This is not only a simple HTML website; I also host my email under this domain. A personal homepage, nothing work-related. All services were provided by the webhost.
The failed tests:
Content Security Policy (CSP) header not implemented
HTTP Strict Transport Security (HSTS) header not implemented
Does not redirect to an HTTPS site
X-Content-Type-Options header not implemented
X-Frame-Options (XFO) header not implemented
X-XSS-Protection header not implemented
Is this the level of security I can expect from a well-known webhosting service in my country? Is it viable for a motivated attacker to access my email (and potentially take over)?
I could have fixed at least the HTTPS redirection myself, but I'd prefer that the hosting company sets a basic level of security for all customers.
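As an added example (not part of the original post), the six checks listed above can be reproduced offline against captured responses, which is useful for confirming a fix after changing the site's configuration. The function names and the sample responses are constructed for illustration, and it is assumed that the plain-HTTP and HTTPS answers are captured separately.

```python
# Added example: sample responses are constructed; names are hypothetical.
REDIRECTS = (301, 302, 307, 308)

def parse_response(raw):
    """Split a raw HTTP response into (status, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def failed_tests(http_raw, https_raw):
    """Return the failed checks, worded and ordered as in the post's list."""
    status, plain = parse_response(http_raw)   # answer on port 80
    _, tls = parse_response(https_raw)         # answer on port 443
    redirected = (status in REDIRECTS and
                  plain.get("location", "").lower().startswith("https://"))
    checks = [
        ("Content Security Policy (CSP) header not implemented",
         "content-security-policy" in tls),
        # HSTS only counts when sent over HTTPS and carrying a max-age.
        ("HTTP Strict Transport Security (HSTS) header not implemented",
         "max-age=" in tls.get("strict-transport-security", "").lower()),
        ("Does not redirect to an HTTPS site", redirected),
        # A present header with an unrecognised value is treated as missing.
        ("X-Content-Type-Options header not implemented",
         tls.get("x-content-type-options", "").lower() == "nosniff"),
        ("X-Frame-Options (XFO) header not implemented",
         tls.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")),
        ("X-XSS-Protection header not implemented",
         "x-xss-protection" in tls),
    ]
    return [name for name, ok in checks if not ok]

# Constructed samples: a site with no hardening, then a hardened one.
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
FIXED_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.org/\r\n\r\n"
FIXED_HTTPS = ("HTTP/1.1 200 OK\r\n"
               "Content-Security-Policy: default-src 'self'\r\n"
               "Strict-Transport-Security: max-age=31536000\r\n"
               "X-Content-Type-Options: nosniff\r\n"
               "X-Frame-Options: DENY\r\n"
               "X-XSS-Protection: 0\r\n\r\n")

if __name__ == "__main__":
    for name in failed_tests(BARE, BARE):
        print("FAIL:", name)
```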