Old links to your site might still be http - HSTS prevents that request being in the clear. Also, if you have a man-in-the-middle attack, it doesn't matter if you return a redirect or not as the attacker has already replaced your site with a phishing attack instead of a redirect. HSTS prevents this.
RamRodification|2 months ago
toast0|2 months ago
Not serving on port 80 means a passive viewer won't see any content, but if you were just serving a redirect, there's not much content to see.
IMHO, if you use HSTS preload and you prime HSTS by serving your favicon with https and HSTS, you can go ahead and serve your (unauthenticated) content with http. A modern browser will switch over to https; a MITM could fetch your https pages and return them over http; and you'll be accessible on ancient browsers that can't manage modern TLS.
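The header-side mechanics behind the comment above, as an added example that is not part of the thread: a `Strict-Transport-Security` parser following RFC 6797, the rule that a browser ignores the header on plain-http responses (so the priming request has to be https), and the preload-list criteria published on hstspreload.org. Function names and sample headers are constructed for illustration.

```python
# Added example; all inputs are constructed, none come from the thread.
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns a dict, or None when the header is invalid and must be ignored.
    """
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]              # max-age may be a quoted-string
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen[name] = value
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is the one required directive
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def policy_noted(scheme, header):
    """Model of the browser rule: the header only counts on an https response."""
    if scheme != "https":
        return None                          # RFC 6797 section 8.1: ignore over http
    return parse_hsts(header)


def preload_eligible(policy):
    """Header criteria for preload submission: one year, subdomains, preload token."""
    return bool(
        policy
        and policy["max_age"] >= PRELOAD_MIN_AGE
        and policy["include_subdomains"]
        and policy["preload"]
    )
```

A header that parses but carries a short `max-age` still protects returning visitors for that period; it just does not qualify for the preload list.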
ycombinatrix|2 months ago
meindnoch|2 months ago
No.