Mark Dain
@lucian: Glad to see the rating on securityheaders has gone up from D to B! Nicely done! I did notice the HSTS header contains a preload tag; I did try submitting Sublevel for inclusion in Chromium's list here hstspreload.appspo... but they mandate the includeSubdomains token. Is it possible to add this?
Mark Dain
HTTP/2 helps a lot as it compresses headers. I haven't noticed a drop in performance but the site should be far more secure now! The only other thing I noticed is cookies aren't set for the www subdomain so I see the login page; for this you could set up a redirect so nobody uses www.