Current state (2026-05-19): Zone HSTS is active with max-age=15552000 (180 days / 6 months) + includeSubDomains + preload.
Confirmed via curl -I https://ronnieops.dev:
strict-transport-security: max-age=15552000; includeSubDomains; preload
Location: Cloudflare Dashboard → SSL/TLS → Edge Certificates → HSTS
The Worker in src/entry.js sets max-age=63072000 (2 years) as defense-in-depth, but the zone-level setting takes precedence.
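An added check, not code from src/entry.js or the project: it parses a Strict-Transport-Security value, flags problems (including a preload directive whose max-age is below the 31536000-second minimum that hstspreload.org requires for submission), and reports which layer's max-age is actually being served. Function names are hypothetical; the header and max-age values are the ones quoted on this page.

```javascript
// Added example, not project code. Function names are hypothetical.
// Minimum max-age for hstspreload.org submission (1 year).
const PRELOAD_MIN_MAX_AGE = 31536000;
// max-age values stated on this page for each layer.
const LAYER_MAX_AGE = { zone: 15552000, worker: 63072000 };

// Parse a Strict-Transport-Security value; directive names are case-insensitive.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? "" : part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age" && /^\d+$/.test(arg)) out.maxAge = Number(arg);
    else if (name === "includesubdomains") out.includeSubDomains = true;
    else if (name === "preload") out.preload = true;
  }
  return out;
}

// Return the parsed policy plus a list of findings worth a second look.
function auditHsts(value) {
  const p = parseHsts(value);
  const findings = [];
  if (p.maxAge === null) findings.push("max-age missing or invalid: browsers ignore the header");
  else if (p.maxAge === 0) findings.push("max-age=0 removes the host's HSTS entry");
  if (p.preload && !p.includeSubDomains) findings.push("preload without includeSubDomains");
  if (p.preload && p.maxAge !== null && p.maxAge < PRELOAD_MIN_MAX_AGE)
    findings.push(`preload with max-age ${p.maxAge} below ${PRELOAD_MIN_MAX_AGE}`);
  return { ...p, findings };
}

// Which layer produced the observed max-age: "zone", "worker" or "unknown".
function sourceLayer(maxAge) {
  const hit = Object.entries(LAYER_MAX_AGE).find(([, v]) => v === maxAge);
  return hit ? hit[0] : "unknown";
}

// Header value as returned by curl -I on this page.
const observed = auditHsts("max-age=15552000; includeSubDomains; preload");
console.log(sourceLayer(observed.maxAge), observed.findings);
```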
Update (2026-05-19): CSP has migrated from static SHA256 hashes to per-request nonce-based CSP. The Worker now generates a cryptographic nonce for each request and injects it into all <script> tags. See src/entry.js for details.