What it is
HSTS is a response header that tells a browser to only ever contact your domain over HTTPS. Once a browser has seen it, it refuses to make a plain-HTTP request to your site at all, even if a user types `http://` or follows an old link.
Why it matters
Without HSTS there is a window, typically the very first request, where a visitor can be silently downgraded to unencrypted HTTP and intercepted on a hostile network. HSTS closes that window for every returning visitor. It is a single header with a large payoff, which is why its absence is a common, easily fixed finding.
How WebGuard checks it
WebGuard reads the response headers your public site returns and reports whether Strict-Transport-Security is present, and whether its policy is strong (a long max-age, ideally covering subdomains). It never sends intrusive requests; it only observes what your server already returns.
A sensible starting configuration:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload