
Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

What it does

HSTS tells the browser to reach this host only over HTTPS for max-age seconds (one year in the example above), which defeats protocol-downgrade attacks.

The gotcha

The .app and .dev TLDs are on the HSTS preload list wholesale — plain HTTP cannot work under them at all, which surprises local-dev setups that use such hostnames.
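As an added example (not code from this page or from ReqPad) covering both the directives above and the preloaded-TLD gotcha: a small parser for the Strict-Transport-Security value following RFC 6797's directive rules, a check against the preload list's usual max-age/includeSubDomains/preload requirements, and a helper that flags hostnames whose whole TLD is preloaded. The one-year threshold and the {app, dev} set are taken from the text; the function names are my own.

```python
from dataclasses import dataclass

ONE_YEAR = 31536000              # seconds, as in the example header above
PRELOADED_TLDS = {"app", "dev"}  # TLDs the page notes are preloaded wholesale

@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(value: str) -> Hsts:
    """Parse an HSTS value per RFC 6797: ';'-separated, case-insensitive
    directive names, max-age required, no directive repeated."""
    pol, seen = Hsts(max_age=-1), set()
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            pol.max_age = int(arg)
        elif name == "includesubdomains":
            pol.include_subdomains = True
        elif name == "preload":
            pol.preload = True
    if pol.max_age < 0:
        raise ValueError("max-age directive is required")
    return pol

def preload_findings(h: Hsts) -> list[str]:
    """Reasons the policy would not be accepted by the browser preload list
    (empty list means it meets the max-age/includeSubDomains/preload rules)."""
    out = []
    if h.max_age < ONE_YEAR:
        out.append(f"max-age {h.max_age} is below one year ({ONE_YEAR})")
    if not h.include_subdomains:
        out.append("includeSubDomains missing")
    if not h.preload:
        out.append("preload token missing")
    return out

def http_blocked_by_tld(host: str) -> bool:
    """True when plain http:// cannot work because the whole TLD is preloaded."""
    return host.rstrip(".").rsplit(".", 1)[-1].lower() in PRELOADED_TLDS
```

Unknown directives are ignored, as the RFC requires, so a value such as `max-age=0` parses but is reported as far below the preload threshold.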

Debugging headers on a phone

The fastest way to see what Strict-Transport-Security is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history.

Inspect Strict-Transport-Security on a live request.

Build the request, send it, read raw headers and timing — from your iPhone. Free to start.