If your site remains accessible via HTTP then it becomes trivial for an attacker…
HTTP Strict Transport Security (HSTS) is a response header that a server sends to a user agent, such as a browser, telling it that it must only connect using HTTPS.
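To make the header's semantics concrete, the following added example (not code from the original page) evaluates a `Strict-Transport-Security` value the way RFC 6797 tells a user agent to, and returns the policy it would record. The function name `parse_hsts` and the header values used with it are constructed for illustration.

```python
import re

# Directive names are HTTP tokens; this is the token character set.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(header_value, received_over_https=True):
    """Return the HSTS policy a user agent would record, or None if the
    header must be ignored. Policy: {"max_age": int, "include_subdomains": bool}.
    """
    # RFC 6797: the header is ignored when it arrives over plain HTTP, so it
    # protects nothing until the first successful HTTPS response.
    if not received_over_https:
        return None

    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives between semicolons are permitted
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form, e.g. max-age="600"
        if not _TOKEN.match(name) or name in directives:
            return None  # malformed name or repeated directive: ignore header
        directives[name] = value if sep else None

    # max-age is the one required directive and must be a non-negative integer.
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None

    # Unrecognised directives are skipped. A max_age of 0 tells the user agent
    # to stop treating the host as HTTPS-only.
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
    }
```

A `None` result means the browser stores no policy at all, which is the outcome to watch for when auditing a deployed header.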