@stefano Latest security review flagged a “.dev” site for not sending an HSTS header.
That TLD is in all browsers’ https pre-loaded list…