HSTS stands for HTTP Strict Transport Security and it's a security header that was created as a way to force the browser to use secure connections when a site is running over HTTPS.
When a user connects to a site using HTTPS, the website then encrypts the session with a secure sockets layer (SSL) certificate. One of the flaws associated with HTTPS is that it isn't entirely hack-proof: it leaves your site open to SSL stripping. This often occurs with 301 redirects if a website relies on 301 redirects for switching from HTTP to HTTPS. While this doesn't seem like a big deal, it's those few milliseconds in between you really need to worry about because it leaves the site vulnerable to hackers who try to strip down your SSL certificate. The solution for this issue is to add a Strict Transport Security response header.
An HSTS enabled server can include the following header in an HTTPS reply:
Strict-Transport-Security: max-age=16070400; includeSubDomains