Why is HTTP Strict Transport Security important for web applications?
HTTP Strict Transport Security (HSTS) is a technique for ensuring that web applications only use TLS for safe transport. Users are protected from the passive receiver and active man-in-the-middle (MITM) attacks.
It also imposes strong security measures such as blocking mixed content and click-through certificate upgrades, as well as safeguarding against web server errors such as loading JavaScript over an insecure connection.
There are semantically distinct ways to send HSTS headers, as defined in RFC 6797:

- Strict-Transport-Security: max-age=31536000
  The HSTS policy is applied only to the domain of the HSTS host issuing it and remains in effect for one year.
- Strict-Transport-Security: max-age=31536000; includeSubDomains
  The HSTS policy is applied to the domain of the issuing host as well as its subdomains and remains in effect for one year.
- Strict-Transport-Security: max-age=0
  Directs the browser to delete the entire HSTS policy.
1. The browser saves the Strict-Transport-Security header the first time your site is viewed using HTTPS and returns it, so that future attempts to load the site using HTTP will automatically utilize HTTPS instead.
2. When the Strict-Transport-Security header's expiration timer runs out, the next attempt to load the site through HTTP will proceed normally rather than automatically using HTTPS.
3. The expiration time for that site will be updated whenever the Strict-Transport-Security header is given to the browser, allowing sites to refresh this information and prevent the timeout from expiring.
4. If you need to disable Strict Transport Security, set the max-age to 0 (over an HTTPS connection) and the Strict-Transport-Security header will be immediately expired, allowing access over HTTP.
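To make the header variants from the earlier reply and the browser behaviour listed above concrete, here is an added example (not code from any poster or from a real browser) that models a browser-side HSTS cache: it parses the Strict-Transport-Security header, ignores it when received over plain HTTP, refreshes the expiry on every receipt, honours includeSubDomains, treats max-age=0 as deletion, and lets an http:// request proceed normally once the policy has expired. The HstsStore class, its method names and the example.com hosts are constructed for illustration.

```python
import re
import time


class HstsStore:
    """Constructed model of a browser's HSTS cache following RFC 6797 rules."""

    def __init__(self):
        # host -> (expiry timestamp, include_subdomains flag)
        self._entries = {}

    def process_header(self, host, header_value, over_https, now=None):
        """Apply a Strict-Transport-Security header received from `host`.
        Returns True if the cache changed, False if the header was ignored."""
        now = time.time() if now is None else now
        if not over_https:
            # Headers seen over plain HTTP are ignored; otherwise an on-path
            # attacker could plant or erase a policy.
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not re.fullmatch(r"\d+", max_age):
            return False  # max-age is mandatory; a malformed header is dropped
        host = host.lower()
        if int(max_age) == 0:
            # max-age=0 deletes the stored policy for this host immediately
            return self._entries.pop(host, None) is not None
        # Each receipt refreshes the expiry, so a live site never times out.
        self._entries[host] = (now + int(max_age), "includesubdomains" in directives)
        return True

    def should_upgrade(self, host, now=None):
        """Decide whether an http:// request to `host` must become https://."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # host itself, then each parent domain
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self._entries[candidate]  # expired: plain HTTP proceeds normally
                continue
            if i == 0 or include_subdomains:
                return True
        return False
```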