor any improvement over RFC2817 HTTP Upgrade to TLS, which has the advantage of allowing virtual hosting of multiple secure sites on a single port on a single IP address.

There is an improvement over an HTTP redirect to the HTTPS site. Such redirects usually occur in the beginning of every session (or, at least, of some sessions). An active attacker could intercept the redirect at any time, à la Moxie Marlinspike's sslstrip: http://www.thoughtcrime.org/software/sslstrip/ . But once the browser has received the X-Force-TLS header, it will avoid accessing the site over HTTP at all, thus preventing that kind of attack. In other words, the browser will now automatically perform the redirect without issuing any insecure HTTP requests to the site.
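The client-side behaviour the reply describes, as an added illustration that is not code from either commenter: the browser records the header only from an HTTPS response, then rewrites later http:// URLs for that host to https:// before any request leaves the machine, so the redirect an active attacker could intercept is never issued. The `max-age=<seconds>` directive syntax is an assumption borrowed from the later HSTS design; the thread itself does not state the header's grammar.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example of a minimal "force TLS" store on the client side.
# The max-age syntax is an assumption, not something the thread specifies.
HEADER = "x-force-tls"

class ForceTlsPolicy:
    def __init__(self):
        self.expiry = {}  # host -> absolute time (seconds) until which TLS is forced

    def observe_response(self, url, headers, now):
        """Record the policy, but only from a response that arrived over HTTPS.
        A header seen over plain HTTP could have been injected by the same
        active attacker the policy is meant to defeat, so it is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = {k.lower(): v for k, v in headers.items()}.get(HEADER)
        if value is None:
            return False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age" and arg.isdigit():
                self.expiry[parts.hostname] = now + int(arg)
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// locally, before any request is sent,
        for hosts with an unexpired policy; everything else passes through."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.expiry.get(parts.hostname, 0) > now:
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

def walkthrough():
    """The sequence the thread describes: the very first visit is still exposed
    (nothing is known yet), later visits never leave the client over HTTP."""
    policy = ForceTlsPolicy()
    t0 = 1_000_000
    first = policy.rewrite("http://example.com/login", t0)  # unchanged: no policy yet
    # The HTTPS response (reached via the usual redirect) carries the header.
    policy.observe_response("https://example.com/login", {"X-Force-TLS": "max-age=86400"}, t0)
    later = policy.rewrite("http://example.com/account?x=1", t0 + 60)  # upgraded locally
    expired = policy.rewrite("http://example.com/", t0 + 86400 + 1)  # policy has lapsed
    return first, later, expired
```

The first rewrite shows the remaining window: until the header has been seen once over HTTPS, the initial plain-HTTP request (and its redirect) is still exposed.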