JENKINS-11146

Automatically redirect users to secure connection


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component/s: hsts-filter-plugin
    • Labels: None

      Currently the plugin always sends the STS header, regardless of whether Jenkins is being accessed via a secure connection.

      The spec says:

      A HSTS Server MUST NOT include the Strict-Transport-Security HTTP Response Header in HTTP responses conveyed over a non-secure transport.

      Similarly, browsers will ignore any STS headers received over a non-secure connection. So it's quite possible that users may end up never accessing Jenkins securely, unless they manually visit the secure URL at least once.

      The recommended practice when servers receive non-secure requests is to send an HTTP redirect to the secure version of the content. Then that allows the STS header to be sent, and accepted by the browser.

      So it would be good if this was implemented, so that a redirect would be sent whenever the STS header is enabled in the plugin config and a user accesses Jenkins insecurely.
      However I guess that may also need an optional config field for entering the secure URL (e.g. if the hostnames differ between secure and non-secure).
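      The behaviour requested above, sketched as a servlet filter. This is an added illustration written for this page, not code from the hsts-filter-plugin, and it assumes two configuration values the plugin may not have: an optional secure base URL (for the case where the secure and non-secure host names differ) and a max-age for the header. Requests that arrive over a non-secure transport are redirected to the secure URL and get no STS header, as the spec requires; only secure responses carry Strict-Transport-Security. Detection of "secure" also honours X-Forwarded-Proto, which is only safe when a trusted TLS-terminating proxy in front of Jenkins overwrites that header rather than passing client-supplied values through.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter illustrating JENKINS-11146 (not the plugin's own code):
 *  - non-secure request: redirect to the HTTPS equivalent, send no STS header
 *  - secure request:     send Strict-Transport-Security and continue the chain
 */
public class HstsRedirectFilter implements Filter {

    // Assumed configuration values; the real plugin's config fields are not shown on the page.
    private final String secureBaseUrl;  // e.g. "https://jenkins.example.com", or null to derive from the request
    private final long maxAgeSeconds;    // value of the STS max-age directive

    public HstsRedirectFilter(String secureBaseUrl, long maxAgeSeconds) {
        this.secureBaseUrl = secureBaseUrl;
        this.maxAgeSeconds = maxAgeSeconds;
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isSecure(request)) {
            // Non-secure transport: the spec forbids sending STS here, and browsers would
            // ignore it anyway. Redirect so the next response can carry the header.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", secureUrlFor(request));
            return;
        }

        // Secure transport: safe to send the header. includeSubDomains is deliberately omitted
        // because it would affect every host under the Jenkins domain.
        response.setHeader("Strict-Transport-Security", "max-age=" + maxAgeSeconds);
        chain.doFilter(req, res);
    }

    /**
     * A request counts as secure if the container says so, or if a TLS-terminating reverse
     * proxy reported https via X-Forwarded-Proto. Only trust that header when the proxy
     * is known to overwrite it on every request.
     */
    static boolean isSecure(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        return forwardedProto != null && forwardedProto.trim().equalsIgnoreCase("https");
    }

    /** Secure equivalent of the requested URL, using the configured base URL when one is set. */
    String secureUrlFor(HttpServletRequest request) {
        String query = request.getQueryString();
        String pathAndQuery = request.getRequestURI() + (query != null ? "?" + query : "");
        if (secureBaseUrl != null && !secureBaseUrl.isEmpty()) {
            String base = secureBaseUrl.endsWith("/")
                    ? secureBaseUrl.substring(0, secureBaseUrl.length() - 1)
                    : secureBaseUrl;
            return base + pathAndQuery;
        }
        // Same host name, https scheme, default port 443.
        return "https://" + request.getServerName() + pathAndQuery;
    }
}
```

      Deriving the secure URL from the request host only works when TLS is served on port 443 under the same name; the configurable base URL covers the case the reporter mentions, where the secure and non-secure host names differ. A permanent (301) redirect is used so that browsers cache the hop and subsequent plain-HTTP navigations never reach Jenkins.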

            Assignee: Unassigned
            Reporter: Christopher Orr (orrc)
            Votes: 0
            Watchers: 1