I was recently setting up a new Joomla plugin for HTTP headers on my website and discovered that your website still does not use this plugin.
Here is the link to check and add website to force download via HTTPS (HSTS) -
hstspreload.org/
here is the link to check all HTTP-headers -
securityheaders.com/
and here is the link to create CSP settings -
report-uri.com/home/generate
I still haven't made CSP settings for my website (third tab of the Joomla HTTP Headers plugin), but I have done all the other settings and it works great.