Cool tool, I'm also surprised by how different the startup stacks are from the general Internet.

For HSTS, don't forget to check the preload list. Domains under .dev are all preloaded, for example, so they don't need to set the header for HSTS to apply.