@stefano Latest security review flagged a “.dev” site for not sending an HSTS header.

That TLD is in all browsers’ https pre-loaded list…