Read the blog post: How to enable HTTP Strict Transport Security (HSTS) in IIS7+.

HTTP Strict Transport Security (HSTS) is an IETF standards-track protocol specified in RFC 6797. It lets a web server declare that web browsers (and other complying user agents) should only interact with it over secure HTTPS connections, never over the insecure HTTP protocol. The HSTS policy specifies a period of time during which the user agent should access the server only in a secure fashion, and the server communicates that policy to the user agent through an HTTP response header field named Strict-Transport-Security. Adding an HSTS header is therefore important after you have added SSL to your WordPress website, so that browsers automatically request your HTTPS address.
HSTS improves security and prevents man-in-the-middle attacks, downgrade attacks, and cookie hijacking: it is a web security policy mechanism that protects secure HTTPS websites against downgrade attacks and greatly simplifies protection against cookie hijacking. IIS 8.5 is the IIS version shipped with Windows Server 2012 R2; IIS 10.0 ships with Windows Server 2016 and up.

Enable and serve an HTTP Strict Transport Security (HSTS) response header in IIS 10.0 and 8.5
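The following web.config is an added example, not part of the original post, showing both ways of serving the header on the IIS versions named above: the native hsts element available in IIS 10.0 version 1709 and later, and, for IIS 8.5 (which lacks it), a URL Rewrite outbound rule that only adds the header to HTTPS responses. The rule name and the one-year max-age are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- IIS 10.0 version 1709 and later: native HSTS support.
         redirectHttpToHttps sends plain-HTTP requests to HTTPS, so the
         policy is delivered only over a secure connection.
         max-age of one year (31536000 s) is an assumed value; start
         lower while you confirm every subdomain really serves HTTPS. -->
    <hsts enabled="true"
          max-age="31536000"
          includeSubDomains="true"
          redirectHttpToHttps="true" />

    <!-- IIS 8.5 (and IIS 10.0 before 1709): URL Rewrite outbound rule.
         Unlike a plain customHeaders entry, the {HTTPS} condition keeps the
         header off HTTP responses, where RFC 6797 says user agents must
         ignore it anyway. The rule name is a constructed value. -->
    <rewrite>
      <outboundRules>
        <rule name="Add Strict-Transport-Security" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
                 pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite"
                  value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Use only the section that matches your IIS version so the header is not emitted twice; the rewrite section also requires the URL Rewrite module to be installed.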