
Lawrence, thanks for posting the "Inherently Insecure" article.

The article inspired me to use a TOR browser and get DuckDuckGo to search for information on what they referred to as a "security hardened website". I was thinking there might be an ISO specification on security hardening of websites and I could contemplate parting with 118 Swiss Francs to buy the PDF and download it, i.e. something like this: <https://www.iso.org/standard/72029.html>.

One of the websites that came up in the search is www.serverhardening.com. However, when I try to make a secure HTTPS connection to this website my browser reports "Your connection is not secure". The advanced information reveals:

www.serverhardening.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name www.serverhardening.com. The certificate expired on 21 November 2018, 9:31 PM.

If I take the risk and connect with just HTTP, then their website has a section on "Server Hardening Tips & Tricks:" and the first bullet point in this section states, "- Use Data Encryption for your Communications". Looking through their 30 bullet points I didn't see any hardening recommendations on the use of JavaScript on websites. I looked at the source code of their web page and saw they use JavaScript, so I guess JavaScript is all OK.

Feel free to take the risk and check out this one-page website at http://www.serverhardening.com ... 30 bullet points is a little short for an ISO specification, but it is free ;-)

cheers,
Ian.