I helped improve SimilarWorlds' security
Reference: https://similarworlds.com/story?fid=26&tid=507591&rid=5416646&name=Science-Technology
I pointed out to Nuno that similarworlds.com should supply additional headers in their HTTP response. He took my advice and in 24 hours or less, it's been implemented!
Just a quick note on your current headers: your web front-end is advertising to the world that it's running Apache. Also, I know that the Content-Security-Policy header is a real pain to implement, as you could potentially break the site, but IMO that'd be pretty awesome to get working. Public key pinning would be nice too; does Let's Encrypt allow more than one cert to be issued to the same domain?
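The points raised in the post (a Server header that names the web server software, a missing Content-Security-Policy, and the wish for key pinning) can be checked mechanically against any response. The script below is an added example written for this page; it is not code from the post's author or from SimilarWorlds, and the two HTTP responses it audits are constructed samples, not captures from similarworlds.com. It parses a raw HTTP/1.1 response, flags software disclosure and the missing or weak hardening headers, and treats a Public-Key-Pins header as a finding rather than a bonus: Let's Encrypt does issue multiple certificates for the same names (within its rate limits), but HPKP has since been removed from the major browsers, so a pin set today only risks locking the operator out of their own site.

```python
"""Audit the security headers of an HTTP response (added example, not SimilarWorlds code)."""
from __future__ import annotations

import re

# Constructed sample responses: a "before" that sends the weak header set
# the post describes, and an "after" with a hardened set. Neither is a
# capture from any real site.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 response into its status line and a header map.

    Header names are lower-cased because they are case-insensitive on the
    wire; repeated names are joined with ", " as the HTTP spec permits.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            continue  # tolerate a malformed line instead of aborting the audit
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status_line, headers


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # 1. Software disclosure: a Server value naming the product (and worse,
    #    its version) hands out the first thing an attacker would look up.
    server = headers.get("server")
    if server:
        detail = "with version" if re.search(r"/\d", server) else "product only"
        findings.append(f"Server header discloses software ({detail}): {server!r}")

    # 2. Headers every HTTPS site should send, and what counts as "present".
    required = {
        "strict-transport-security": lambda v: "max-age=" in v.lower(),
        "content-security-policy": lambda v: bool(v.strip()),
        "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    }
    for name, is_ok in required.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif not is_ok(value):
            findings.append(f"weak {name}: {value!r}")

    # 3. Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in headers:
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")

    # 4. HPKP is no longer honoured by browsers, so sending it buys nothing
    #    and a bad pin set can lock the operator out of their own site.
    if "public-key-pins" in headers:
        findings.append("Public-Key-Pins is sent but browsers no longer honour it")

    return findings


def audit_raw(raw: str) -> list[str]:
    """Convenience wrapper: parse a raw response and audit its headers."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_raw(raw) or ["no findings"]:
            print(" -", finding)
```

Running it prints the findings for the weak sample (software disclosure with version, three missing headers, no framing restriction) and "no findings" for the hardened one. To audit a live site, replace the constructed strings with the raw response captured by a client that keeps the original header block, such as the output of `curl -si`.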