android, android-security

Does Android's WebView support HSTS?

Solution

  • Yes, according to this website: http://caniuse.com/#search=hsts, since Android 4.4.

    Main changes:

    • Certificate pinning
    • Trusted CAs
    • Add CAs for debug
    • Limit CAs
    • Add CA hierarchy...

    But the most important thing will be enabled on the new Android N in a res/xml/network_security_config.xml like this: https://koz.io/network-security-policy-configuration-for-android-apps/

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <!-- hstsEnforced comes from the Android N preview docs linked above; the released docs list only cleartextTrafficPermitted on domain-config -->
        <domain-config hstsEnforced="true" cleartextTrafficPermitted="false">
            <domain includeSubdomains="true">koz.io</domain>
            <!-- expiration is a yyyy-MM-dd date; the pin is base64(SHA-256(SubjectPublicKeyInfo DER)) -->
            <pin-set expiration="exp-date">
                <pin digest="SHA-256">PaJOmDNhWkVBvuXfzqXMyfo7kgtGpcyZp6L8EqvM8Ck=</pin>
            </pin-set>
        </domain-config>
    </network-security-config>

    This is the official documentation from Google: https://developer.android.com/training/articles/security-config.html
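The value inside `<pin digest="SHA-256">` is the base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo of the server's key, and the usual operational mistake is shipping a single pin with no backup and never checking it against the live key. The following is an added example (not code from the answer above or from Android) that derives that pin, emits the `network_security_config.xml` for it with cleartext disabled and a backup pin, and parses the config back to verify the deployed pin matches a key. The RSA parameters `DEMO_N`, `BACKUP_N`, the domain and the date are constructed placeholders; the modulus is far too small to be a real key and only exercises the encoding.

```python
"""SPKI pin derivation and Network Security Config generation/verification.
Added example; the key material below is constructed, not a real key."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed demo RSA public key (NOT a real key: a 256-bit modulus has no
# security value, it only exercises the DER encoding and the pin computation).
DEMO_N = 0xC3A59F1D2B770E439A615D8C0F2E7B194C3DAA5566E10D2F8B913C4755AB91CB
DEMO_E = 65537
BACKUP_N = DEMO_N ^ 0x1F3  # second constructed key, used for the backup pin

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der(0x02, raw)


def rsa_spki(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING key }."""
    alg = der(0x30, RSA_OID + b"\x05\x00")          # rsaEncryption, NULL params
    key = der(0x30, der_int(n) + der_int(e))        # RSAPublicKey
    return der(0x30, alg + der(0x03, b"\x00" + key))  # BIT STRING, 0 unused bits


def spki_pin(spki_der):
    """Pin as Android (and HPKP/Chromium) expect it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_config(domain, pins, expiration):
    """Render network_security_config.xml: cleartext off, subdomains covered,
    every pin (primary + backup) in one pin-set with an expiration date."""
    pin_lines = "\n".join(
        f'            <pin digest="SHA-256">{p}</pin>' for p in pins)
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<network-security-config>\n"
        '    <domain-config cleartextTrafficPermitted="false">\n'
        f'        <domain includeSubdomains="true">{domain}</domain>\n'
        f'        <pin-set expiration="{expiration}">\n'
        f"{pin_lines}\n"
        "        </pin-set>\n"
        "    </domain-config>\n"
        "</network-security-config>\n"
    )


def pins_in_config(config_xml, domain):
    """Parse a config and return the SHA-256 pins declared for `domain`."""
    root = ET.fromstring(config_xml)
    found = []
    for dc in root.findall("domain-config"):
        if any(d.text == domain for d in dc.findall("domain")):
            for pin in dc.findall("pin-set/pin"):
                if pin.get("digest") == "SHA-256":
                    found.append(pin.text)
    return found


def check_pin(config_xml, domain, live_spki_der):
    """True if the live key's pin is one of the pins deployed for `domain`;
    run this before a key rotation so the backup pin is really in the app."""
    return spki_pin(live_spki_der) in pins_in_config(config_xml, domain)


if __name__ == "__main__":
    primary = rsa_spki(DEMO_N, DEMO_E)
    backup = rsa_spki(BACKUP_N, DEMO_E)
    cfg = build_config("koz.io", [spki_pin(primary), spki_pin(backup)], "2018-01-01")
    print(cfg)
    print("primary key pinned:", check_pin(cfg, "koz.io", primary))
    print("backup key pinned: ", check_pin(cfg, "koz.io", backup))
```

For a real deployment the SPKI bytes come from the server certificate rather than from `rsa_spki`; `openssl x509 -pubkey -noout` followed by `openssl pkey -pubin -outform der` produces exactly the DER that `spki_pin` hashes.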