Is the Strict-Transport-Security header intended for HTTP or HTTPS? What I mean is, do I respond with this header on an HTTP connection, which in turn tells the browser to use HTTPS only from that point on? Or is this header only used on an HTTPS response, and will tell the browser to use HTTPS only from then on?
I'm trying to make my site redirect from HTTP to HTTPS if a client tries to access my site under HTTP. So, I'm interested in whether the strict-transport-security header is used for this purpose, or can be used for this purpose.