Here are some things mentioned in our talk "Privacy and the Web – are you doing what it takes?" at WordCamp Europe in Vienna, June 25, 2016.

Download slides

Webbkoll - check your website (code)

Analysis of Swedish municipality websites (code)

HTTPS

Get your certificates from Let's Encrypt. Free, easy, automated.

Turn on HSTS (HTTP Strict Transport Security) after first making sure that everything works fine.

Use Qualys' SSL Server Test to check your setup.

The HTTPS-Only Standard has excellent explanations and advice about HTTPS, HSTS, certificates, etc.

Referrers

Use Referrer Policy to apply a certain policy to all links at once as well as other requests generated by a page (e.g. external CSS, JS, images). Add this to your page head to kill referrers completely:

<meta name="referrer" content="never">

Still a W3C draft, but it is supported by latest Firefox, Chrome and Safari, as well as Microsoft Edge. (no-referrer is the preferred keyword but Edge only supports the legacy never keyword last time we checked).

The same-origin policy was recently added and makes it possible to send referrers only when making same-origin requests; however it might take a little time for browser support.

Content Security Policy and other headers

Analyze and build CSP: https://report-uri.io/

Check your website for headers that are good for security: https://securityheaders.io/

Google Analytics alternative: Piwik

Piwik is a free (GPLv3) analytics platform. PHP + MySQL.

Make sure you anonymize visitor IP addresses and disable cookies. See Configure Privacy Settings in Piwik and How do I disable all cookies for a visitor?.

There's a WordPress plugin (adds Piwik stats to dashboard) and a Drupal module.

Web fonts

Self-host Google Fonts - use one of the following to get fonts in all formats with proper CSS:

Social media buttons & font icons

Official like/share buttons let others track your visitors. Use locally hosted images/fonts, like Font Awesome.

If you need to show number of shares, use a two-click solution (user needs to click to activate) - such as Social Share Privacy - or let your server fetch the data periodically. Same with e.g. embedded Tweets.

IcoMoon App makes it possible to create custom, optimized icon fonts with only the icons you want. It generates an archive with all the files and CSS necessary for self-hosting.

Disqus alternatives

If you don't want to use the built-in comment system of your CMS (or if it has none), you can run self-hosted Disqus-like software:

Or use e.g. Discourse  -- there's a WordPress plugin and Discourse also lets you embed comments via JavaScript.

Google Maps alternatives

See https://switch2osm.org/ and https://umap.openstreetmap.fr/en/ for ways to avoid Google Maps.

More self-hosting

See https://github.com/Kickball/awesome-selfhosted for a massive list of "Free Software network services and web applications which can be hosted locally".