Here are some things mentioned in our talk "Privacy and the Web – are you doing what it takes?" at WordCamp Europe in Vienna, June 25, 2016.
Get your certificates from Let's Encrypt. Free, easy, automated.
Turn on HSTS (HTTP Strict Transport Security) after first making sure that everything works fine.
Use Qualys' SSL Server Test to check your setup.
The HTTPS-Only Standard has excellent explanations and advice about HTTPS, HSTS, certificates, etc.
Use Referrer Policy to apply a certain policy to all links at once as well as other requests generated by a page (e.g. external CSS, JS, images). Add this to your page head to kill referrers completely:
<meta name="referrer" content="never">
Still a W3C draft, but it is supported by latest Firefox, Chrome and Safari, as well as Microsoft Edge. (
no-referrer is the preferred keyword but Edge only supports the legacy
never keyword last time we checked).
same-origin policy was recently added and makes it possible to send referrers only when making same-origin requests; however it might take a little time for browser support.
Content Security Policy and other headers
Analyze and build CSP: https://report-uri.io/
Check your website for headers that are good for security: https://securityheaders.io/
Google Analytics alternative: Piwik
Piwik is a free (GPLv3) analytics platform. PHP + MySQL.
Self-host Google Fonts - use one of the following to get fonts in all formats with proper CSS:
Social media buttons & font icons
Official like/share buttons let others track your visitors. Use locally hosted images/fonts, like Font Awesome.
If you need to show number of shares, use a two-click solution (user needs to click to activate) - such as Social Share Privacy - or let your server fetch the data periodically. Same with e.g. embedded Tweets.
IcoMoon App makes it possible to create custom, optimized icon fonts with only the icons you want. It generates an archive with all the files and CSS necessary for self-hosting.
If you don't want to use the built-in comment system of your CMS (or if it has none), you can run self-hosted Disqus-like software:
Google Maps alternatives
See https://github.com/Kickball/awesome-selfhosted for a massive list of "Free Software network services and web applications which can be hosted locally".