It seems like I accidentally broke something during the last update. The reports missing HSTS no longer rendered in some browsers, and CSP would be shown enabled on all reports (assuming the report was showing up in the first place). Those issues are now fixed.
I have added some information about the HTTPS certificate and the IP under the request log:
Unfortunately websites that use Cloudflare and other similar proxy services will always show the same country (most likely the US) since those providers use Anycast to route their IPs to different locations close to the client's location, and the location of the origin server location behind the scenes can't be easily guessed.
The hope with certificate information was to more easily identify what's going wrong when a certificate is invalid, but most self-signed certificates seem to not have any "issuer" data at all, so it's not that useful. I unfortunately don't have access to the full certificate but only some information that CURL outputs during its certificate validation. I don't want to make any additional requests just to download the full certificate for now. I'll see whether I can export the raw certificate out of CURL somehow but I didn't find any solution that could be implemented as a Guzzle plugin.
