Lawrence, thanks for posting the "Inherently Insecure" article.

The article inspired me to use a TOR browser and get DuckDuckGo to search for information on what they referred to as a "security hardened website". I was thinking there might be an ISO specification on security hardening of websites and I could contemplate parting with 118 Swiss Francs to buy the pdf and download it. i.e. Something Like this.

One of the web-sites that came up in the search is

However when I try to make a secure HTTPS connection to this website my browser reports "Your connection is not secure". The advanced information reveals: uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is not valid for the name
The certificate expired on 21 November 2018, 9:31 PM.

If I take the risk and connect with just http, then their web-site has a section on "Server Hardening Tips & Tricks:" and the first bullet point in this section states, "- Use Data Encryption for your Communications".

Looking through their 30 bullet points I didn't see any hardening recommendations on the use of javascript on websites. I looked at the source code of their web-page and saw they use javascript, so I guess javascript is all OK.

Feel free to take the risk and check out this one page website at  ...30 bullet points is a little short for an ISO specification, but it is free ;-)

cheers, Ian.