Thanks for your workarounds and new insights. The problem is not purely HSTS related.
The rewrite to HTTPS, I think, works correctly in DirectAdmin, before security headers are reached in .htaccess, httpd (or nginx directive).
I have understood from internet.nl that security headers in a web...