Jan. 28, 2023, 6:10 a.m. | /u/itgk29

cybersecurity www.reddit.com

I've been doing quite a bit of reading on HSTS and have the following questions that I was hoping you all could help me answer.

The [HSTS RFC](https://www.rfc-editor.org/rfc/rfc6797) states:

>An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

and

>If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s).

My question is:

* If a web server sends an HSTS header over …
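
The user-agent side of the two RFC 6797 rules quoted above, as an added example that is not part of the original post: a minimal known-HSTS-host cache that ignores the header on `http://` responses and only then applies `max-age` and `includeSubDomains`. `HstsStore`, `parse_sts`, the lower-cased header mapping and the `now` parameter are hypothetical names and assumptions made for illustration.

```python
import ipaddress
import time
from urllib.parse import urlsplit

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:  # a directive must not appear more than once
            return None
        seen[name] = arg.strip().strip('"')
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):  # max-age is required
        return None
    return int(age), "includesubdomains" in seen

class HstsStore:  # hypothetical name; a minimal known-HSTS-host cache
    def __init__(self):
        self.hosts = {}  # host -> (expiry_epoch, include_subdomains)

    def note_response(self, url, headers, now=None):
        """Return True only if the STS header was honoured."""
        now = time.time() if now is None else now
        u = urlsplit(url)
        sts = headers.get("strict-transport-security")
        if sts is None or u.scheme != "https":  # insecure transport: ignore
            return False
        host = u.hostname.lower()
        try:
            ipaddress.ip_address(host)  # IP-literal hosts are never noted
            return False
        except ValueError:
            pass
        parsed = parse_sts(sts)
        if parsed is None:
            return False
        if parsed[0] == 0:
            self.hosts.pop(host, None)  # max-age=0 forgets the host
        else:
            self.hosts[host] = (now + parsed[0], parsed[1])
        return True

    def must_upgrade(self, host, now=None):
        """True if plain-HTTP requests to host must be rewritten to HTTPS."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        return any((e := self.hosts.get(".".join(labels[i:]))) and e[0] > now
                   and (i == 0 or e[1]) for i in range(len(labels)))
```

A header seen only over `http://` leaves the store empty, so `must_upgrade` stays false for that host until a response over HTTPS sets the policy.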
