And especially when that site is government-sponsored, by a government which has been inept and incompetent at even managing basic IT infrastructure. I know because I used to work for them.
YUP, ME TOO about government, working for them and also as a customer, and worse, some shouting with compliance tests / certs from PwC and co. who are failing very badly ....
UH, Germany, for those government and co., is way behind.
It is also seemingly normal that government and co. hospitals and co. are hacked by some, because of a lack of not only knowledge but also real enough people knowing what they do; the good guys BURN OUT or worse there.
Still, for off-topic, it gives an overview and with that is very handy. I try to score there above 70, then depending on what those sites / servers / mail are for, up to 100% when setting up newer servers. Why try to get near 100% with newer ones? Simple: you have to do some work setting up stuff anyway, so better do it as compliant as possible from the start and not later when needed; that saves some hours.
Also, then the HSTS redirects and SSL and aliases have to be OK. If configs and setup and control panel and so on are good, then you all save some time if someone wants that part compliant to some specs. SPECS ..
For all here on this FORUM and the DirectAdmin CP, it is important where to find all those settings, with some HOWTOs, and CP parts should not interfere with "good" settings/confs.
For compressing you can use BROTLI.
I did have some phone and mail contacts with these guys; they are trying to do a good job there, but if some government themselves decide to have bad security it is hmmmm
https://english.ncsc.nl/publication...y-guidelines-for-transport-layer-security-tls
Such guidelines are important, as they have in Germany (BSI) and the USA (NIST) too. Decide which parts are needed depending on the stuff you or the client does. (HEALTH-related DATA from persons should be as secure as possible! for example)
One size fits all is the wrong approach, but if you choose 100% safest and compliant, OK, you mostly don't do anything wrong; if not, you have to keep in mind whether it is needed for that purpose...
BAD is to score an A or A+ at SSL Labs but, with server settings, force clients first to the weak keys' encryption (so the wrong order in the server config), then still keep saying everything is 100% and we are certified by ...., not reading any real results and guidelines as they are supposed to be there for.
It took more than 6 months to have such ......... for those guys, and some even don't want to have the server order right for that, so an example of how this part is so wrong in the SSL Labs score overview.
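The "wrong server order" problem the post describes, shown as an added example (not the poster's config nor anything from DirectAdmin): an Apache mod_ssl vhost fragment that can still get a good SSL Labs grade while letting weak suites win the negotiation, next to the corrected version with HSTS and Brotli. Assumptions: Apache 2.4 with mod_ssl, mod_headers and mod_brotli loaded, OpenSSL 1.1.1+ for TLS 1.3, and example.com as a placeholder hostname.

```apache
# --- WEAK (constructed example): legacy suites listed first and the server
#     does not enforce its own order, so a client offering AES128-SHA first
#     gets a CBC/RSA-kex suite even though strong ECDHE/GCM suites exist.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
</VirtualHost>

# --- CORRECTED (constructed example): modern protocols only, forward-secret
#     AEAD suites listed strongest-first, server order enforced, HSTS sent,
#     and plain HTTP redirected so the HSTS header is actually reached.
<VirtualHost *:80>
    ServerName example.com
    # Permanent redirect keeps the HSTS/redirect check in scanners happy.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # TLS 1.2 suites: ECDHE key exchange + AEAD only, strongest first.
    # (TLS 1.3 suites are negotiated separately and are all AEAD.)
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # Server preference wins, so a client cannot steer to a weaker suite.
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    # HSTS: two years, cover subdomains; only send it over TLS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Brotli for text responses (mod_brotli); binary types stay uncompressed.
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/css text/javascript application/javascript application/json
</VirtualHost>
```

After reloading, check the negotiated suite with a client that offers a weak cipher first (for instance `openssl s_client -cipher 'AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384' -connect example.com:443`); the corrected vhost answers with the ECDHE suite, the weak one with AES128-SHA.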