SAP Commerce Cloud Health Check Service

Optimise your SAP Commerce Cloud (Hybris Commerce) Website with an NTT DATA Business Solutions Health Check.

Now is the Time to Boost Your E-Commerce Performance

We understand the challenges faced by UK organisations in these times of change and are working with many brands to ensure success in their e-commerce activities. As SAP and Customer Experience (CX) specialists we have developed our own e-commerce health check to ensure your SAP Commerce Cloud (formerly known as Hybris Commerce) platform is fully optimised to support your business objectives, now and in the future.

What Can I Expect From The Hybris Commerce Health Check Service?

Our health check service examines common problems with an e-commerce website and includes a comprehensive review of your platform, covering:

  • Performance
  • Security & Compliance
  • Resilience
  • User Experience

 


What Else is Covered in the SAP Commerce Cloud Health Check?

 

  • Page Performance
    The performance of your web pages can be the difference between making a sale and losing one. The longer it takes for your web pages to become interactive or to release CPU resources to allow the user to perform actions, the more likely they are to navigate away from your site to visit a competitor. We will make the following checks for each of your top 100 pages on Google Search and provide a weighted overall performance score for both mobile and desktop devices, with a minimum score of 90% for a pass:

    • First Contentful Paint
    • Speed Index
    • Time to Interactive
    • First Meaningful Paint
    • First CPU Idle
    • Max Potential First Input Delay
    • Defer offscreen images
    • Serve images in next-gen formats
    • Remove unused CSS
    • Eliminate render-blocking resources
    • Minify CSS
    • Preconnect to required origins
    • Minify JavaScript
    • Properly size images
    • Serve static assets with an efficient cache policy
    • Ensure text remains visible during Webfont load
    • Avoid enormous network payloads
    • Minimise main-thread work
    • Reduce JavaScript execution time
    • Avoid chaining critical requests
    • Keep request counts low and transfer sizes small
    • Efficiently encode images
    • Enable text compression
    • Server response times are low (TTFB)
    • Avoid multiple page redirects
    • Preload key requests
    • Use video formats for animated content
    • Avoids an excessive DOM size
    • User Timing marks and measures
    • Minimise third-party usage
  • Search Engine Optimisation

    Getting the basics right is essential for SEO. Ensuring your web page displays appropriately on mobile devices, has appropriate and relevant metadata, is legible on all devices and has appropriately sized tap targets will make sure you are not penalised in search results. We will conduct the following checks for each of your top 100 pages on Google Search, with a minimum of 90% for a pass:

    • Has a <meta name="viewport"> tag with width or initial-scale
    • The document has a <title> element
    • The document has a meta description
    • The page has successful HTTP status code
    • Links have descriptive text
    • The page isn’t blocked from indexing
    • robots.txt is valid
    • Image elements have [alt] attributes
    • The document has a valid hreflang
    • The document has a valid rel=canonical
    • The document uses legible font sizes
    • The document avoids plugins
  • Best Practices

    Following best practices not only provides page performance and SEO benefits but also makes sure your user experience is secure and consistent. We check that your page uses HTTP/2 for its internal resources, uses passive listeners to improve scrolling performance, avoids requesting geolocation or notification permissions on page load, displays images with the correct aspect ratio, doesn’t use insecure JavaScript libraries and doesn’t request resources from non-HTTPS locations. We make the following checks for each of your top 100 pages on Google Search, with a minimum of 90% for a pass:

    • Does not use HTTPS
    • Links to cross-origin destinations are unsafe
    • Includes front-end JavaScript libraries with known security vulnerabilities
    • Browser errors were logged to the console
    • Avoids Application Cache
    • Uses HTTP/2 for its own resources
    • Uses passive listeners to improve scrolling performance
    • Avoids document.write()
    • Avoids requesting the geolocation permission on page load
    • The page has the HTML doctype
    • Detected JavaScript libraries
    • Avoids requesting the notification permission on page load
    • Avoids deprecated APIs
    • Allows users to paste into password fields
    • Displays images with the correct aspect ratio
  • Web Standards

    Your customers access your website using a wide variety of devices and web browsers. It is important to make sure that your website works just as well for every user.

    HTML
    It is important to make sure that your HTML syntax is correct to ensure that all web browsers can correctly interpret your web pages. We check the HTML syntax of your 10 top Google Search results and let you know how many errors and warnings exist across them.

    CSS
    It is important to make sure that your CSS syntax is correct to ensure that all web browsers can correctly interpret your web pages. We check the CSS syntax of the stylesheets referred to in your 100 top Google Search results and let you know how many errors and warnings exist across them. We will only validate those stylesheets referenced with relative URLs, to avoid checking external resources.

    JavaScript
    Your JavaScript syntax is just as important as your HTML and CSS syntax. However, it’s also important to follow the best practices and recommendations provided by ECMAScript linting tools, to ensure that your JavaScript not only works predictably but also works on all modern browsers, performs well and doesn’t use any deprecated or retired syntax. We check the JavaScript files referred to in your top 100 Google Search results and let you know how many errors and warnings exist across them. We will only validate those scripts referenced with relative URLs, to avoid checking external resources.

