Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
HSTS is activated only after a successful HTTPS request to the server with a valid certificate. There is still a risk of a first-time user accessing the site, at which point a Man-in-the-Middle attack is possible.
To make the site secure even before the first request the domain can be added to a preload list, already configured in browsers.
preload parameter is not used by the browsers directly, but it an indiciation to the browser developers that the site developers really asked to be added to the preload list.