It's the same as before, clerk.dev does not have it and dashboard.clerk.dev had HSTS when I checked first too. HSTS is sorta irrelevant for .dev though since all of .dev is on the preload list in major browsers. I'd be more worried about the third party JS without SRI. Especially since including third party JS is an active choice while not having headers is an inactive one.