  • User Experience

    Your website’s user experience is the most critical element for customer engagement. Google collect anonymised data for most public websites. We analyse this to provide Google’s real-world scoring of your user experience.

  • Accessibility

    Ensuring your website is accessible to users with disabilities is not just about morals or ethics – it is a legal requirement for most websites. UK firms are subject to the DDA and SENDA, EU firms must follow the Web Accessibility Directive if they provide products or services to public bodies and US firms must follow dozens of accessibility laws. We make the following checks for each of your top 100 pages on Google Search, with a minimum of 90% for a pass:

    • [role]s are not contained by their required parent element
    • Background and foreground colours do not have a sufficient contrast ratio
    • [id] attributes on the page are not unique
    • <frame> or <iframe> elements do not have a title
    • Links do not have a discernible name
    • Lists do not contain only <li> elements and script supporting elements (<script> and <template>)
    • [aria-*] attributes match their roles
    • [role]s have all required [aria-*] attributes
    • Elements with an ARIA [role] that require children to contain a specific [role] have all required children
    • [role] values are valid
    • [aria-*] attributes have valid values
    • [aria-*] attributes are valid and not misspelt
    • The page contains a heading, skip link, or landmark region
    • Document has a <title> element
    • <html> element has a [lang] attribute
    • <html> element has a valid value for its [lang] attribute
    • Image elements have [alt] attributes
    • List items (<li>) are contained within <ul> or <ol> parent elements
    • [user-scalable="no"] is not used in the <meta name="viewport"> element and the [maximum-scale] attribute is not less than 5
    • [accesskey] values are unique
    • <audio> elements contain a <track> element with [kind="captions"]
    • Buttons have an accessible name
    • <dl>s contain only properly-ordered <dt> and <dd> groups, <script> or <template> elements
    • Definition list items are wrapped in <dl> elements
    • <input type="image"> elements have [alt] text
    • Form elements have associated labels
    • Presentational <table> elements avoid using <th>, <caption> or the [summary] attribute.
    • The document does not use <meta http-equiv="refresh">
    • <object> elements have [alt] text
    • No element has a [tabindex] value greater than 0
    • Cells in a <table> element that use the [headers] attribute refer to table cells within the same table.
    • <th> elements and elements with [role="columnheader"/"rowheader"] have data cells they describe
    • [lang] attributes have a valid value
    • <video> elements contain a <track> element with [kind="captions"]
    • <video> elements contain a <track> element with [kind="description"]
  • Security

    An insecure website is, at worst, an open back door into your business’s systems and, at best, exposes you to liability from your customers who could lose money.

    Default Hybris Usernames and Passwords
    One of the most common security flaws in a Hybris deployment – and the worst – is leaving a default username and password combination active on a publicly accessible URL. We check the five most important URLs and will let you know how many of these allow login with a default administrative username and password combination.

    Hybris Extension URLs
    The Hybris go-live checklist states that certain URLs should not be accessible via your public URL. However, many Hybris deployments miss one or more of these. That can leave your web application vulnerable to a variety of attacks and a highly knowledgeable attacker could cause untold damage with even unauthenticated access to these. We scan 130 common URLs to ensure your site correctly returns a 4xx or 5xx HTTP response code for each one.

    HTTP Security Headers
    Setting a few simple HTTP security headers can allow modern browsers to lock out many common vulnerabilities in web applications. We scan for these seven headers and provide you with an overall grade, with a minimum “C” grade required for a pass.

    TLS Security
    It is not enough to redirect HTTP requests to HTTPS and have a valid SSL certificate. Many vulnerabilities in the SSL/TLS protocols have been discovered over the past few years, so it is important to use the correct protocol versions, cipher suites, software versions and settings to avoid exposure to known vulnerabilities. We scan for all of these – around 300 separate checks – and provide you with an overall grade, with a minimum “A” for a pass.

    Web Application Security
    We will scan your website for the 50 most common web application vulnerabilities and let you know how many the scan suspects your website may be vulnerable to.

  • Progressive Web App

    We can optionally check your website’s compatibility with the Progressive Web App standards to ensure that your website performs just as well on mobile devices as a native app and provide you with a weighted overall score.

    We make the following checks for each of your top 100 pages on Google Search, with a minimum of 90% for a pass.

    • Fast and reliable
    • Current page does not respond with a 200 when offline
    • start_url does not respond with a 200 when offline
    • Does not use HTTPS
    • Does not register a service worker that controls page and start_url
    • Web app manifest does not meet the installability requirements
    • Redirects HTTP traffic to HTTPS
    • Is not configured for a custom splash screen
    • Does not set a theme colour for the address bar
    • Content is sized correctly for the viewport
    • Has a <meta name="viewport"> tag with width or initial-scale
    • Contains some content when JavaScript is not available
    • Does not provide a valid apple-touch-icon