At 10:00 on July 27, 2016, Wednesday, we will conduct a mendel launch to permanently enable HSTS on 100% of www.google.com/* users (via cookiemod) with a 1 day header expiration.
This will permanently implement HSTS on www.google.com. Plan is HERE. We are using the DiRT template for completeness.
www.google.ccTLDs (e.g., www.google.de) are out of scope.
What is HSTS (HTTP Strict Transport Security)?
HSTS is an HTTP response header field named "Strict-Transport-Security". It is an enforcement mechanism for SSL/TLS: a site sends it to tell browsers that the site must only ever be reached over HTTPS.
Why do we need HSTS on www.google.com?
We need HSTS on Google domains, such as www.google.com, to protect against downgrade attacks. Once a modern browser (one that supports HSTS) has received this header from a domain over HTTPS, it will refuse to send any communication to that domain over plain HTTP for as long as the header's expiry lasts, upgrading http:// links to https:// by itself. See FAQ.
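To make the two answers above concrete, here is a small Python model of the browser side of HSTS: parsing the Strict-Transport-Security header, remembering the host for max-age seconds, and upgrading later http:// requests to https://. This is an added example, not code from the original post or from Google; the host names, header values and clock are constructed for the illustration, and since the exact header value Google will send is not in the post, `max-age=86400` simply stands in for the one-day expiry the announcement mentions.

```python
"""Minimal model of a browser's HSTS handling (added example, constructed data)."""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time after which the policy lapses
    include_subdomains: bool   # whether the policy also covers subdomains


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Returns None when the header must be ignored: max-age is mandatory, must be
    numeric, and each directive may appear only once (RFC 6797 section 6.1).
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", raw):
                return None        # duplicate or non-numeric max-age: ignore header
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (e.g. "preload") are ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """In-memory stand-in for the browser's list of known HSTS hosts."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._hosts: Dict[str, HstsEntry] = {}

    def process_response(self, host: str, header_value: Optional[str],
                         secure: bool = True) -> bool:
        """Apply the STS header from a response for `host`; True if the policy changed.

        The header is only honoured when it arrived over TLS: an attacker on a
        plain-HTTP connection must not be able to set (or clear) the policy.
        """
        if not secure or header_value is None:
            return False
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self._hosts[host] = HstsEntry(self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """Exact match first, then parent domains that set includeSubDomains."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._hosts[candidate]   # policy lapsed: behave as if never seen
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request is sent.

        This happens inside the browser, so no plaintext request ever leaves it
        and there is nothing on the wire for a downgrade attack to intercept.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # constructed: a one-day policy like the rollout described in the post
    store.process_response("www.google.com", "max-age=86400")
    print(store.rewrite("http://www.google.com/search?q=hsts"))   # upgraded to https://
    print(store.rewrite("http://mail.google.com/"))               # untouched: no includeSubDomains
```

Two details worth noticing: the header is ignored unless it arrived over TLS (otherwise a network attacker could set or clear the policy), and the policy simply lapses when max-age runs out, which is why a one-day expiry is a cautious first step: a long max-age cannot be undone on clients that have already cached it if the HTTPS deployment turns out to be broken.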
Here is the HSTS cheatsheet by OWASP: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
HSTS was standardized in 2012, but many websites still don't send the HSTS header. I found this video very apt for understanding why we need the HSTS header to enforce HTTPS connections for every page of a website. https://www.youtube.com/watch?v=zEV3HOuM_Vw
If we want to make our own websites secure as well, we should follow what Google is about to implement. Let me know your feedback on the HSTS implementation and its pros and cons.