 tomreyn: I've done some of those patches there for the lubuntu.me site. HSTS is something I do *not* implement until I'm sure we have full HTTPS everywhere because that breaks a lot of stuff, esp. when we're still staging sites that use LE certs
 (can't connect to HSTS-enabled site when it has a self-signed to begin with!)
 (it breaks LE's connector too!)