Update:
I've done a few server setting changes to the previous changes that were done to secure the site further. I realise that a couple of those older changes were likely involved in some elements of posting error (like getting a 403 message instead of being able to access the site etc). So they've been disabled until I bullet-proof them to work properly. Hopefully this should mean that some people who had issues will have fewer issues.
I also removed a method used in HSTS, whereby the website would first resolve the domain.tld to HTTPS then add the subdomain on with an extra resolution. (It basically meant that any access to the site using http://domain.tld was going through two redirects.) Now it just goes through the one to elevate HTTP to HTTPS (which isn't in line with HSTS; however, I decided not to use HSTS because while it does potentially add to security, it can also add to configuration errors).