HSTS (HTTP Strict Transport Security) is a response header that tells a browser to only ever contact your site over HTTPS. Once the browser has seen it, any attempt to use plain HTTP for your domain is upgraded to HTTPS internally, before a request leaves the machine.
The header
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age is how long, in seconds, the browser remembers the rule; includeSubDomains extends it to every subdomain; preload signals that you want the domain baked into browsers directly.
The first-visit problem
HSTS only helps after a browser has seen the header at least once. The very first request can still go over HTTP. The preload list solves this by shipping your domain inside the browser, so HTTPS is enforced even on a first-ever visit.
Getting onto the preload list
Serve the header on the apex over HTTPS with a max-age of at least a year, includeSubDomains and preload; redirect HTTP to HTTPS; then submit at hstspreload.org. Make sure every subdomain works over HTTPS first — preload is hard to undo quickly.
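The behaviour described above, as an added example that is not part of the original page: a parser for the header, a check of the preload submission requirements just listed, and a small model of a browser's HSTS store that shows the first-visit problem, the includeSubDomains scope, expiry, and why a preloaded domain is upgraded even on first contact. Hostnames and the preload set are constructed for illustration.

```python
ONE_YEAR = 31536000  # the max-age value used on this page, in seconds
EXAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"  # constructed


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def preload_eligible(value):
    """Requirements named above: max-age >= 1 year, includeSubDomains, preload."""
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d


class HstsStore:
    """Toy model of a browser's HSTS memory (hypothetical, for illustration)."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)   # domains shipped inside the browser
        self.known = {}                   # host -> (expires_at, include_subdomains)

    def observe(self, host, value, now, over_https):
        """Record a header; browsers ignore HSTS on plain-HTTP responses."""
        if not over_https:
            return
        d = parse_hsts(value)
        max_age = int(d.get("max-age", "0"))
        if max_age == 0:
            self.known.pop(host, None)    # max-age=0 forgets the rule
        else:
            self.known[host] = (now + max_age, "includesubdomains" in d)

    def should_upgrade(self, host, now):
        """True if an http:// request to host must be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.preloaded:  # preload entries carry includeSubDomains
                return True
            entry = self.known.get(parent)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```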