We have specifically set a rule to block all headers for sites managed by @david.kassa as a matter of principle.
It appears in your first test link we are getting a 525 error trying to communicate with the origin over SSL and so no headers from the origin are available to be returned.
Yeah, it’s odd - I had a CSP error that I fixed (whoops). Now the primary (www) works in full but the naked URL still gives the 525. If I move it to Flexible the naked URL works but I’m still not getting my security headers in either case. It feels like a Netlify issue but still looking.