Jokes on them, JavaScript won’t do shit if your target audience is not using a browser to render content. I got a site that renders in a terminal, much like wttr.in, ifconfig.co, etc.
Some of the points are good, and some otherwise. (I enable referrer spoofing in my browser, so following the link from here works fine) I think "Users must keep themselves safe" is good. (Software can help at that, but it should not do so by forcing stuff onto the user; it should do so by giving the user control over it; with enough ropes to hang yourself and also a few more just in case, and documentation should be included so that the user can know how to work the software properly rather than wrongly.) The text they quote says "The only reason you should open port 80 on your server is to redirect all requests to port 443 and then close the connection on port 80." and that is wrong. You can serve the same stuff on both; no need to redirect either one to the other. (HSTS isn't so good either, mainly due to the "no user recourse" feature, and some of its other features; if it was limited to denoting that all content is available over HTTPS, then it would be acceptable.) Of course, you can also serve Gopher and whatever other services you might want; you need not be limited to HTTP and HTTPS. I did not know about "TLS 1.3 and HTTP/2 have padding frames to inflate the size of the ciphertext.", but it is good that TLS supports such a feature, whether HTTPS or any other protocol that uses TLS. (In the case of HTTPS, even if it didn't do that, you could perhaps add a "X-Padding" header to include worthless data, but other protocols that use TLS might not do that.) If you don't need JavaScripts on your webpages (and in most cases you shouldn't), you might write something like document.write("<P><STRONG>Please disable JavaScript for an improved experience</STRONG></P>") to notify the user; this can be done whether the connection is secure or not. If the connection is secure that only means that third parties aren't tampering with it, not that the author of the webpage isn't malicious! I often just serve plain text files anyways, rather than HTML (you can use it without needing to load the web browser). It uses HTML for directory listings; I designed another format for HTTP directory listings but I don't know how to make Apache to serve directory listings in my format based on the contents of the Accept header (or at all, actually). I have Gopher as well as HTTP service, and also NNTP and some others too.