This gives my website a C (50 / 100) because:<p>Content Security Policy (CSP) −25<p>X-Content-Type-Options −5<p>X-Frame-Options −20<p>Yet it's just a simple static website without scripts, cookies or any other dynamic content. If you need to specify whatever random headers WHATWG comes up with each year for a static site to be secure, then the problem is the browser, not the website.<p>X-Content-Type-Options in particular is 100% about browsers ignoring the spec and then making you set another header asking them to please reconsider.<p>Referer is another thing that should be 100% fixed on the browser side instead of each website asking the browser to please not leak information to other websites.<p>Then when you look at the scoring criteria [0] you see it even awards bonus points for setting cookies and using scripts, as long as you do it in the currently fashionable way, compared to not using cookies/scripts at all. This is absolutely the wrong way around.<p>[0] <a href="https://developer.mozilla.org/en-US/observatory/docs/tests_and_scoring" rel="nofollow">https://developer.mozilla.org/en-US/observatory/docs/tests_a...</a>
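As an added illustration (not part of the comment above, and not the Observatory's own grader), the following Python models just the three deductions the commenter quotes (CSP −25, X-Content-Type-Options −5, X-Frame-Options −20) and shows the header set a script-free static site could send to clear them. The scoring is an assumed simplification: the real MDN Observatory runs more tests and grades CSP in finer detail. The header values in STATIC_SITE_HEADERS are an assumed conservative policy for a site with no scripts or cookies, not anything the comment or Observatory prescribes.

```python
"""Simplified scorer for the three header checks quoted in the comment.

Added example; the deductions are the ones the commenter reports, and the
pass criteria are a conservative approximation, not the Observatory's rules.
"""

from typing import Dict, List, Tuple

# Deductions taken from the comment's Observatory result. Assumed to be the
# only tests that matter for this example; the real grader has many more.
DEDUCTIONS: Dict[str, int] = {
    "content-security-policy": 25,
    "x-content-type-options": 5,
    "x-frame-options": 20,
}

# Assumed header set for a static site with no scripts, cookies or frames.
# 'none' as default-src blocks script execution outright; img/style are
# allowed from the site itself; frame-ancestors/X-Frame-Options stop framing.
STATIC_SITE_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": (
        "default-src 'none'; img-src 'self'; style-src 'self'; "
        "frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",   # stop MIME sniffing
    "X-Frame-Options": "DENY",             # legacy anti-framing header
    "Referrer-Policy": "no-referrer",      # not scored here; limits Referer leakage
}


def _parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def header_passes(name: str, value: str) -> bool:
    """Minimal pass/fail check for one of the three modelled headers."""
    v = value.strip().lower()
    if name == "x-content-type-options":
        return v == "nosniff"
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")
    if name == "content-security-policy":
        # Assumed rule: script sources must be constrained, either by an
        # explicit script-src or by a default-src fallback, and neither may
        # be a wildcard or allow inline script.
        directives = _parse_csp(v)
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            return False
        return "*" not in sources and "'unsafe-inline'" not in sources
    return False


def score(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (points out of 100, names of failed checks) for a response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    total = 100
    failed: List[str] = []
    for name, penalty in DEDUCTIONS.items():
        value = lowered.get(name)
        if value is None or not header_passes(name, value):
            total -= penalty
            failed.append(name)
    return total, failed


if __name__ == "__main__":
    # A bare static site with no security headers at all, as in the comment.
    print(score({}))
    # The same site with the assumed header set above.
    print(score(STATIC_SITE_HEADERS))
```

Running it with an empty header set reproduces the commenter's 50/100; adding the three headers brings the modelled score to 100. A wildcard policy such as `default-src *` is deliberately treated as a failure, since it sets the header without actually constraining script sources.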