The following security features aren't implemented for the website and should be:
HTTP strict transport security (HSTS) with preloading
Strong CSP
Security headers: x-content-type-options, x-frame-options
Explicitly disable xss auditor
x-frame-options is obsoleted by the frame-ancestors directive in CSP (see)
x-xss-protection should absolutely not be used anymore. Even explicitly disabling it can create vulnerabilities in legacy browsers, and it doesn't do anything in modern browsers because support has been removed. The alternative is to not allow unsafe-inline in CSP (see).
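As an added example (not code from the thread or from the website's own deployment), the header set the two posts above arrive at, together with an audit function that flags, in a response's headers, what is missing (HSTS with preload, CSP, nosniff) and what is obsolete (x-frame-options, x-xss-protection). The CSP value is an assumed starting point and would have to be adapted to the site's real script and frame sources; the sample "legacy" response headers are constructed, not captured from any real site.

```javascript
'use strict';

// Recommended header set. HSTS: two years, subdomains, preload (the preload list
// requires max-age >= 1 year, includeSubDomains and preload). CSP: no 'unsafe-inline'
// for scripts; frame-ancestors replaces X-Frame-Options. X-XSS-Protection is
// deliberately absent. The CSP below is an assumed baseline, not the site's policy.
function recommendedHeaders() {
  return {
    'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
    'content-security-policy': [
      "default-src 'self'",
      "script-src 'self'",
      "object-src 'none'",
      "base-uri 'none'",
      "frame-ancestors 'none'",
    ].join('; '),
    'x-content-type-options': 'nosniff',
  };
}

// Parse a CSP header value into { directiveName: [source, ...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Audit a response header map (any name casing). Returns an array of finding
// strings; an empty array means nothing to report.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) findings.push('HSTS max-age below one year (preload list requires at least one year)');
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains (required for preload)');
    if (!/preload/i.test(hsts)) findings.push('HSTS lacks preload');
  }

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    // script-src falls back to default-src when absent, so check the effective list.
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' for scripts");
    if (!d['frame-ancestors']) findings.push('CSP lacks frame-ancestors (framing not restricted by CSP)');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  if ('x-frame-options' in h) {
    findings.push('X-Frame-Options present (redundant once CSP frame-ancestors is set; browsers that support frame-ancestors ignore it)');
  }
  if ('x-xss-protection' in h) {
    findings.push('X-XSS-Protection present (remove it entirely; modern browsers ignore it)');
  }
  return findings;
}

// Constructed sample response headers, the kind of set the thread argues against.
const legacyResponseHeaders = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-XSS-Protection': '0',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=3600',
};

console.log(auditHeaders(legacyResponseHeaders).join('\n'));
console.log('recommended set findings:', auditHeaders(recommendedHeaders()).length);
```

Running the audit against a live site is a matter of feeding it the header object from an HTTP client response; the recommended set produces no findings, while the constructed legacy set produces eight (three for the short, non-preloadable HSTS, two for the CSP, one for the missing nosniff, and one each for the two obsolete headers).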