My point is, the service simply hosts HTML, ostensibly this is the same as any consumer web host. So whatever attack vector you can think of exists on Dreamhost or Godaddy pages, for instance.
I understand, but you can't have it both ways: You can either build a minimal Twitter clone that limits user-submitted content and not worry too much about security/abuse, or you can build a web host. The latter entails a comparatively enormous amount of responsibility you don't seem keen to take on.
I have worked for companies that offered commercial web host services and it is a massive security undertaking. I'm still not 100% convinced it's possible to offer a profitable, truly secure web host without compromising on feature set.
- You have no CSP header that I can see.
- You do expose the server version in the headers, though.
- The site is available at a non-SSL-secured domain.
- There's no X-Frame-Options, X-Permitted-Cross-Domain-Policies, etc.