Knowledge Base.
In-depth reference for all 84 checks across 4 categories. Each page explains what the check tests, why it matters, who is affected, and how to fix it.
Security (27 checks)
Headers & TLS Config
- HSTS: Forces HTTPS-only connections — prevents protocol downgrade attacks
- CSP: Controls which scripts can run — primary defense against XSS injection
- X-Frame-Options: Prevents your site from being embedded in malicious iframes (clickjacking)
- X-Content-Type-Options: Stops browsers from guessing file types — prevents MIME-sniffing attacks
- Referrer-Policy: Controls what URL data is leaked to third-party sites when users click links
- Permissions-Policy: Blocks third-party scripts from accessing camera, microphone, geolocation
- Server Disclosure: Exposed server version helps attackers target known vulnerabilities
- HTTPS Redirect: HTTP traffic should redirect to HTTPS — otherwise data is sent in plain text
- Cookie HttpOnly: Prevents JavaScript from reading cookies — blocks XSS session theft
- Cookie Secure: Ensures cookies are only sent over HTTPS — prevents network interception
- Cookie SameSite: Prevents cookies from being sent with cross-site requests — blocks CSRF attacks
- CORS Configuration: Misconfigured CORS can let any website read your API responses
Sensitive File Exposure
- .env Exposure: Environment files contain database credentials and API keys — must not be public
- .git Config Exposure: Exposed Git config lets attackers discover repo structure and remote URLs
- .git HEAD Exposure: Confirms the entire .git directory may be downloadable — full source code leak
- WordPress Admin: Publicly accessible wp-admin is a common brute force target
- Admin Panel Exposure: Publicly accessible admin panels are prime targets for brute force attacks
- .DS_Store Exposure: macOS .DS_Store files reveal directory structure and file names
- Server Status Page: Apache server-status reveals active connections, request URLs, and client IPs
- Directory Listing: Reveals your file structure to attackers — shows what to target
- robots.txt Analysis: Disallow entries can inadvertently reveal sensitive paths to attackers
- security.txt Check: security.txt enables responsible disclosure — good practice for vulnerability reports
Client-Side Security
- Vulnerable JS Libraries: Outdated JavaScript libraries with known CVEs can be exploited remotely
- Missing SRI: Without Subresource Integrity, compromised CDNs can inject malicious scripts
- Mixed Content: Loading HTTP resources on HTTPS pages weakens encryption and triggers browser warnings
- Insecure Form Actions: Forms submitting to HTTP endpoints expose user data in transit
- Deprecated APIs: Deprecated browser APIs may be removed — breaking functionality without warning
Performance (34 checks)
Core Web Vitals & Page Load
- Largest Contentful Paint (LCP): How fast the main content loads — Google ranking factor, target <= 2.5s
- Cumulative Layout Shift (CLS): How much the page jumps around while loading — Google ranking factor, target <= 0.1
- Total Blocking Time (TBT): How long the page is frozen and unresponsive — target <= 200ms
- First Contentful Paint (FCP): Time until the first text or image appears — target <= 1.8s
- Speed Index: How quickly content is visually populated — lower is better
- Time to Interactive (TTI): When the page becomes fully interactive — target <= 3.8s
- Time to First Byte (TTFB): Server response time — slow TTFB delays everything else
- Redirects: Each redirect adds 100-500ms of latency — minimize redirect chains
- Render-Blocking Resources: CSS/JS that blocks page rendering — defer or inline critical resources
- Unused JavaScript: JavaScript that's downloaded but never executed — wastes bandwidth
- Unused CSS: CSS rules that don't match any element — increases parse time
- Image Optimization: Unoptimized images are the #1 cause of slow page loads
- Text Compression: Gzip/Brotli compression can reduce transfer size by 70-90%
- Minified JS/CSS: Unminified code wastes bytes — minification is free performance
- Modern Image Formats: WebP/AVIF are 25-50% smaller than JPEG/PNG with the same quality
