Problem
Some websites are designed to work over HTTPS only. In that case, the webmaster sometimes keeps the HTTP version reachable and redirects it to HTTPS. But this mechanism is not safe: the first request still goes out over plain HTTP, so the website can be the victim of a MITM attack.
Solution
To avoid this, you can tell browsers that the website must be contacted over HTTPS only. The browser will then transform
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" env=HTTPS
</IfModule>
Then you should visit https://hstspreload.org to enable HSTS Preload.
