add HTTP Content Security Policy (CSP)
The HTTP Content Security Policy can remove a lot of the attack surface of a website. It is also one of those things where you can get a letter grade from a reputable scanner, so security-conscious people pay more attention to that specific detail since it is easy to quickly scan. Repomaker right now seems to have no CSP set up. I think Repomaker should start out by putting in a very safe, easy CSP so it has something. That'll then lay the groundwork for locking it down.
Here's f-droid.org's as an example of a full lockdown: .htaccess. Removing support for things that Repomaker is not using at all is one easy step (e.g. object, frames, etc.). The next easiest is locking down other sources to self. For script-src and style-src, including unsafe-inline is probably necessary to start with. Something like:
# Apache mod_headers directive; a line ending in "\" is joined with the next
# line by the config parser, so the whole quoted value becomes one header.
# Scheme sources (https:) are written without quotes; quoted they are not a
# keyword and browsers drop them. block-all-mixed-content is obsolete in the
# current CSP drafts; upgrade-insecure-requests is the replacement.
Header always set Content-Security-Policy "\
default-src 'self'; \
block-all-mixed-content; \
img-src https:; \
media-src https:; \
object-src 'none'; \
script-src 'self' 'unsafe-inline'; \
style-src 'self' 'unsafe-inline'; \
"