Hardenize and support the best security practices available
The website could use better security features. Its current configuration is not extremely bad, but it can be improved:
In TLS we see:
- TLS 1.0 and 1.1 are still supported, although they have been deprecated for more than a year.
- Weak cipher suites are enabled for TLS 1.2.
- HSTS is not applied to subdomains.
In the HTTP headers we see:
- Permissions-Policy is missing.
- Content-Security-Policy contains 'unsafe-inline' in the style-src directive, which is dangerous.
- object-src and require-trusted-types-for are missing.
- X-XSS-Protection is wrong or missing: the value must be "1; mode=block", not just 1.
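An added example (not part of the original report, and not the site's own code) that audits a response-header set for exactly the header findings listed above; the WEAK and HARDENED header dictionaries are constructed to reproduce the report's findings and a corrected configuration.

```python
# Added example (not from the original report): an offline audit of the response
# headers the report calls out. All header values below are constructed.
def parse_csp(value):
    # Split a Content-Security-Policy string into {directive: [source tokens]}.
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    # Return a list of findings; an empty list means every check passed.
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "").replace(" ", "").lower()
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS does not cover subdomains (no includeSubDomains)")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        if "'unsafe-inline'" in csp.get("style-src", []):
            findings.append("CSP style-src allows 'unsafe-inline'")
        for directive in ("object-src", "require-trusted-types-for"):
            if directive not in csp:
                findings.append("CSP lacks " + directive)
    # X-XSS-Protection is a legacy header; the report wants the blocking mode, not a bare "1".
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    elif xss.replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block', got %r" % xss)
    return findings

WEAK = {  # constructed: reproduces the report's header findings
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1",
}
HARDENED = {  # constructed: the same headers with each finding addressed
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; style-src 'self'; object-src 'none'; require-trusted-types-for 'script'",
    "X-XSS-Protection": "1; mode=block",
}
```

Running `audit_headers(WEAK)` lists all six header problems from the report, while `audit_headers(HARDENED)` returns an empty list.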
For examples of well-configured websites, see: