I just noticed that the website sends the strict-transport-security header, which is a very good idea, but it also sets the max age to 0 seconds, meaning it expires immediately and is completely ineffective.

You should rather set the max age to half a year or something. While you're at it, enable preloading and get the domain added to the preload list, no harm in that. It's not like you're ever gonna be unable to renew your certificate.

It seems intentional to some degree, as with cloudflare you have to specifically configure HSTS to both be on and to use 0. The why isn't something any of us can really answer.