Great checklist. One recommendation - the checklist page has a lot of CORS policy violation and insecure endpoint errors/warnings. Being that this list, and your company, represent a security product, these errors undermine the credibility a little.
There are different levels of maturity with your security headers, and Sqreen's cookies are scoped to a completely different subdomain my.sqreen.io versus www.sqreen.io. It looks to me like they are doing everything right.
There is no shame in having your CSP header in Report-Only. It's complicated to manage your assets, especially when using a tag manager where it's not obvious what the hell the URIs/hosts are that will be loaded.
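The workflow the comment above describes (run Content-Security-Policy-Report-Only, collect the violation reports, and only then learn which hosts a tag manager actually pulls in) is shown below as an added example; it is not code from the original page or from Sqreen. The reports are constructed samples with hypothetical hosts (tags.example.net, cdn.example.org), the report endpoint path /csp-report is an assumption, and the policy-building rules are this example's own, not any particular product's behaviour.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit


def _report(directive, blocked, doc="https://www.example.com/"):
    """Build one report in the JSON shape a browser POSTs to report-uri (constructed sample)."""
    return json.dumps({"csp-report": {"document-uri": doc,
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})


# Constructed sample reports, as collected while the policy was in Report-Only mode.
# Hosts are hypothetical; the last entry simulates junk hitting the endpoint.
SAMPLE_REPORTS = [
    _report("script-src", "https://tags.example.net/loader.js?v=3"),
    _report("script-src", "https://tags.example.net/vendor/pixel.js"),
    _report("script-src", "inline", doc="https://www.example.com/pricing"),
    _report("img-src", "https://cdn.example.org/hero.png"),
    "not json at all",
]

# Keyword values a browser puts in blocked-uri instead of a URL, mapped to the source
# expression that would allow them. Inline and eval are deliberately kept out of the
# generated policy: allowing them wholesale defeats CSP, so they are reported
# separately for a nonce/hash decision.
KEYWORD_SOURCES = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'",
                   "data": "data:", "blob": "blob:"}
NEVER_AUTO_ALLOW = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_report(raw):
    """Return the inner csp-report dict, or None for malformed input."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    return report if isinstance(report, dict) else None


def source_expression(blocked_uri):
    """Collapse a blocked-uri to the origin-level source expression CSP needs."""
    if blocked_uri in KEYWORD_SOURCES:
        return KEYWORD_SOURCES[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # drop path and query string
    return None  # empty or unrecognised; nothing safe to derive from it


def aggregate(raw_reports):
    """Count source expressions per directive across all parseable reports."""
    counts = defaultdict(Counter)
    for raw in raw_reports:
        report = parse_report(raw)
        if report is None:
            continue
        # Older browsers only send violated-directive, which may carry the full source list.
        directive = (report.get("effective-directive")
                     or report.get("violated-directive", "").split(" ")[0])
        src = source_expression(report.get("blocked-uri", ""))
        if directive and src:
            counts[directive][src] += 1
    return {d: dict(c) for d, c in counts.items()}


def build_policy(counts, base="default-src 'self'"):
    """Turn aggregated counts into an enforceable policy string plus a review list."""
    directives = [base]
    needs_review = []
    for directive in sorted(counts):
        allowed = ["'self'"]
        for src in sorted(counts[directive]):
            if src in NEVER_AUTO_ALLOW:
                needs_review.append((directive, src, counts[directive][src]))
            else:
                allowed.append(src)
        directives.append(f"{directive} {' '.join(allowed)}")
    return "; ".join(directives), needs_review


def report_only_header(policy, report_path="/csp-report"):
    """Header to ship first; rename it to Content-Security-Policy once the review list is empty."""
    return ("Content-Security-Policy-Report-Only", f"{policy}; report-uri {report_path}")


if __name__ == "__main__":
    counts = aggregate(SAMPLE_REPORTS)
    policy, review = build_policy(counts)
    print(report_only_header(policy))
    for directive, src, n in review:
        print(f"review: {directive} {src} ({n} reports) -> use a nonce or hash instead")
```

The point of keeping 'unsafe-inline' and 'unsafe-eval' on a review list rather than in the generated header is that a tag manager's inline snippets are exactly the thing you want to replace with a nonce or hash before flipping the header from Report-Only to enforcing; everything else the reports reveal can be allowlisted at origin granularity.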
Nice site design. Will try it out.
Seeing a lot of the watercolor images you used on your homepage lately. Twist uses some too. Is there a standard site/designer who makes these?