STS (Strict Transport Security) is an HTTP header that a site can set.
In short: always use SSL; if no SSL is available, abort the connection.
- Check whether both the secure and unsecure URLs are https.
- Add a Strict Transport Security header to Magento.
You know what sidejacking and SSLStrip are? This should help a bit against them.
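The two checks listed above, written as a standalone Python audit. This is an added example, not code from Magento or from this page's author; the function names, the `shop.example` URLs and the sample headers are constructed, and the header syntax assumed is the one in RFC 6797.

```python
import re
from urllib.parse import urlsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns a dict keyed by lower-cased directive name, or None when the
    value is invalid and a browser would ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # a directive must not appear twice
            return None
        directives[name] = arg.strip().strip('"')   # max-age may be quoted
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                          # max-age is required
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit(unsecure_url, secure_url, headers):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for label, url in (("unsecure", unsecure_url), ("secure", secure_url)):
        if urlsplit(url).scheme != "https":
            findings.append(f"{label} URL is not https: {url}")
    sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if sts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        policy = parse_sts(sts)
        if policy is None:
            findings.append("Strict-Transport-Security header is malformed")
        elif policy["max-age"] == 0:
            findings.append("max-age=0 tells browsers to drop the policy")
    return findings


# Constructed sample input (not taken from a real shop).
GOOD = audit("https://shop.example/", "https://shop.example/",
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
BAD = audit("http://shop.example/", "https://shop.example/",
            {"Content-Type": "text/html"})
```

Browsers only honour the header when it arrives over HTTPS, so run the audit against the response of the https URL.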