Observatory by Mozilla – automated website security testing tool (observatory.mozilla.org)
61 points by chuckharmston 3588 days ago
5 comments

I'm the primary developer of the scanner and website, and would be happy to answer anybody's questions, should they have any. :)
I've been running a few tests, progressively fixing various issues, and now I'm getting an "Error: Site down" error; however, I am still able to access my website over HTTP and HTTPS in my browser.
Microsoft and Google both score a "D", Mozilla itself scores a "D-", and Apple and Amazon both score an "F".
On the plus side, there are sites doing really well, like GitHub (A+), HackerOne (A+), and Twitter (A). Even Facebook is doing pretty well, with a B. Hopefully sites like the Observatory help sites do better.

We're working really hard on getting mozilla.org to the point where it also gets an A+.

I find it interesting how the first website ever, being info.cern.ch, fails 6 of the 10 tests, getting a 0/100.
It also has an invalid website certificate. Kind of a shame that it's so neglected, but it's a pretty good example of what happens to sites when they're allowed to sit for too long.
I was under the impression it was recently updated for the 25th anniversary. However, I can understand not adding "security" in the name of preservation. Real shame.
The nice thing is that most of the security measures -- aside from Subresource Integrity -- can be done without changing any of the actual content.
I find it interesting (and a bit disappointing) that while github.com gets an A, a static page I host on GitHub Pages received an F. It would be great if GitHub would help pages hosted there be more secure by default.
Which of the security tests performed by this tool do you feel have a significant impact on a static page?

Some of these things, such as Subresource Integrity, will be down to you and what you do with the code. Many of these tests have very little bearing on how 'secure' a static page is.

A lot of these headers are repetitive; they need to be standardized instead of just making more convoluted options.