Avoids Application Cache

Application Cache is deprecated. Learn more.

appcache-manifest
best-practices

Uses HTTPS

All sites should be protected with HTTPS, even ones that don't handle sensitive data. HTTPS prevents intruders from tampering with or passively listening in on the communications between your app and your users, and is a prerequisite for HTTP/2 and many new web platform APIs. Learn more.

is-on-https
best-practices

Uses HTTP/2 for its own resources

HTTP/2 offers many benefits over HTTP/1.1, including binary headers, multiplexing, and server push. Learn more.

uses-http2
best-practices

Uses passive listeners to improve scrolling performance

Consider marking your touch and wheel event listeners as passive to improve your page's scroll performance. Learn more.

uses-passive-event-listeners
best-practices

Avoids document.write()

For users on slow connections, external scripts dynamically injected via document.write() can delay page load by tens of seconds. Learn more.

no-document-write
best-practices

Links to cross-origin destinations are safe

Add rel="noopener" or rel="noreferrer" to any external links to improve performance and prevent security vulnerabilities. Learn more.

external-anchors-use-rel-noopener
best-practices

Avoids requesting the geolocation permission on page load

Users are mistrustful of or confused by sites that request their location without context. Consider tying the request to user gestures instead. Learn more.

geolocation-on-start
best-practices

Page has the HTML doctype

Specifying a doctype prevents the browser from switching to quirks mode. Read more on the MDN Web Docs page.

doctype
best-practices

Avoids front-end JavaScript libraries with known security vulnerabilities

Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.

no-vulnerable-libraries
best-practices

Detected JavaScript libraries

All front-end JavaScript libraries detected on the page.

js-libraries
best-practices

Avoids requesting the notification permission on page load

Users are mistrustful of or confused by sites that request to send notifications without context. Consider tying the request to user gestures instead. Learn more.

notification-on-start
best-practices

Avoids deprecated APIs

Deprecated APIs will eventually be removed from the browser. Learn more.

deprecations
best-practices

Allows users to paste into password fields

Preventing password pasting undermines good security policy. Learn more.

password-inputs-can-be-pasted-into
best-practices

No browser errors logged to the console

Errors logged to the console indicate unresolved problems. They can come from network request failures and other browser concerns.

errors-in-console
best-practices

Displays images with correct aspect ratio

Image display dimensions should match natural aspect ratio. Learn more.

image-aspect-ratio
best-practices

Best Practices: 100 / 100