
AFAIK HSTS is a server-side property that tells the browser that it should only work with HTTPS requests with this server (correct me please if I'm wrong).

HSTS will not help in cases of redirecting from HTTP to HTTPS; in this time frame of redirection a MITM attack can happen, unless your site is listed on the browser HSTS list.

If I have a server that only gets requests from libcurl, do I need to support HSTS? Will it have any meaning? Does libcurl also support HSTS, and will it work only with HTTPS sites after receiving this parameter from the server?

Rob

1 Answer

AFAIK HSTS is a server-side property that tells the browser that it should only work with HTTPS requests with this server (correct me please if I'm wrong).

Right.

HSTS will not help in cases of redirecting from HTTP to HTTPS; in this time frame of redirection a MITM attack can happen, unless your site is listed on the browser HSTS list.

If a user agent does not understand HSTS, then it will not help at all. Further, HSTS is a "trust on first use" feature. Meaning that if the user agent has no HSTS record for a domain and relies on a redirect to HTTPS, the user agent has no choice but to trust that. HSTS preloading is meant to address that problem, where a domain is always fixed as "yes" for HSTS.

If I have a server that only gets requests from libcurl, do I need to support HSTS? Will it have any meaning? Does libcurl also support HSTS, and will it work only with HTTPS sites after receiving this parameter from the server?

Using libcurl by itself with HSTS has no direct benefit. libcurl does not keep a record of known HSTS hosts. A developer that uses libcurl could develop HSTS on top of libcurl, but today libcurl does not do that by itself.

vcsjones
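The answer's closing point is that an application could keep its own HSTS state on top of libcurl. As an added example (not code from the question, the answer, or the curl project), here is the part such a layer has to get right: parsing the Strict-Transport-Security header per RFC 6797, caching hosts with an expiry and an includeSubDomains flag, ignoring the header when it arrives over plain HTTP, honouring max-age=0 as a deletion, and upgrading http:// URLs whose host is covered. It is plain C with no libcurl dependency so it runs as-is; the wiring is assumed: a CURLOPT_HEADERFUNCTION callback would pass each header value to hsts_record, and hsts_rewrite_url would be applied to every URL before it is handed to CURLOPT_URL. The header value, host names and fixed clock below are constructed, and bracketed IPv6 literals are out of scope (HSTS does not apply to IP-literal hosts anyway).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define HSTS_MAX_HOSTS 64
#define HSTS_MAX_HOST  256

/* One known HSTS host: the cache entry RFC 6797 section 5 asks a UA to keep. */
typedef struct {
    char   host[HSTS_MAX_HOST];
    time_t expires;            /* absolute time at which the policy lapses */
    bool   include_subdomains;
} hsts_entry;

typedef struct {
    hsts_entry entries[HSTS_MAX_HOSTS];
    size_t     count;
} hsts_store;

/* Directive names and host names are both case-insensitive. */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}
static bool iprefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parse a value such as `max-age=31536000; includeSubDomains`. max-age is
 * required and may be quoted; a duplicate max-age is invalid; unknown
 * directives (e.g. preload) are ignored. Returns false on a malformed value. */
bool hsts_parse_header(const char *value, long *max_age, bool *include_subdomains) {
    char buf[512];
    bool have_max_age = false;
    *include_subdomains = false;
    if (strlen(value) >= sizeof buf) return false;
    strcpy(buf, value);
    for (char *tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";")) {
        tok = trim(tok);
        char *eq = strchr(tok, '=');
        if (eq) *eq = '\0';
        char *name = trim(tok);
        if (ieq(name, "max-age")) {
            if (!eq || have_max_age) return false;
            char *num = trim(eq + 1);
            size_t n = strlen(num);
            if (n >= 2 && num[0] == '"' && num[n - 1] == '"') { num[n - 1] = '\0'; num++; }
            char *endp;
            long v = strtol(num, &endp, 10);
            if (endp == num || *endp != '\0' || v < 0) return false;
            *max_age = v;
            have_max_age = true;
        } else if (ieq(name, "includesubdomains")) {
            *include_subdomains = true;
        }
    }
    return have_max_age;
}

static hsts_entry *hsts_find(hsts_store *s, const char *host) {
    for (size_t i = 0; i < s->count; i++)
        if (ieq(s->entries[i].host, host)) return &s->entries[i];
    return NULL;
}

/* Apply a header received from `host`. Only a header received over HTTPS is
 * honoured (RFC 6797 section 8.1); max-age=0 removes any stored policy. */
bool hsts_record(hsts_store *s, const char *host, bool over_https,
                 const char *header_value, time_t now) {
    long max_age; bool subs;
    if (!over_https || !hsts_parse_header(header_value, &max_age, &subs)) return false;
    if (strlen(host) >= HSTS_MAX_HOST) return false;
    hsts_entry *e = hsts_find(s, host);
    if (max_age == 0) {
        if (e) *e = s->entries[--s->count];   /* delete by moving the last entry in */
        return true;
    }
    if (!e) {
        if (s->count == HSTS_MAX_HOSTS) return false;
        e = &s->entries[s->count++];
        strcpy(e->host, host);
    }
    e->expires = now + max_age;
    e->include_subdomains = subs;
    return true;
}

/* True when a non-expired policy covers `host`, either exactly or through an
 * includeSubDomains policy on a parent domain (label boundary respected). */
bool hsts_must_https(const hsts_store *s, const char *host, time_t now) {
    size_t hlen = strlen(host);
    for (size_t i = 0; i < s->count; i++) {
        const hsts_entry *e = &s->entries[i];
        if (e->expires <= now) continue;
        if (ieq(e->host, host)) return true;
        size_t elen = strlen(e->host);
        if (e->include_subdomains && hlen > elen + 1 &&
            host[hlen - elen - 1] == '.' && ieq(host + hlen - elen, e->host))
            return true;
    }
    return false;
}

/* Rewrite an http:// URL to https:// when a policy applies (RFC 6797 section
 * 8.3): port 80 becomes the https default, other explicit ports are kept.
 * Returns true and fills `out` only when a rewrite happened. */
bool hsts_rewrite_url(const hsts_store *s, const char *url, time_t now,
                      char *out, size_t outlen) {
    if (!iprefix(url, "http://")) return false;
    const char *auth = url + 7;
    size_t alen = strcspn(auth, "/?#");
    char host[HSTS_MAX_HOST];
    if (alen >= sizeof host) return false;
    memcpy(host, auth, alen); host[alen] = '\0';
    char *port = strchr(host, ':');
    if (port) *port++ = '\0';
    if (!hsts_must_https(s, host, now)) return false;
    int n = (port && strcmp(port, "80") != 0)
        ? snprintf(out, outlen, "https://%s:%s%s", host, port, auth + alen)
        : snprintf(out, outlen, "https://%s%s", host, auth + alen);
    return n > 0 && (size_t)n < outlen;
}

int main(void) {
    hsts_store store = {0};
    time_t now = 1700000000;  /* constructed fixed clock so the run is reproducible */
    /* Constructed header value, as a CURLOPT_HEADERFUNCTION callback would see it. */
    hsts_record(&store, "example.com", true, "max-age=31536000; includeSubDomains", now);
    const char *urls[] = {"http://api.example.com/v1", "http://example.com:80/", "http://other.test/"};
    char out[512];
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", urls[i],
               hsts_rewrite_url(&store, urls[i], now, out, sizeof out) ? out : "(no policy, left as-is)");
    return 0;
}
```

The store only ever grows from headers seen over HTTPS, which is what makes this trust-on-first-use in exactly the sense the answer describes: the first plain-HTTP request to a host still goes out unprotected, and a client that wants to close that window has to seed the store itself (the equivalent of a browser's preload list).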