add HTTP Feature-Policy header to disable all unused browser APIs
https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy
This site needs hardly any JS features, so disable them. There is no way to set the default to none yet; once that is available, this should switch to a simple "default 'none';" https://github.com/w3c/webappsec-feature-policy/issues/189
This scanner which I found via Mozilla Observatory recommends them: https://securityheaders.com/?q=https%3A%2F%2Ff-droid.org%2F
Edited by Hans-Christoph Steiner
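Because there is no `default 'none'`, a deny-all policy has to name every feature explicitly, and a header that omits one leaves that API at the browser default. The sketch below is an added example, not code from this issue or from the F-Droid project: it builds such a header and audits a received `Feature-Policy` value for gaps. The feature list is an assumption taken from the Feature Policy draft names documented on MDN, and the function names are hypothetical.

```python
# Feature names from the Feature Policy draft as documented on MDN.
# Assumption: the page itself does not list them; keep this in sync with the spec.
KNOWN_FEATURES = (
    "accelerometer", "ambient-light-sensor", "autoplay", "camera",
    "encrypted-media", "fullscreen", "geolocation", "gyroscope",
    "magnetometer", "microphone", "midi", "payment",
    "picture-in-picture", "sync-xhr", "usb",
)


def build_deny_all(features=KNOWN_FEATURES):
    """Return a Feature-Policy header value that sets every feature to 'none'."""
    return "; ".join(f"{name} 'none'" for name in features)


def parse_policy(header_value):
    """Map each feature name to the list of allowlists given for it.

    Repeated directives are all kept so the audit can stay conservative
    instead of guessing which occurrence a browser would honour.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return policy


def audit(header_value, features=KNOWN_FEATURES):
    """Return {feature: reason} for every feature not strictly disabled."""
    policy = parse_policy(header_value)
    findings = {}
    for name in features:
        allowlists = policy.get(name)
        if allowlists is None:
            findings[name] = "missing (browser default applies)"
            continue
        loose = [a for a in allowlists if a != ["'none'"]]
        if loose:
            shown = " ".join(loose[0]) or "(empty allowlist)"
            findings[name] = f"not 'none': {shown}"
    return findings


if __name__ == "__main__":
    # Constructed sample header, not taken from any real site.
    sample = "geolocation 'none'; camera 'self' https://example.org"
    for feature, reason in audit(sample).items():
        print(f"{feature}: {reason}")
```

Running the audit against the header a deployment actually serves, for example in CI, catches features that were added to the spec after the header was written.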