The HTTP Strict Transport Security (HSTS) header sent by the server tells the client to make requests only via HTTPS for a specified amount of time.
- You access a website via TLS and get a valid certificate and an HSTS header in return. The HSTS header tells you how long you should use only HTTPS.
- Now you connect to a malicious network and request the website again. You get an unencrypted response.
- Without HSTS, you access this website unencrypted.
- With HSTS, you detect the policy violation and can communicate that something fishy is going on.
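The scenario in the list above, as an added example that is not part of the original post and is not Qt's implementation: a minimal in-memory HSTS cache in standard C++ that records the policy from a header seen over TLS and later answers whether a request to that host may go out unencrypted. The names `HstsCache`, `noteHeader` and `mustUseHttps` are hypothetical, timestamps are seconds supplied by the caller, and the two-year clamp on `max-age` is an assumption of this sketch.

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Added example; HstsCache and its methods are hypothetical names, not Qt API.
struct HstsPolicy { long long expires; bool includeSubDomains; };

class HstsCache {
    std::map<std::string, HstsPolicy> policies_;  // keyed by lower-case host
    static std::string norm(const std::string &s) {  // drop spaces, lower-case
        std::string out;
        for (unsigned char c : s)
            if (!std::isspace(c)) out += static_cast<char>(std::tolower(c));
        return out;
    }
public:
    // Record a Strict-Transport-Security header. The caller must pass only
    // headers received over TLS with a valid certificate, never plain HTTP.
    void noteHeader(const std::string &host, const std::string &header, long long now) {
        long long maxAge = -1;
        bool sub = false;
        std::istringstream in(header);
        std::string d;
        while (std::getline(in, d, ';')) {
            d = norm(d);
            if (d.rfind("max-age=", 0) == 0) {
                try { maxAge = std::stoll(d.substr(8)); } catch (...) { return; }
            } else if (d == "includesubdomains") sub = true;
        }
        if (maxAge < 0) return;                            // max-age is mandatory
        if (maxAge > 63072000) maxAge = 63072000;          // clamp (assumed): two years
        if (maxAge == 0) policies_.erase(norm(host));      // server withdrew the policy
        else policies_[norm(host)] = {now + maxAge, sub};
    }

    // True if a request to host at time now must not be sent unencrypted.
    bool mustUseHttps(const std::string &host, long long now) const {
        std::string h = norm(host);
        for (bool exact = true; ; exact = false) {
            auto it = policies_.find(h);
            if (it != policies_.end() && now < it->second.expires &&
                (exact || it->second.includeSubDomains)) return true;
            auto dot = h.find('.');
            if (dot == std::string::npos) return false;
            h = h.substr(dot + 1);                         // try the parent domain
        }
    }
};
```

When `mustUseHttps` returns true, the client upgrades the request to HTTPS or fails it instead of accepting an unencrypted response.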
HSTS is also quite easy to enable: if you are using QNetworkAccessManager, use enableStrictTransportSecurityStore and setStrictTransportSecurityEnabled.
If the HSTS store is used, then fingerprinting across applications is in principle possible (privacy issues). That's why my recommendation would be: enabling HSTS is a no-brainer, but think twice about whether the privacy issues may be valid in your use case. If you want to enable the HSTS store, you have to enable it in your code before enabling HSTS checking.
It looks like only QtWebKit is using this feature at the moment. Here is the search across all source packages in Debian:
https://codesearch.debian.net/search?q=setStrictTransportSecurityEnabled&perpkg=1