Website Best Practices Audits

Does not use HTTPS

All sites should be protected with HTTPS, even ones that don't handle sensitive data. This includes avoiding mixed content, where some resources are loaded over HTTP despite the initial request being served over HTTPS. HTTPS prevents intruders from tampering with or passively listening in on the communications between your app and your users, and is a prerequisite for HTTP/2 and many new web platform APIs. Learn more.

Links to cross-origin destinations are unsafe

Add rel="noopener" or rel="noreferrer" to any external links to improve performance and prevent security vulnerabilities. Learn more.

Requests the geolocation permission on page load

Users are mistrustful of or confused by sites that request their location without context. Consider tying the request to a user action instead. Learn more.

Requests the notification permission on page load

Users are mistrustful of or confused by sites that request to send notifications without context. Consider tying the request to user gestures instead. Learn more.

Includes front-end JavaScript libraries with known security vulnerabilities

Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.

Prevents users from pasting into password fields

Preventing password pasting undermines good security policy. Learn more.

Displays images with incorrect aspect ratio

Image display dimensions should match natural aspect ratio. Learn more.

Serves images with low resolution

Image natural dimensions should be proportional to the display size and the pixel ratio to maximize image clarity. Learn more.

Fonts with `font-display: optional` are not preloaded

Preload optional fonts so first-time visitors may use them. Learn more.

Page has the HTML doctype

Specifying a doctype prevents the browser from switching to quirks-mode. Learn more.

Charset declaration is missing or occurs too late in the HTML

A character encoding declaration is required. It can be done with a <meta> tag in the first 1024 bytes of the HTML or in the Content-Type HTTP response header. Learn more.

Registers an `unload` listener

The unload event does not fire reliably and listening for it can prevent browser optimizations like the Back-Forward Cache. Consider using the pagehide or visibilitychange events instead. Learn more.

Uses Application Cache

Application Cache is deprecated. Learn more.

Detected JavaScript libraries

All front-end JavaScript libraries detected on the page. Learn more.

Uses deprecated APIs

Deprecated APIs will eventually be removed from the browser. Learn more.

Browser errors were logged to the console

Errors logged to the console indicate unresolved problems. They can come from network request failures and other browser concerns. Learn more.

Page has valid source maps

Source maps translate minified code to the original source code. This helps developers debug in production. In addition, Lighthouse is able to provide further insights. Consider deploying source maps to take advantage of these benefits. Learn more.
