Both tests consist of many details, and some points might still look improvable, but on verifying things a bit more closely I discovered that some of the incompatibilities reported on the first test page are related to old standards.
So the tests related to the HIPAA and NIST guidelines still recommend old cipher suites, which I can't serve because the current OpenSSL version no longer includes these ciphers.
This "A" was improved further by the following two steps:
- Some restrictions concerning scripts in the content: they can no longer be embedded directly in the page but have to be included as separate files. That way the script files can additionally be protected with file permissions, and injecting script code directly into any page on the client side no longer works.
After moving the few scripts for the Facebook and Twitter social buttons into separate files, the restrictions could be tightened.
- As the CMS TYPO3 doesn't work with this restriction, the backend was moved to another domain. The settings for that domain have to be less restrictive, as they previously were for the whole site, but this way the backend could easily be secured with an additional second password, so security is not only better in the statistics but also through steps that the tests don't measure.
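The restriction described in the two steps above is what a Content-Security-Policy header enforces when its script-src directive omits 'unsafe-inline'. The checker below is an added example, not code from the original post or from TYPO3, and the three policies in it are constructed assumptions rather than the site's real headers: a loose policy for a site that still carries inline scripts, the tightened policy that becomes possible once every script is an external file, and the looser policy a separate backend host keeps so the CMS works. It parses a header the way a browser does (first occurrence of a directive wins, script-src falls back to default-src, a nonce or hash makes 'unsafe-inline' ineffective) and reports the settings that still let injected script run.

```python
"""Audit a Content-Security-Policy header for settings that allow inline script.
Added example; the policies below are constructed, not a real site's headers."""
from typing import Dict, List

# Constructed policy for a site that still embeds <script> blocks directly:
# 'unsafe-inline' is required, so an injected inline script would run too.
SITE_POLICY_BEFORE = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' "
    "https://connect.facebook.net https://platform.twitter.com; "
    "style-src 'self' 'unsafe-inline'"
)

# Constructed policy after every script (social buttons included) is a separate
# file: only scripts loaded from the listed origins execute.
SITE_POLICY_AFTER = (
    "default-src 'self'; "
    "script-src 'self' https://connect.facebook.net https://platform.twitter.com; "
    "style-src 'self'; object-src 'none'; frame-ancestors 'none'"
)

# Constructed policy for the backend host on its own domain: the CMS needs inline
# script and eval, so this host stays looser and is protected by other means.
BACKEND_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'"
)

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, sources whitespace-separated. Directive names
    are case-insensitive; when a directive is repeated, browsers keep only the
    first occurrence, and so does this parser."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives such as script-src fall back to default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return findings for a policy; an empty list means inline script is blocked."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: any script, inline or remote, runs")
    script = [s.lower() for s in effective_sources(policy, "script-src")]
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in script)
    # With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP level 2+).
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected <script> blocks run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() run")
    if "*" in script:
        findings.append("script-src allows '*': scripts load from any origin")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin content (<object>, <embed>) is unrestricted")
    return findings


if __name__ == "__main__":
    for label, header in (("site before", SITE_POLICY_BEFORE),
                          ("site after", SITE_POLICY_AFTER),
                          ("backend host", BACKEND_POLICY)):
        print(f"{label}: {audit_csp(header) or ['ok']}")
```

Run it once against the live header (for example the value printed by `curl -sI https://example.invalid | grep -i content-security-policy`, with your own host name) for the public site and once for the backend host: the public site should come back clean, and the backend host's findings are the ones you accept deliberately because that origin sits behind the extra password.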
The old grade for the first test was B, and the old grade for the second test was F.
So by changing a few technical details the site is much safer now, and customer accounts and forms, such as a contact form, can now be implemented without too many worries.