Microsoft did not immediately respond to a request for comment sent Monday, but the company's status.modern.ie website lists the HSTS feature as "in development."
One problem with HSTS is that it assumes the first-ever connection from a browser to an HTTPS website is made securely, without a man-in-the-middle attacker interfering and stripping the HSTS policy header before the browser has had a chance to record it. To partially mitigate this problem, Google Chrome and Mozilla Firefox ship with preloaded lists of HSTS sites, so the policy is enforced for those sites even before a first visit.
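To make the trust-on-first-use weakness and the preload mitigation concrete, here is an added example (not code from the article or from any browser) modelling a browser's HSTS policy store: parsing the Strict-Transport-Security header, remembering policies with expiry, and deciding whether a plain-HTTP request must be upgraded. The host names, header values and the one-entry preload set are constructed for illustration.

```python
# Added example: minimal model of a browser's HSTS policy store.
# Shows that a site whose header was never seen gets no protection,
# while a preloaded site is upgraded from the very first request.
import re

# Constructed stand-in for the real (much larger) preload lists; entries are
# treated as includeSubDomains, which Chrome requires for preloading.
PRELOAD = {"preloaded.example"}


def parse_hsts(header):
    """Return (max_age, include_subdomains) or None if no valid max-age."""
    if not header:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', value):
            max_age = int(value.strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def remember_hsts(store, host, header, now):
    """Record the policy from a response received over HTTPS (browsers
    ignore the header on plain HTTP). A stripped header changes nothing."""
    parsed = parse_hsts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:  # max-age=0 tells the client to forget the policy
        store.pop(host, None)
        return
    store[host] = {"expires": now + max_age, "include_sub": include_sub}


def must_use_https(store, host, now):
    """True if a plain-HTTP request to host must be upgraded to HTTPS."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # host, then each parent domain
        if candidate in PRELOAD:
            return True
        policy = store.get(candidate)
        if policy and policy["expires"] > now and (i == 0 or policy["include_sub"]):
            return True
    return False
```

Calling `must_use_https` before any header has been recorded returns False for a non-preloaded host, which is exactly the window the preload list closes.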
Users can also install the EFF's HTTPS Everywhere browser extension to get almost the same effect on sites that support HTTPS but don't yet have HSTS enabled.
"HTTPS Everywhere automatically tells your browser to use secured connections on many (but not all) websites that support them; on many domains it functions like a client-initiated equivalent of the server-side HSTS mechanism," Gillula said.