Visiting https://tracker.pureos.net/ return the following header:

Strict-Transport-Security: max-age=0; includeSubdomains; preload

which delete the HSTS entry if used before, cause "security.strict-transport-security" option is turned off, see:
https://secure.phabricator.com/T7777

more information about HSTS and why it's important:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

fix:
Enable "security.strict-transport-security" option in configuration.