My expectation is that if anyone enters just the domain, or even http://domain, it would automatically redirect to https://domain.
We have confirmed that SSL is active for the site and HSTS is enabled.
But, for some browsers (Safari, Chrome) we notice that the Strict-Transport-Security header is not returned when addressing the base domain without the https:// prefix.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Notice also that some browsers (looking at you, Firefox) automatically do this for every request from the browser. Interestingly, Squarespace does return the Strict-Transport-Security header in this case.
So, why is Squarespace not sending that header when https:// is not specified and we have very clearly enabled HSTS?
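
One way to check the redirect and header behaviour described above, as an added example that is not part of the original post. RFC 6797 has servers send Strict-Transport-Security only over HTTPS and has browsers ignore it over plain HTTP, so the audit expects the http:// hop to redirect and only the https:// hop to carry the header. The hop data, `example.com` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_chain(hops):
    """hops: list of (url, status, headers) in the order the browser saw them."""
    findings = []
    for url, status, headers in hops:
        headers = {k.lower(): v for k, v in headers.items()}
        scheme = urlsplit(url).scheme
        sts = headers.get("strict-transport-security")
        if scheme == "http":
            location = headers.get("location", "")
            if not (300 <= status < 400 and location.startswith("https://")):
                findings.append(f"{url}: plain HTTP does not redirect to HTTPS")
            if sts is not None:
                findings.append(f"{url}: HSTS sent over HTTP (browsers ignore it)")
        elif sts is None:
            findings.append(f"{url}: HTTPS response without HSTS")
        elif not parse_hsts(sts)["max_age"]:
            findings.append(f"{url}: HSTS max-age missing or zero")
    return findings

# Constructed sample chain; example.com stands in for the site's domain.
SAMPLE = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 200,
     {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}),
]

if __name__ == "__main__":
    print(audit_chain(SAMPLE) or "chain OK")
```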