What clients actually care about HSTS (Strict-Transport-Security)?


Context: I have an application that provides a GUI and an API. The GUI is a web page accessed by users through their web browsers. The API is an HTTP(S)-based backend that is also accessed by other applications. In some scenarios, some of the applications accessing the API might be running in the same protected network, and (for communication speed) it might be preferred to access the API using only HTTP (not HTTPS).

My question: Is the Strict-Transport-Security header (HSTS) only used by browsers, or do other clients also follow it? What is the common practice? What should I expect? Which of the commonly used client frameworks obey HSTS and which ignore it?

I believe the HSTS information has to be cached somewhere, so truly stateless clients wouldn't have a way of remembering it.


1 answer

Tore Nestenius

HSTS is mainly a browser thing, and most REST API clients will not use that header. See it mainly as a hint to the client, but don't assume all clients will use it.
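To make concrete what "using" the header means, here is an added example (not code from the answer above, and not the implementation of any named client library): a small Python HSTS cache modelled on RFC 6797. A client can only honour HSTS if it keeps per-host state like this across requests, which is exactly what the question's "truly stateless clients" lack. Python's `requests` keeps no such store and simply uses whatever scheme the caller passed; curl has offered an opt-in cache through its `--hsts` option since 7.74.0. All host names and headers below are constructed for the example.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float            # epoch seconds after which the policy is void
    include_subdomains: bool  # includeSubDomains directive was present


class HstsStore:
    """Per-host cache of Strict-Transport-Security policies (added example, modelled on RFC 6797)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header: Optional[str], over_tls: bool) -> None:
        """Record the STS header carried by a response from `host`.

        The header is only processed when the response arrived over TLS; over
        plain HTTP it is ignored, so a network attacker cannot plant or clear a policy.
        """
        if not over_tls or header is None:
            return
        max_age: Optional[int] = None
        include_sub = False
        seen = set()
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if not name:
                continue               # tolerate a trailing ';'
            if name in seen:
                return                 # a directive may appear once; otherwise the header is ignored
            seen.add(name)
            if name == "max-age":
                if not re.fullmatch(r"\d+", value):
                    return             # malformed max-age: ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
            # unknown directives (e.g. preload) are ignored
        if max_age is None:
            return                     # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self._policies[host] = HstsPolicy(self._clock() + max_age, include_sub)

    def is_known_host(self, host: str) -> bool:
        """True if `host`, or a parent domain whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires <= now:
                del self._policies[candidate]   # expired: forget it
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when a policy applies; otherwise return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url
        # An explicit :80 becomes the https default (443); any other port is preserved.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> Dict[str, str]:
    """Walk through a constructed exchange (sample headers, not captured traffic)."""
    now = [1_000_000.0]
    store = HstsStore(clock=lambda: now[0])
    out: Dict[str, str] = {}

    store.observe("api.example.com", "max-age=3600", over_tls=False)     # plain HTTP: ignored
    out["after_plain_http"] = store.rewrite("http://api.example.com/v1/items")

    store.observe("api.example.com", "max-age=3600", over_tls=True)      # over TLS: cached
    out["after_tls"] = store.rewrite("http://api.example.com:80/v1/items")
    out["subdomain_not_covered"] = store.rewrite("http://internal.api.example.com/v1/items")

    store.observe("example.com", "max-age=31536000; includeSubDomains", over_tls=True)
    out["subdomain_via_parent"] = store.rewrite("http://internal.api.example.com/v1/items")

    store.observe("example.com", "max-age=0", over_tls=True)             # parent policy withdrawn
    out["after_withdrawal"] = store.rewrite("http://internal.api.example.com/v1/items")

    now[0] += 3601                                                        # api.example.com expires
    out["after_expiry"] = store.rewrite("http://api.example.com/v1/items")
    return out


if __name__ == "__main__":
    for step, url in demo().items():
        print(f"{step:24s} {url}")
```

The store is the part that a generic API client must add and persist; without it, an `http://` URL handed to the client is used as-is regardless of any `Strict-Transport-Security` header the server sent earlier, which is why the header is enforced by browsers and not by most backend-to-backend callers.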