I think we're probably at the endgame where ordinary people start to benefit from HTTPS-by-default. Ten years ago it was way too annoying for me to even suggest to my mother that she should have this, although I did use it myself because I understand the caveats, but today "We don't have HTTPS" either means you don't really support web browsers (e.g. some protocols deliberately are HTTP-based but don't use TLS and some even can't if they wanted to) or that the whole site is mothballed so if it didn't have TLS in 2015 it still doesn't today.
As we transition ordinary users to HTTPS-by-default the HSTS feature loses importance. The target audience for HSTS isn't me, or the package management software I run, or some Python code using requests, it's my mother and sister and other ordinary users, and so if they increasingly have HTTPS-by-default then HSTS stops mattering.
HSTS remains a broken antifeature which violates the covenant of a browser agent being a browser agent. (A server should never have more authority than me in dictating how my agent works.)
Firefox refuses to support the ability to bypass HSTS, which generally means I'm forced to use a different browser when HSTS is getting in the way of me doing my job.
(Thankfully or unfortunately, Chromium-based browsers violate the HSTS spec and allow bypass. But there seems to be no appetite to actually repair the HSTS spec to permit this.)
It's a note at the very end, but there are TLDs like .dev where all domains under it have HTTPS enforced.
Honest question/thought - at this point, where we have all HTTP requests for a site just redirecting everything to HTTPS, we use HSTS, and browsers default to trying HTTPS when a scheme is not given, why don't we just stop serving on port 80 altogether? Why even bother with HSTS?