Here are some things mentioned in our talk "Data protection for websites made simple" at FSCONS in Gothenburg, Sweden, on November 8 2015.

Download slides

See also "Why data protection?" and "Recent reports" on the page about our earlier DrupalCamp Baltics talk.

HTTPS

Use HTTPS, always. Standard (domain-validated) certificates now cost under 10 EUR/year, and Let's Encrypt will soon make them free.

Turn on HSTS (HTTP Strict Transport Security) only after making sure that everything works over HTTPS, including mixed content and every subdomain you intend to cover: once a browser has seen the header it refuses plain HTTP for that site for the whole max-age you set, so there is no quick undo for visitors who already have the policy cached. Start with a short max-age and raise it when nothing breaks.

Note that HTTPS doesn't offer perfect privacy: the hostname is still visible to the network (DNS lookup, TLS SNI), and it may still be possible to tell which page you're looking at through traffic analysis of request sizes and timing. But it's a whole lot better than plain HTTP.

Use Qualys' SSL Server Test to check your setup.
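As an added example for this page (not from the talk or the slides), here is a small Node.js script that audits the Strict-Transport-Security header before you commit to a long max-age. The response headers in it are constructed; in practice you would paste in what curl -sI https://yoursite/ returns. The six-month "still testing" threshold is this example's own choice; the one-year figure is what hstspreload.org currently requires for the preload list.

```javascript
// Added example: audit a Strict-Transport-Security header (RFC 6797) before
// raising max-age. SAMPLE_HEADERS is constructed to stand in for a real response.

const ONE_YEAR = 31536000;        // hstspreload.org's current minimum max-age
const SHORT_MAX_AGE = 15552000;   // six months: this example's threshold for "still testing"

// Parse the directives of a Strict-Transport-Security header value.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(headerValue).split(';')) {
    const directive = part.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      // max-age must be a non-negative integer number of seconds
      if (/^\d+$/.test(value)) policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // unknown directives are ignored, as RFC 6797 requires
  }
  return policy;
}

// Returns a list of findings; an empty list means the header is ready for production.
// `headers` uses lower-case names, as Node's http module delivers them.
function auditHsts(headers, scheme) {
  const findings = [];
  if ((scheme || 'https') !== 'https') {
    findings.push('HSTS is only honoured on HTTPS responses; browsers ignore it over plain HTTP');
  }
  const value = headers['strict-transport-security'];
  if (!value) {
    findings.push('no Strict-Transport-Security header');
    return findings;
  }
  const p = parseHsts(value);
  if (p.maxAge === null) {
    findings.push('max-age missing or malformed: browsers ignore the whole header');
  } else if (p.maxAge === 0) {
    findings.push('max-age=0 tells browsers to forget the policy (a rollback, not a deployment)');
  } else if (p.maxAge < SHORT_MAX_AGE) {
    findings.push('max-age=' + p.maxAge + ' is a testing value; raise it once everything works over HTTPS');
  }
  if (!p.includeSubDomains) {
    findings.push('includeSubDomains not set: subdomains stay reachable over plain HTTP (check them first)');
  }
  if (p.preload && (!p.includeSubDomains || p.maxAge === null || p.maxAge < ONE_YEAR)) {
    findings.push('preload requested, but the preload list requires includeSubDomains and max-age >= ' + ONE_YEAR);
  }
  return findings;
}

// Constructed sample: a first rollout step with a deliberately short max-age.
const SAMPLE_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'strict-transport-security': 'max-age=300; includeSubDomains',
};

if (typeof require !== 'undefined' && require.main === module) {
  auditHsts(SAMPLE_HEADERS).forEach(function (f) { console.log('- ' + f); });
}
```

Run it against your own headers after each step of the rollout: the sample above reports only that max-age=300 is a testing value, and the script goes quiet once you ship max-age=31536000 with includeSubDomains (and preload, if you submit the site to the preload list).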

Referrers

rel="noreferrer" can be put on individual links so that the browser sends no Referer header when the link is followed. Supported by Firefox since version 33, by WebKit (Chrome, Safari) since November 2009, and by Microsoft Edge in Windows 10.

A more powerful option is Referrer Policy, which applies one policy to all links on a page in one go, and also to the other requests the page generates (external CSS, JS, images, iframes). Add this to your page head:

<meta name="referrer" content="never">

Referrer Policy is still a W3C draft, but it is supported by the latest Firefox, Chrome and Safari, as well as by Microsoft Edge. no-referrer is the preferred keyword, but Edge only understood the legacy never keyword last time we checked, which is why the example above uses never.
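The following is an added example (written for this page, not part of the talk) that works through what Referer a browser sends under each Referrer Policy keyword, including the legacy meta keywords never, default and always, and what rel="noreferrer" does on a single link. It follows the spec's referrer determination steps; the shop and tracker URLs are made up.

```javascript
// Added example: what Referer a browser sends under each Referrer Policy
// keyword, following the spec's "determine request's referrer" steps.
// The URLs below are constructed for illustration.

// Legacy <meta name="referrer"> keywords map onto the current policy names.
const LEGACY_KEYWORDS = {
  never: 'no-referrer',
  default: 'no-referrer-when-downgrade',
  always: 'unsafe-url',
  'origin-when-crossorigin': 'origin-when-cross-origin',
};

function normalizePolicy(keyword) {
  const k = String(keyword).trim().toLowerCase();
  return LEGACY_KEYWORDS[k] || k;
}

// A "full" referrer is the page URL minus credentials and fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value to send, or null for no Referer header at all.
function referrerFor(policy, sourceUrl, destUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  const full = stripForReferrer(sourceUrl);
  const originOnly = src.origin + '/';
  const sameOrigin = src.origin === dst.origin;
  // downgrade: leaving an HTTPS page for a non-HTTPS destination
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  switch (normalizePolicy(policy)) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// A link with rel="noreferrer" behaves as no-referrer regardless of the page policy.
function linkReferrer(pagePolicy, rel, sourceUrl, destUrl) {
  const tokens = String(rel || '').toLowerCase().split(/\s+/);
  if (tokens.includes('noreferrer')) return null;
  return referrerFor(pagePolicy, sourceUrl, destUrl);
}

// Constructed scenario: a logged-in page with a query string that loads a
// third-party image. Without a policy (browser default: no-referrer-when-downgrade)
// the full page URL, query string included, leaks to the image host.
const PAGE = 'https://shop.example/account/orders?customer=4711#latest';
const TRACKER_IMG = 'https://cdn.third-party.example/pixel.gif';

function demo() {
  return {
    browserDefault: referrerFor('no-referrer-when-downgrade', PAGE, TRACKER_IMG),
    withMetaNever: referrerFor('never', PAGE, TRACKER_IMG),
    originOnlyCrossSite: referrerFor('strict-origin-when-cross-origin', PAGE, TRACKER_IMG),
  };
}
```

demo() shows the three outcomes side by side: the browser default hands the tracker the full path and query string, never (no-referrer) sends nothing, and strict-origin-when-cross-origin is the middle ground that still lets your own pages see where visitors came from while third parties only learn the origin.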

Google Analytics alternative: Piwik

Piwik is a free (GPLv3) analytics platform that you host yourself; it's written in PHP and uses MySQL.

Make sure you anonymize visitor IP addresses (a server-side privacy setting) and disable the tracking cookies (done from the tracking code on your pages). See "Configure Privacy Settings in Piwik" and "How do I disable all cookies for a visitor?" in the Piwik documentation.

There's a WordPress plugin (which adds Piwik stats to the dashboard) and a Drupal module.
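As an added example (not from the talk or from Piwik's documentation): the tracker bootstrap with cookies disabled, followed by an illustration of what IP anonymization does to an address before it is stored. The analytics host and site id are assumptions, and anonymizeIp is a stand-in written for this page, not Piwik's code (Piwik lets you choose how many bytes to mask in its privacy settings; the 1-to-3 range here is this example's own).

```javascript
// Added example: Piwik tracker bootstrap with cookies disabled (the documented
// _paq API), plus an illustration of what server-side IP anonymization does.
// The analytics host and site id are assumed; anonymizeIp() is written for
// this page and is not Piwik's own implementation.

var _paq = _paq || [];
// disableCookies must be queued before trackPageView; otherwise the first
// page view already sets the visitor cookies.
_paq.push(['disableCookies']);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function () {
  if (typeof document === 'undefined') return;   // no DOM, e.g. when run under Node
  var u = 'https://analytics.example.org/';      // assumed: your own, self-hosted Piwik instance
  _paq.push(['setTrackerUrl', u + 'piwik.php']);
  _paq.push(['setSiteId', '1']);                 // assumed site id
  var d = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
  g.type = 'text/javascript'; g.async = true; g.defer = true; g.src = u + 'piwik.js';
  s.parentNode.insertBefore(g, s);
})();

// Illustrative IPv4 masking: zero the last `maskedBytes` octets before the
// address is stored, so 192.0.2.45 becomes 192.0.2.0 (one byte) or
// 192.0.0.0 (two bytes). IPv6 is left out of this illustration.
function anonymizeIp(ip, maskedBytes) {
  if (maskedBytes === undefined) maskedBytes = 1;
  var octets = String(ip).split('.');
  var valid = octets.length === 4 && octets.every(function (o) {
    return /^\d{1,3}$/.test(o) && Number(o) <= 255;
  });
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  if (maskedBytes < 1 || maskedBytes > 3) throw new Error('mask between 1 and 3 bytes');
  return octets.map(function (o, i) {
    return i >= 4 - maskedBytes ? '0' : String(Number(o));
  }).join('.');
}
```

Whatever you mask, the point is that the original address never reaches the database: the masked value is what ends up in the visitor log and in any export.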

Web fonts

Self-host Google Fonts rather than loading them from Google's servers, which would otherwise receive a request, with the referring page, on every visit. Use one of the following to get the fonts in all formats with proper CSS:

Social media buttons

The official like/share buttons load the networks' own code on every page view, which lets them track your visitors whether anyone clicks or not. Use plain links with locally hosted images or an icon font, such as Font Awesome, instead.

If you need to show share counts, use a two-click solution (the user has to click once to activate the widget before it loads anything from the network), such as Social Share Privacy, or let your server fetch the counts periodically and render them itself. The same goes for embedded Tweets and similar embeds.
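As an added example (not code from the talk or from Social Share Privacy): plain share links that request nothing from the networks until clicked, and a two-click activator that creates the vendor's iframe only after the visitor opts in. The share endpoints are the networks' public intent/sharer URLs; the vendor embed URL, the sandbox flags and the post URL are assumptions for the illustration.

```javascript
// Added example: share links that load nothing from the networks until the
// user acts, plus a two-click activator for count widgets and embeds.
// The intent/sharer endpoints are the networks' public ones; the vendor
// embed URL, sandbox flags and post URL are assumptions for this illustration.

function enc(s) { return encodeURIComponent(String(s)); }

// Plain GET links: rendered with local icons, they make no request to the
// network until clicked, and send no Referer (rel="noreferrer") when they are.
const SHARE_ENDPOINTS = {
  twitter: (url, text) => 'https://twitter.com/intent/tweet?url=' + enc(url) + '&text=' + enc(text),
  facebook: (url) => 'https://www.facebook.com/sharer/sharer.php?u=' + enc(url),
  email: (url, text) => 'mailto:?subject=' + enc(text) + '&body=' + enc(url),
};

function shareLinks(pageUrl, title) {
  return Object.keys(SHARE_ENDPOINTS).map((network) => ({
    network,
    href: SHARE_ENDPOINTS[network](pageUrl, title),
    rel: 'noopener noreferrer',   // noreferrer hides the page URL, noopener blocks window.opener abuse
    target: '_blank',
  }));
}

// Two-click widget: the page ships only a local placeholder button. The
// vendor's iframe (which can count the visitor) is created only when the
// user clicks, and only once.
function twoClickEmbed(vendorSrc, placeholderText) {
  let loaded = false;
  return {
    placeholder: { text: placeholderText },
    get loaded() { return loaded; },
    activate() {
      if (loaded) return null;
      loaded = true;
      return {
        src: vendorSrc,
        sandbox: 'allow-scripts allow-same-origin allow-popups',  // assumed: what a typical embed needs
        referrerPolicy: 'no-referrer',
      };
    },
  };
}

// Wire the placeholder into the DOM; returns false without a document (e.g. under Node).
function mountTwoClick(container, embed, doc) {
  doc = doc || (typeof document !== 'undefined' ? document : null);
  if (!doc) return false;
  const button = doc.createElement('button');
  button.type = 'button';
  button.textContent = embed.placeholder.text;
  button.addEventListener('click', () => {
    const spec = embed.activate();
    if (!spec) return;
    const frame = doc.createElement('iframe');
    frame.src = spec.src;
    frame.setAttribute('sandbox', spec.sandbox);
    frame.setAttribute('referrerpolicy', spec.referrerPolicy);
    container.replaceChild(frame, button);
  });
  container.appendChild(button);
  return true;
}

// Constructed usage: a post page with its share links and an embed behind two clicks.
const POST_URL = 'https://blog.example/2015/11/fscons';                              // constructed
const POST_LINKS = shareLinks(POST_URL, 'Data protection for websites made simple');
const TWEET_EMBED = twoClickEmbed('https://vendor.example/embed/123', 'Show Tweet');  // assumed vendor URL
```

In the page, POST_LINKS become ordinary anchors with a local icon each, and mountTwoClick(document.getElementById('tweet'), TWEET_EMBED) puts the "Show Tweet" button where the embed would go. Until that button is clicked, the vendor's servers see nothing from your visitor; when the iframe is finally created, referrerpolicy="no-referrer" keeps the page URL out of the request as well.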

Disqus alternatives

If you don't want to use the built-in comment system of your CMS (or if it has none), you can run self-hosted Disqus-like software:

Or use e.g. Discourse: there's a WordPress plugin, and Discourse now also lets you embed comments via JavaScript.