It would be nice to have some security headers: https://securityheaders.io/?q=https%3A%2F%2Fgethttpsforfree.com%2F
Especially a CSP could be very helpful here, as you can very strictly limit the JS use. However, you may have to rewrite a few JS parts to be CSP-compatible (to not have to allow insecure-eval).
Also have a look at report-uri, where you can collect CSP and HPKP violation reports.
As for HPKP, please be cautious with the LE client. You might want to follow these best practices.
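As an added example (not part of the comment above, nor the project's own code), the following script does offline what a scanner like securityheaders.io does against a live site: it reports which recommended response headers are missing and parses a CSP value to flag a `script-src` that would need the `'unsafe-eval'` or `'unsafe-inline'` keywords or that collects no violation reports. The header set, the sample responses and the recommended values are this example's assumptions, not something the comment prescribes.

```python
# Added example: audit HTTP response headers and a CSP value offline.
# Everything below (header list, sample responses) is constructed for
# illustration; adjust to your own policy.
from typing import Dict, List, Mapping

# Headers a security-headers scanner typically looks for. The values are
# this example's suggested baseline, not a universal requirement.
RECOMMENDED_HEADERS: Dict[str, str] = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'none'; script-src 'self'; report-uri /csp-report",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy: str) -> List[str]:
    """Return human-readable weaknesses found in a CSP value (empty list = none)."""
    directives = parse_csp(policy)
    findings: List[str] = []
    # script-src falls back to default-src when absent, per the CSP fallback rules.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("scripts unrestricted: neither script-src nor default-src set")
    else:
        for weak in ("'unsafe-eval'", "'unsafe-inline'", "*"):
            if weak in script_src:
                findings.append(f"script-src allows {weak}")
    # Without a reporting directive, violations are never sent anywhere.
    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("no report-uri/report-to: violations are not collected")
    return findings


def missing_headers(headers: Mapping[str, str]) -> List[str]:
    """Names (lower-case) of recommended headers absent from a response."""
    present = {name.lower() for name in headers}
    return [name for name in RECOMMENDED_HEADERS if name not in present]


def audit_response(headers: Mapping[str, str]) -> Dict[str, List[str]]:
    """Combine the header check and the CSP check for one response."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    return {
        "missing_headers": missing_headers(headers),
        "csp_findings": csp_findings(csp) if csp else ["no Content-Security-Policy header"],
    }


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval'",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    **{name.title(): value for name, value in RECOMMENDED_HEADERS.items()},
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response))
```

Run it as-is to see the weak response flagged for four missing headers plus an `'unsafe-eval'` script-src with no reporting, and the hardened response come back clean; point `audit_response` at real headers captured from your own server to use it as a pre-deployment check.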