Mark Dain @lucian: Glad to see the rating on securityheaders has gone up from D to B! Nicely done! I did notice the HSTS header contains a preload tag; I did try submitting Sublevel for inclusion in Chromium's list here hstspreload.appspo... but they mandate the includeSubdomains token. Is it possible add this?

🏒 Lucian Marin I did change the headers, but I'm not sure this is the right thing to do. The bigger the headers, the slower performance will be.

Mark Dain HTTP/2 helps a lot as it compresses headers. I haven't noticed a drop in performance but the site should be far more secure now! The only other thing I noticed is cookies aren't set for the www subdomain so I see the login page; for this you could setup a redirect so nobody uses www.