
Improve badssl.com's Security Headers score

Open Kenneth-Barber opened this issue 3 years ago • 3 comments

To keep users of badssl.com as safe as possible, please improve badssl.com's Security Headers score as much as possible without violating the intention of or breaking the functionality of badssl.com. https://securityheaders.com/?q=https%3A%2F%2Fbadssl.com%2F

Kenneth-Barber avatar Feb 01 '22 17:02 Kenneth-Barber

Thanks for filing a bug. Are there specific headers you think BadSSL.com should use? I'm not sure any of these are relevant for us.

christhompson avatar Feb 01 '22 17:02 christhompson

I'd like to think that at least X-Frame-Options, Referrer-Policy, and Permissions-Policy are relevant to badssl.com. I know that Strict-Transport-Security will probably not be implemented site-wide since HSTS is one of the scenarios presented on badssl.com.

Kenneth-Barber avatar Feb 01 '22 17:02 Kenneth-Barber

Hmm thinking about each of these:

  • X-Frame-Options: We don't really care if anyone frames us. There shouldn't be any phishing or clickjacking risk on any badssl.com pages, and no user data should be involved.
  • Referrer-Policy: We could maybe opt-in to no-referrer here?
  • Permissions-Policy: I'm not sure we want to enumerate features required for the site (I think if I added it to the server it would essentially be a wildcard policy anyway), and we don't pull in third-party scripts that we'd need to be worried about. The motivating cases listed in the spec's introduction don't seem like they apply here to me.

christhompson avatar Feb 01 '22 17:02 christhompson
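A small audit of the four headers discussed in this thread, as an added example that is not part of the issue or the badssl.com project: the sample headers are constructed, and `expect_hsts=False` models the point that HSTS cannot be applied site-wide to a host that deliberately exercises HSTS scenarios.

```python
"""Added example (not badssl.com code): check a response's security headers
for the ones named in this thread and return human-readable findings."""
from typing import Dict, List

# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Referrer-Policy": "no-referrer",
    "X-Frame-Options": "deny",
}

VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS value, or -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return -1


def audit_security_headers(headers: Dict[str, str], expect_hsts: bool = True) -> List[str]:
    """Return findings for the headers discussed above; empty means nothing to report.

    expect_hsts=False models a host where HSTS is itself a test scenario and
    is therefore not wanted site-wide, so its absence is not a finding.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if h.get("x-frame-options", "").strip().lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    # Referrer-Policy may list several fallback policies separated by commas.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    if not policies or any(p not in VALID_REFERRER_POLICIES for p in policies):
        findings.append("Referrer-Policy missing or unrecognised")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if expect_hsts:
        max_age = hsts_max_age(h.get("strict-transport-security", ""))
        if max_age < 0:
            findings.append("Strict-Transport-Security missing or malformed")
        elif max_age < 31536000:  # one year, the usual preload-list threshold
            findings.append("HSTS max-age below one year")
    return findings
```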