Yes, that’s the one.
Back through forum posts, I’ve no reason to doubt that Anvil uses HSTS as part of the security model.
But whenever I run a check, say on security headers or in a security scan, the advisory is there in bold red.
What I can’t work out is how to set the header in Anvil itself to solve the problem.