Note: The Strict-Transport-Security header is ignored by the browser when your site is
accessed using HTTP; this is because an attacker may intercept HTTP connections and
inject the header or remove it. When your site is accessed over HTTPS with no
certificate errors, the browser knows your site is HTTPS capable and will honor the
Strict-Transport-Security header.
An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over
non-secure transport.
and
If an HSTS Host receives an HTTP request message over a non-secure
transport, it SHOULD send an HTTP response message containing a
status code indicating a permanent redirect, such as status code 301
(Section 10.3.2 of [RFC2616]), and a Location header field value
containing either the HTTP request's original Effective Request URI
(see Section 9 ("Constructing an Effective Request URI")) altered as
necessary to have a URI scheme of "https", or a URI generated
according to local policy with a URI scheme of "https".
Therefore, the sane way is to do a 301 redirect from all HTTP to HTTPS, and the HTTPS response headers must include Strict-Transport-Security.
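As an added illustration (my own code, not part of the answer above), a small Python model of the two quoted RFC 6797 rules: a plain-HTTP request gets a permanent redirect to the https URI with no STS header, an HTTPS request gets the Strict-Transport-Security header, plus an audit helper that flags the usual misconfigurations in a captured response. The max-age policy value and the function names are my own choices; the audit also accepts 308 (RFC 7538 Permanent Redirect) alongside the 301 the RFC text names.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example policy: one year, covering subdomains.
HSTS_HEADER_VALUE = "max-age=31536000; includeSubDomains"


def to_https(effective_request_uri: str) -> str:
    """Rewrite the effective request URI to the https scheme, keeping host,
    path and query. Any explicit port is dropped so the redirect lands on the
    default HTTPS port (RFC 6797 leaves this to local policy)."""
    parts = urlsplit(effective_request_uri)
    return urlunsplit(("https", parts.hostname or "", parts.path or "/", parts.query, ""))


def hsts_host_response(effective_request_uri: str, secure_transport: bool):
    """Return (status, headers) the way an HSTS host should answer.

    Non-secure transport: 301 to the https URI and NO STS header (MUST NOT, 7.2).
    Secure transport:     200 carrying Strict-Transport-Security (7.1)."""
    if not secure_transport:
        return 301, {"Location": to_https(effective_request_uri)}
    return 200, {"Strict-Transport-Security": HSTS_HEADER_VALUE}


def audit_response(secure_transport: bool, status: int, headers: dict) -> list:
    """Check a captured response against the two rules; returns a list of findings
    (empty means compliant). Header names are matched case-insensitively."""
    findings = []
    has_sts = any(k.lower() == "strict-transport-security" for k in headers)
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if not secure_transport:
        if has_sts:
            findings.append("STS header sent over non-secure transport; browsers ignore it")
        if status not in (301, 308):
            findings.append("plain-HTTP request not permanently redirected")
        elif not location.startswith("https://"):
            findings.append("redirect Location does not use the https scheme")
    elif not has_sts:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    return findings
```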