
If I have HSTS enforced on a web server with HTTPS 443, but HTTP port 80 is still open, does this make HTTP still accessible, or only for the first time before it's added to the browser HSTS list?

I imagine best practice would be just to disable listening on HTTP completely.

schroeder
Sjim49
  • The web is slowly moving to the 'HTTPS-Only' standard, which means only running HTTPS on port 443 and disabling HTTP on port 80. But you still need HSTS, to prevent an sslstrip attack, where an attacker between the client and your web server impersonates an HTTP version of your site and lures the client to the HTTP site. See https://https.cio.gov/guide/#if-plain-http-is-entirely-disabled-on-my-server-do-i-still-need-hsts for more info. – mti2935 Mar 14 '22 at 15:00
  • The best practice is to get your site [HSTS preloaded](https://hstspreload.org/) if you haven't already. That way, browsers will never connect to your site over HTTP, not even the first time. – nobody Mar 14 '22 at 16:08

1 Answer


It doesn't much matter, actually, so long as your site immediately redirects any HTTP requests to HTTPS (by the way, the ports are completely irrelevant; you can listen for either HTTP or HTTPS on any TCP port, even swap them so that you listen for HTTP on 443 and HTTPS on 80, if you want; the default ports are just that, defaults, nothing more). If your site redirects HTTP to HTTPS, and sends the Strict-Transport-Security header with all HTTPS responses, then you should be fine in the case that there's no active attacker. The initial request won't contain any sensitive data (so a passive attacker won't get anything) and the browser would never again connect over plain HTTP.

In the event of an actual attacker, it doesn't actually matter whether your server listens for plain HTTP or not. The attacker can impersonate your server (plain HTTP doesn't have server authentication, after all) and send whatever responses it likes; there's no need to actually let the victim reach your server (directly) at all. It's good that you're pre-loading HSTS, as that's the best protection against such attacks; even if they're only possible the first time a victim tries to connect to your site, better that there be no opportunity at all.

Given that, it's fine to leave the HTTP listener alive (just make sure it's auto-redirecting). You can take it down once the updated preload list has probably rolled out to everybody, but it's not important that you do so.

CBHacking
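The behaviour the answer describes (a plain-HTTP listener that only redirects, an HTTPS response that carries Strict-Transport-Security, a browser that upgrades internally on every later visit, and an sslstrip-style attacker who simply answers the plain-HTTP request himself) can be simulated end to end. The following is an added example, not code from the question, the answer or the comments: the browser, the origin and the attacker are small in-memory simulations, the hostname `example.test` and the header value are constructed, and `preload_problems` checks the three header requirements published on hstspreload.org (max-age of at least one year, includeSubDomains, preload).

```python
"""Simulated HSTS behaviour: the first visit may touch plain HTTP, every later
visit is upgraded before any request leaves the browser.  Added example; the
browser/origin/attacker below are in-memory simulations, not real servers."""
import time
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 31_536_000  # minimum max-age hstspreload.org accepts for submission
HSTS_VALUE = "max-age=63072000; includeSubDomains; preload"  # constructed sample header


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directive names."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list:
    """Reasons a header would be rejected by the hstspreload.org submission form."""
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d or not d["max-age"].isdigit():
        problems.append("max-age missing or not an integer")
    elif int(d["max-age"]) < SECONDS_PER_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({SECONDS_PER_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def https_redirect(host: str, path: str) -> tuple:
    """What the plain-HTTP listener should answer: 301 to the same host and path over HTTPS."""
    return 301, {"Location": f"https://{host}{path}"}


def origin(scheme: str, host: str, path: str) -> tuple:
    """A correctly configured site: HTTP only redirects, HTTPS serves the HSTS header."""
    if scheme == "http":
        return https_redirect(host, path)
    return 200, {"Strict-Transport-Security": HSTS_VALUE}


def sslstrip_attacker(scheme: str, host: str, path: str) -> tuple:
    """Man-in-the-middle: answers plain HTTP itself (no redirect, no HSTS), so a victim who
    starts on http:// never reaches HTTPS.  The HTTPS side cannot be forged without the key."""
    if scheme == "http":
        return 200, {}
    return origin(scheme, host, path)


@dataclass
class Browser:
    hsts: dict = field(default_factory=dict)        # host -> expiry (epoch seconds)
    preloaded: set = field(default_factory=set)     # hosts baked into the preload list
    log: list = field(default_factory=list)         # every URL actually requested

    def _https_only(self, host: str) -> bool:
        expiry = self.hsts.get(host)
        return host in self.preloaded or (expiry is not None and expiry > time.time())

    def navigate(self, url: str, server) -> int:
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        path = "/" + path
        if scheme == "http" and self._https_only(host):
            scheme = "https"  # internal upgrade: no plain-HTTP request is ever sent
        self.log.append(f"{scheme}://{host}{path}")
        status, headers = server(scheme, host, path)
        if status == 301:
            return self.navigate(headers["Location"], server)
        if scheme == "https" and "Strict-Transport-Security" in headers:
            d = parse_hsts(headers["Strict-Transport-Security"])
            self.hsts[host] = time.time() + int(d.get("max-age", "0"))
        return status


if __name__ == "__main__":
    b = Browser()
    b.navigate("http://example.test/login", origin)      # first visit: one plain-HTTP hop
    b.navigate("http://example.test/account", origin)    # later visit: upgraded internally
    print("\n".join(b.log))
    print("preload problems:", preload_problems(HSTS_VALUE) or "none")
```

Run against `origin`, a fresh browser's log shows exactly one plain-HTTP request (the redirect) followed by HTTPS only; run against `sslstrip_attacker`, the same fresh browser stays on plain HTTP, while a browser that already has the host cached or preloaded never emits the HTTP request at all, which is the answer's point about preloading closing the first-visit window.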