Avoids Application Cache

Application Cache is deprecated. Learn more.

Uses HTTPS

All sites should be protected with HTTPS, even ones that don't handle sensitive data. HTTPS prevents intruders from tampering with or passively listening in on the communications between your app and your users, and is a prerequisite for HTTP/2 and many new web platform APIs. Learn more.

Uses HTTP/2 for its own resources

HTTP/2 offers many benefits over HTTP/1.1, including binary headers, multiplexing, and server push. Learn more.

Uses passive listeners to improve scrolling performance

Consider marking your touch and wheel event listeners as passive to improve your page's scroll performance. Learn more.

Avoids document.write()

For users on slow connections, external scripts dynamically injected via document.write() can delay page load by tens of seconds. Learn more.

Links to cross-origin destinations are safe

Add rel="noopener" or rel="noreferrer" to any external links to improve performance and prevent security vulnerabilities. Learn more.

Avoids requesting the geolocation permission on page load

Users are mistrustful of or confused by sites that request their location without context. Consider tying the request to user gestures instead. Learn more.

Page has the HTML doctype

Specifying a doctype prevents the browser from switching to quirks-mode. Read more on the MDN Web Docs page

Avoids front-end JavaScript libraries with known security vulnerabilities

Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.

Detected JavaScript libraries

All front-end JavaScript libraries detected on the page.

Avoids requesting the notification permission on page load

Users are mistrustful of or confused by sites that request to send notifications without context. Consider tying the request to user gestures instead. Learn more.

Avoids deprecated APIs

Deprecated APIs will eventually be removed from the browser. Learn more.

Allows users to paste into password fields

Preventing password pasting undermines good security policy. Learn more.

No browser errors logged to the console

Errors logged to the console indicate unresolved problems. They can come from network request failures and other browser concerns.

Displays images with correct aspect ratio

Image display dimensions should match natural aspect ratio. Learn more.

Best Practices
100  / 100