So, I checked today, and after submission to the Chrome HSTS Preloading List, and we are indeed HSTS preloaded. This list is also used for Safari, Firefox, and IE11/Edge. This means that the most recent browsers will never send an HTTP request to this site, even when visiting for the first time. This greatly reduces the opportunity to perform an unencrypted HTTP Man-in-the-Middle attack against this site.
