I noticed a change in my local config during my last ikiwiki-hosting upgrade: I had enabled HSTS in my local apache template, to prevent downgrade attacks in cases where HTTP to HTTPS redirection is enabled.
The patch is trivial, and I encourage you to merge it from my hsts branch. I used an arbitrary 6-month delay, but would welcome comments on better policies... This was a key part in getting my site a better score on the Mozilla SSL Observatory. I made other changes at the global level on the server configuration, but this one is vhost-specific, so I had to roll it out in the Apache template. With the changes, I was able to move from a D- score to A-.
Thanks! --anarcat