by dingaling 4435 days ago
Sadly not, because I haven't yet understood the interaction of HSTS and old plain-HTTP URLs.

What happens when a browser goes to retrieve, say, an image at http://example.com/img223.JPEG but the server now enforces HSTS and pulls up TLS?

When I've tried this with a subsite the image fails to load, and I haven't yet had time to investigate why.

Perhaps I should just draw a line and let the old URLs break.

1 comment

My understanding is that HSTS is purely for the client side. You can still have a server that serves HTTP if you want, but any client that supports HSTS that has visited your domain since you started sending the header will simply add TLS to any http:// link that it comes across.

So your image link can still be served, but if the client does support HSTS it'll see the header and then make all subsequent requests over TLS.
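The mechanism the reply describes, as an added example that is not part of the thread: a small model of the client-side HSTS logic from RFC 6797, written here for illustration rather than taken from any browser. It shows the parts that matter for the old-URL question. The Strict-Transport-Security header is only honoured on a response received over TLS with no certificate errors (a header on a plain-HTTP response is ignored), the host is remembered for max-age seconds, subdomains are covered only when the header says includeSubDomains, and a later http:// request to a remembered host is rewritten to https:// inside the client before it is sent. The timeline in `demo()` and the host names are constructed for the example.

```javascript
// Added example, not from the HN thread: a minimal model of an HSTS-aware
// client (RFC 6797). Host names, timestamps and header values below are
// constructed sample input.

// Parse a Strict-Transport-Security header value. Returns null when the
// header is unusable (no valid max-age); unknown directives are ignored.
function parseHsts(headerValue) {
  const d = { maxAge: null, includeSubDomains: false };
  for (const rawPart of headerValue.split(';')) {
    const part = rawPart.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : part.slice(eq + 1).trim();
    if (value !== null && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // the spec allows a quoted-string value
    }
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      d.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      d.includeSubDomains = true;
    }
  }
  return d.maxAge === null ? null : d;
}

class HstsStore {
  constructor() { this.hosts = new Map(); } // host -> { expires, includeSubDomains }

  // Record the header from a response. `secure` must be true only for a
  // response fetched over TLS without certificate errors; otherwise the
  // header is ignored, which is why a plain-HTTP visit never enables HSTS.
  observeResponse(host, secure, headerValue, nowSec) {
    if (!secure || headerValue === undefined) return false;
    const d = parseHsts(headerValue);
    if (d === null) return false;
    const key = host.toLowerCase();
    if (d.maxAge === 0) { this.hosts.delete(key); return true; } // max-age=0 forgets the host
    this.hosts.set(key, { expires: nowSec + d.maxAge, includeSubDomains: d.includeSubDomains });
    return true;
  }

  // Is `host` itself, or a parent domain with includeSubDomains, a known HSTS host?
  isKnown(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= nowSec) { this.hosts.delete(candidate); continue; } // expired
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The rewrite the client applies before sending: http:// becomes https://
  // for known hosts; https:// URLs and unknown hosts are left alone. The URL
  // class drops an explicit default port, so http://host:80/ becomes
  // https://host/ (port 443), while a non-default port is kept as-is.
  rewriteUrl(urlString, nowSec) {
    const url = new URL(urlString);
    if (url.protocol !== 'http:' || !this.isKnown(url.hostname, nowSec)) return url.href;
    url.protocol = 'https:';
    return url.href;
  }
}

// Constructed timeline for the scenario in the thread: an old plain-HTTP
// image URL on a site that has started sending the HSTS header.
function demo() {
  const store = new HstsStore();
  const img = 'http://example.com/img223.JPEG';
  const sub = 'http://static.example.com/img223.JPEG';
  const out = {};
  out.beforeVisit = store.rewriteUrl(img, 1000);            // never seen the header: plain HTTP
  out.ignoredOverHttp = store.observeResponse('example.com', false, 'max-age=31536000', 1000);
  out.afterHttpHeader = store.rewriteUrl(img, 1001);        // still plain HTTP
  out.acceptedOverTls = store.observeResponse('example.com', true, 'max-age=31536000', 1002);
  out.afterTlsHeader = store.rewriteUrl(img, 1003);         // now rewritten to https://
  out.subdomainNoInclude = store.rewriteUrl(sub, 1004);     // subdomain not covered
  store.observeResponse('example.com', true, 'max-age=31536000; includeSubDomains', 1005);
  out.subdomainWithInclude = store.rewriteUrl(sub, 1006);   // now covered
  out.otherHost = store.rewriteUrl('http://example.org/img223.JPEG', 1006);
  out.afterExpiry = store.rewriteUrl(img, 1005 + 31536000); // entry expired: plain HTTP again
  return out;
}

module.exports = { parseHsts, HstsStore, demo };
```

The practical consequence for old http:// links is visible in `demo()`: a client that has only ever reached the site over plain HTTP keeps sending plain-HTTP requests, so whether those URLs keep working depends on what the server still does on port 80; a client that has received the header over TLS never sends them in the clear at all; and a header sent by one host name does not cover a sibling or parent host unless includeSubDomains is set on the parent.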