- Efficient Animated Content: Animated GIFs are huge — use video formats for 80%+ size reduction
- Third-Party Script Impact: Third-party scripts (analytics, ads, widgets) can dominate load time
- Third-Party Facades: Lazy-load third-party embeds (YouTube, maps) until the user interacts
- JS Execution Time: Heavy JavaScript execution blocks the main thread — keep it under 3.5s
- Main Thread Work: Total main thread activity — parsing, compiling, painting. Keep under 4s
Asset Optimization
- Total Page Weight: Total bytes downloaded — lighter pages load faster on all networks
- Cache Policy: Long cache TTLs prevent re-downloading unchanged assets
- Offscreen Images: Images below the fold should lazy-load — don't waste bandwidth on hidden content
- Font Display: font-display: swap prevents invisible text while custom fonts load
- Preload Key Requests: Preloading critical resources starts downloads earlier
- Preconnect to Origins: Early DNS/TLS handshakes to third-party origins save 100-300ms
Best Practices
- HTTPS: HTTP/2 and HTTP/3 require HTTPS — faster multiplexed connections
- No Vulnerable Libraries: Outdated libraries with known CVEs — security and stability risk
- CSP XSS Effective: Content Security Policy effectiveness against cross-site scripting
- No Console Errors: JavaScript errors indicate broken functionality that affects users
- No Deprecations: Deprecated APIs may break in future browser versions
- Valid Source Maps: Source maps help debug production issues — invalid ones waste bandwidth
- Charset Declared: Missing charset can cause text rendering issues across browsers
- Doctype Present: Missing doctype triggers quirks mode — inconsistent rendering across browsers
Accessibility (12 checks)
WCAG 2.1/2.2 Automated Compliance
- Non-text Content (alt text): Screen readers can't describe images without alt text — 1 billion+ people with disabilities rely on this
- Info & Relationships (semantic structure): Proper HTML structure lets assistive technology understand page layout
- Use of Color: Information conveyed only by color is invisible to colorblind users (8% of men)
- Contrast Minimum (4.5:1 ratio): Low contrast text is unreadable for users with low vision or in bright sunlight
- Resize Text (200% zoom): Users with low vision need to zoom — content must remain usable at 200%
- Reflow (320px width): Content must work at 320px width without horizontal scrolling — mobile and zoom users
- Non-text Contrast (UI components): Buttons, inputs, and icons need sufficient contrast to be visible
- Bypass Blocks (skip navigation): Keyboard users need a way to skip past repeated nav — saves hundreds of tab presses
- Headings and Labels: Proper heading hierarchy lets screen reader users navigate by section
- Language of Page: Screen readers need the page language to pronounce text correctly
- Name, Role, Value (ARIA): Interactive elements must have accessible names — otherwise invisible to assistive tech
- Status Messages: Dynamic updates (toasts, alerts) must be announced to screen readers via ARIA live regions
SEO (11 checks)
SEO Fundamentals
- Meta Description: The snippet shown in Google results — missing or poor descriptions reduce click-through rates
- Document Title: The most important on-page SEO element — appears in search results and browser tabs
- HTTP Status Code: Non-200 status codes tell search engines your page has problems
- Descriptive Link Text: 'Click here' tells search engines nothing — descriptive text improves ranking signals
- Crawlable Links: Links that search engines can't follow mean pages won't be discovered or indexed
- robots.txt Valid: Invalid robots.txt can accidentally block search engines from your entire site
- hreflang: Tells search engines which language version to show users in different countries
- Canonical URL: Prevents duplicate content penalties — tells Google which version of a page is authoritative
- Image Alt Text: Helps images appear in Google Image search — additional traffic source
- Font Size Legible: Text smaller than 12px is flagged by Google as a mobile usability issue — affects mobile ranking
- Tap Targets Sized: Touch targets smaller than 48x48px are hard to tap — Google penalizes this in mobile search