Content Security Policy (CSP) implemented, but secure site allows resources to be loaded over HTTP

Load resources over HTTPS and remove any HTTP sources from your CSP.

Strict-Transport-Security header set to less than six months (15768000).

Increase HSTS period.

Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS.

Add SRI to external scripts.