Quality and Performance report

http://cienkusz.com.pl
Report generated on May 10, 2018 10:15:33 AM
SIMULATED VISITOR: Chrome Washington DC 10.0/2.0Mbps (Latency: 28 ms)

Requests: 22
Weight: 535kB
First Byte: 0.91sec
Start Render: 2.03sec
Fully loaded: 3.13sec

Browser warnings: 0 (OK)
HTTP/2 Ready: 14%
Speed Index: 2909

Technologies: Apache, Google Font API, Lightbox, PHP, jQuery



Tips and best practices:

Things to improve

Data amount 

0/100

Enable compression

Compressing resources with gzip or deflate can reduce the number of bytes sent over the network.

Enable compression for the following resources to reduce their transfer size by 86.7KiB (68% reduction).

This page is delivered by an Apache server. Check if it uses the mod_deflate module.


 
Data amount 

0/100

Optimize your images

Properly formatting and compressing images can save many bytes of data.

Optimize the following images to reduce their size by 94.4KiB (32% reduction).

Images may contain data unnecessary for their use on the web. This data can increase their size significantly. Some tools automatically remove this unnecessary data without loss of quality and thus reduce your image sizes.

We recommend removing unnecessary image data using a tool such as jpegtran (JPEG files), OptiPNG (PNG files) or ImageRecycle.


 
Cache policy 

0/100

16 of your requests don't define a cache policy with Apache

The Expires header is essential for an efficient caching policy. It has a significant impact on loading time for returning visitors.

The Expires header explained

You can set an expiration date for each resource: as long as the date is not exceeded, the browser stores and uses the resource in cache.

The expiry date of resources is set using the Expires HTTP header:

Expires: Thu, 25 Dec 2014 20:00:00 GMT

You can set a far expiry date for static resources (1 year maximum), and a closer date for resources that change more frequently (at least 48 hours).

When you deploy a new version of your website, remember to rename static resources that have been modified. If you do not change their names, your users will keep resources corresponding to the old versions stored in their caches, and they may find themselves on an unstable version of your page. For example:

myresource.min.20140101.js

See the Yahoo! guidelines on this subject.

What should I do?

This page is delivered by an Apache server. Check if it uses the mod_expires module. Here's an example of configuration, to adapt to your needs (in your .htaccess file, for example):

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
</IfModule>

This page contains 16 resources without expiry date:


 
Browser rendering 

0/100

1 critical dependency detected

The failure of a third-party content provider could bring down your entire website.

Single Point Of Failure

A Frontend Single Point Of Failure (SPOF) is a critical dependency on third-party content that may block the entire display of your page if the content provider fails.

For example, if your web page uses a blocking script hosted on Google’s servers, then your page is exposed to any failure of that script. Please read our blog post dedicated to SPOF for more information.

How to avoid SPOF?

As far as possible, exclude any of these dependencies, even from renowned providers. If you have to use third-party content, ensure that you chose an asynchronous integration and that you have a fallback in case of a problem.


We check whether the tested web page depends critically on some of the most widespread external resources (googleapis, typekit, ...). Such dependencies are known as Frontend SPOF (Single Point Of Failure) cases.

This resource represents a SPOF for this page:


 
jQuery 

0/100

Consider using jQuery 1.12

Your webpage uses jQuery 1.7.2. You should migrate to the latest version of the 1.x branch, jQuery 1.12, which contains several bug and security fixes.

Should I migrate to the latest version of jQuery?

Migrating from a 1.x version of jQuery to the latest version (3.x) can have many unintended impacts and means losing compatibility with older browsers. You should only consider abandoning jQuery 1.x as part of a complete overhaul of your front-end infrastructure. As you reflect on it, you will surely discover that you might not need jQuery.


 
Number of requests 

0/100

1 redirect required 312 milliseconds

The redirects trigger avoidable roundtrips on the network and increase the page loading time.

HTTP redirects

HTTP redirects indicate that the desired content is accessible from a different URL. They trigger a new HTTP request to retrieve the target resource and return an HTTP code between 300 and 399. See the specifications of HTTP redirects.

How to solve the issue?

Allow the user to directly access your content without redirects, or determine and improve what causes these excessive loading times on your redirects. See recommendations from Google.


1 redirect was too long to access the right content:


 
Cache policy 

38/100

Specify a 'Vary: Accept-Encoding' header

The following publicly cacheable, compressible resources should have a "Vary: Accept-Encoding" header:

The Vary: Accept-Encoding header lets proxies cache two versions of the resource: one compressed and one uncompressed. Clients that cannot properly decompress the files can then access your page via a proxy using the uncompressed version. Other users get the compressed version.


 
Security 

0/100

The Content Security Policy is missing

It is critical to restrict the origin of the contents of your webpage to protect your website from cross-site scripting attacks (XSS).

XSS attacks explained

An XSS attack aims to inject content into a page.

You can protect your pages against these attacks by implementing a content security policy that tells the web browser which servers are allowed to deliver resources on each page. If the browser makes a request to an unauthorized server, it must inform the user.

How can I prevent an XSS attack?

Set up a "Content-Security-Policy" (CSP) HTTP header. To specify a security policy on the source of your resources, configure your server so the response of the first resource contains the "Content-Security-Policy" HTTP header.

Here's an example:

Content-Security-Policy: script-src 'self' https://apis.google.com

In this case, the page loads correctly provided that all the scripts come from the current host or https://apis.google.com.

Read more about the CSP HTTP header. You can also look at the CSP directives.

Be careful: if the header is misconfigured, some of your content, scripts, or styles may be blocked, which could cause unwanted side effects. Moreover, the restrictions apply to all pages of the website. We recommend you test the different pages of your website before deploying this header in your production environment.

CSP can be configured with your Apache server. Make sure that the mod_headers module is enabled. Then, you can specify your content security policy (in your .htaccess file, for example). Here is an example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' https://www.google.com"
</IfModule>

This example allows scripts from the same origin (same scheme, host and port) and from https://www.google.com.


No Content Security Policy on this page: it is more easily exposed to XSS attacks.


 
Accessibility 

0/100

Set a lang for your page

Your page should define a lang attribute on the html root node: this will allow screen readers to correctly understand your website.


 
Browser rendering 

50/100

Defer parsing of JavaScript

JavaScript can significantly slow down a page display, especially if it is necessary to download an external script.

Defer the use of JavaScript as much as possible to provide a faster start for the page display.

How can I fix this?

Use one of the methods below to defer parsing for external JavaScript files:

  • use the async attribute;
  • use the defer attribute;
  • append the script to the DOM in JavaScript during the onload event;
  • make sure your scripts are placed at the bottom of the page (ideally at the end of the body).

85.2KiB of JavaScript is parsed during initial page load. Defer parsing JavaScript to reduce blocking of page rendering.


 
Browser rendering 

0/100

Specify a character set

The following resources have no character set specified in their HTTP headers. Specifying a character set in HTTP headers can speed up browser rendering.

Specifying the character set in the Content-Type HTTP header allows the browser to parse the page immediately.


 
Security 

0/100

1 cookie is not secure

A cookie sent from the server to a web browser via the HTTPS protocol should only transit on a secure connection (except for some specific cases).

HTTP cookies

HTTP cookies are set by the server in the web browser via the Set-Cookie HTTP header. The browser then sends the cookies back to the server on subsequent requests using the Cookie HTTP header. When the server uses a secure connection (HTTPS), the cookie probably contains some sensitive data: you have to guarantee that the cookie cannot be exploited on an insecure connection.

The Secure directive

By adding the Secure instruction in the Set-Cookie HTTP header, the server informs the browser that it is allowed to transmit the cookie over secure connection only. Read this blog post to learn more.

Caution: Ensure that the HTTP to HTTPS redirect is activated on your website. Otherwise, the Secure cookie may not be sent on HTTP request.

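The Set-Cookie HTTP header can be configured with your Apache server. Make sure that the mod_headers module is enabled. Then, you can specify the header (in your .htaccess file, for example). Here is an example:

<IfModule mod_headers.c>
# Apache 2.2.4 and later: append the flags to every cookie the server sends.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Older versions have no "Header edit". Do not use
# "Header set Set-Cookie HttpOnly;Secure" there: "set" replaces the whole
# header value instead of appending the flags. Set the flags where the
# cookie is created instead (for the PHP session cookie:
# session.cookie_secure and session.cookie_httponly).
</IfModule>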

The following Cookies are not secure, you should add the Secure instruction in the Set-Cookie HTTP header:

https://cienkusz.com.pl/

  • Set-Cookie: PHPSESSID=8e3b5149a70034c988c581be198e9269; path=/


 
Security 

0/100

This page is exposed to "clickjacking" type attacks

Keep malicious people from integrating your pages into their websites.

Clickjacking explained

This kind of attack happens when your page gets integrated with a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may enter personal information that is visible on and thus vulnerable to the malicious website.

To avoid this, always indicate which domains have permission to integrate your pages.

How to prevent clickjacking?

Configure a "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header.

Three values may be defined:

  • DENY to prevent any frame or iframe from integrating the page;
  • SAMEORIGIN to authorize only frames from the same domain name;
  • ALLOW-FROM uri to indicate the domains allowed to integrate a page into a frame (however, this value is not compatible with some browsers).

The "X-Frame-Options" HTTP header can be configured with your Apache server. Make sure that the mod_headers module is enabled. Then, you can specify the header (in your .htaccess file, for example). Here is an example:

    <IfModule mod_headers.c>
    Header always set X-FRAME-OPTIONS "DENY"
    </IfModule>

    The "X-Frame-Options" HTTP header is not configured on this page; you are more likely to be exposed to clickjacking.


     
    SEO 

    0/100

    robots.txt file should be defined

    Indicate to web crawlers which URLs should be explored on your website.

    The robots.txt file

    Place your robots.txt file in the root of the website. It will be interpreted by the robots in charge of your SEO. It delivers instructions to specify the pages to explore by robots, like Google bot.

    Note that these directives are advisory only: a robot is not actually blocked by the restrictions specified in the file.

    We have not detected the robots.txt file on this website, you should define one:


     
    Security 

    0/100

    Block access to the entire page when an XSS attack is suspected

    Make sure that the user’s browser does all it can to prevent an XSS-type attack.

    XSS attacks

    An XSS-type attack (XSS stands for Cross-Site Scripting) aims at injecting content into the page.

    Recent browsers have an integrated protection against XSS attacks. However, this protection can be disabled. To prevent any harm to the user, we recommend that you force the activation of the XSS Protection, and should an XSS attack be detected, block access to any of the page content.

    Solution: configure an "X-XSS-Protection" HTTP header

    Add the "X-XSS-Protection" HTTP header with "1; mode=block" as value (1 to indicate the activation, and mode=block to indicate that the entire page must be blocked if a problem occurs).

    The "X-XSS-Protection" HTTP header can be configured with your Apache server. Make sure that the mod_headers module is enabled. Then, you can specify the header (in your .htaccess file, for example). Here is an example:

    <IfModule mod_headers.c>
    Header always set X-XSS-Protection "1; mode=block"
    </IfModule>

    The XSS protection is disabled on this page.


     
    Quality 

    0/100

    Provide a favicon

    No favicon found on this page. You should put one in your head tag as shown below:

    <link rel="icon" type="image/png" href="/path/favicon.png" />
    <!--[if IE]><link rel="shortcut icon" type="image/x-icon" href="/path/favicon.ico" /><![endif]-->

    Favicon is a small image providing an icon to a website. It's located in the root of your server and the browser will always request it. It is better not to respond with a 404 HTTP code (not found).

    Moreover, this file is requested with every web page, so make it cacheable: the client will then request it only once. See more information.


     
    Accessibility 

    0/100

    Specify a consistent label on your links

    A link is more attractive if the text describes what is behind it. You can also take the opportunity to use keywords in these texts, to improve your page's SEO.

    Describe the link in your <a> tag, rather than indicating the link itself. Example: <a href="http://mylink.com/">My description</a>

    The contents of the following links are not relevant:

    • <a href="oferta" class="link_menu">oferta</a>
    • <a href="realizacje" class="link_menu">realizacje</a>


     

    Did you know?

    Quality 

    No HTML code is commented

    Comments allow you to detail a portion of code and help you navigate more efficiently in the DOM. However, make sure no sensitive information is exposed in your comments.

    Well done, none of your comments contains HTML code.


     
    Accessibility 

    No <noscript> tag is detected

    When a web page uses scripts, it is advised to set at least one noscript tag. It is required to display a message when JavaScript is disabled by the user.

    <script  type="text/javascript">
    document.write('Hello World!')
    </script>
    <noscript>Your browser does not support JavaScript!</noscript>


     
    jQuery 

    More information about jQuery performance

    jQuery is the most used JavaScript library. Improve your website's performance by following the jQuery best practices. We recommend that you learn the basics of jQuery performance at the following link: http://learn.jquery.com/performance/.


     
    Security 

    SSL Certificate

    Your SSL certificate will expire on 08/07/2018. Update your certificate before that date.

    What happens if my certificate expires?

    Letting a certificate expire can have consequences for end users who will then see many error or alert messages while browsing the site, warning them of possible frauds, identity thefts or traffic interceptions. These alerts can have a very negative impact on the user's perception of the visited domain.


     
    Data amount 

    This page does not load too much data (535kB)

    An excessive page weight slows down the display, especially on low speed connections. This can lead to frustration for users paying for data (see whatdoesmysitecost.com).

    Evaluate the Weight of my Web Page

    In February 2016, the average weight of the 100 most visited websites in the world was 1,38MB.

    How to reduce the weight of my page?

    You can refer to our "Data amount" category to discover the possible optimizations in your case. Images are often involved.
    Moreover, make sure to build your web pages in order to load data that is essential to the user experience (rendering optimization of the critical path).
    For other contents (social networking plugins, advertising, content at the bottom of the page ...), it is better to delay the loading (asynchronous, lazy-loading ...), so they don't override priority contents.

    We strongly recommend that you define performance budgets before you carry out your web projects. These budgets can be settled through the DareBoost monitoring feature.


    We have established the weight distribution of the page by resource type:

    • Images : 59,99% of total weight
    • JavaScript : 18,55% of total weight
    • Font : 15,16% of total weight
    • CSS : 3,41% of total weight
    • Texts : 2,89% of total weight

    Here is the weight of the 10 heaviest resources over the network, and that are necessary to load the page:


     

    This page contains 24 links

    Two kinds of links exist:

    • Internal links that refer to pages with the same domain name;
    • External links that point to other websites (must be relevant and point towards quality content).

    If you reference many links, you can ask the SEO crawlers to consider only some of them, by adding the rel=nofollow attribute to the irrelevant ones (e.g., advertisements).

    Here is the distribution of 24 links present in the page:

    • 22 internal links (91,67%)
    • 2 "follow" external links (8,33%)
    • No "nofollow" external link (0,00%)


     

    Well done, these best practices are respected

    SEO 

    100/100

    Your <img> tags use an alt attribute

    Moreover, the alt attribute is also an important criterion for SEO. Indeed, search engines crawlers cannot parse graphic contents. That is why they use the alternative text to return consistent results, like in Google images.

    <img src="product.jpg" alt="My product description"/>

    The alt attribute is used in several cases unrelated to SEO:

    • When a screen reader is in use for accessibility purposes;
    • While the image is loading, particularly for slow connections;
    • When the image file is not found.

    You have 4 img tags and they all have the alt attribute.

    If nothing seems appropriate for describing an image, you might set an empty text. We advise you to make sure the majority of your images define a relevant text. Read the W3C recommendations here.


     
    Cache policy 

    100/100

    You do not use too long inline scripts

    Any script of significant size should be cacheable by the browser, in order to reduce loading time and improve performance for your returning visitors.

    Inline scripts / cache policy

    "Inline" scripts make it easy to integrate small portions of script directly in the HTML code. Example:

    <script type="text/javascript">
        (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']...,'/analytics.js','ga');
        ga('create', 'UA-11111111-1', 'mywebsite.com');
    </script>

    By doing so, you avoid making a request to the server to retrieve the resource. So inline scripts represent a performance gain if you want to integrate small scripts.

    However, once a script reaches a fairly substantial size, we advise you to move it to an external file and retrieve it with a request, so that you benefit from the cache mechanism.

    What should I do?

    Move your scripts with more than 1500 characters into one or more separate files.


     
    SEO 

    100/100

    This page defines <h1> and <h2> tags

    We recommend putting page keywords in at least the h1 and h2 tags. Search engines use the h1, h2, and h3 tags for SEO purposes.
    This page contains:

    • 1 <h1> element(s)
    • 1 <h2> element(s)
    • 1 <h3> element(s)


     
    Apache 

    100/100

    Your Apache server version is not exposed

    You are using Apache, but we are not able to detect the version. It is more difficult for a hacker to attack your website, because he does not know the version you use. This is a good practice.

    There are two values to check if you want to hide your server version: the ServerSignature and the ServerTokens (/etc/apache2/conf.d/security file on a Linux server).

    # Hide the version from the 'Server' HTTP Header.
    # (e.g.): display only "Server: Apache"
    ServerTokens Prod
    # Don't add a trailing footer line under server-generated document,
    # containing the server name and its version.
    ServerSignature Off

    However, keep in mind that the best way to protect your system from attacks is to regularly update your Apache server.


     
    SEO 

    100/100

    You have defined a <meta> 'description'

    The page should define a unique description.

    Description in search engines

    The description of the page may be directly displayed in search engine results pages (SERP):

    It gives you the best control over the preview of your entry in search engines, and helps improve the click rate to your page. Learn more.

    How to define a page's description?

    Use <meta name="description" content="page description"> and place it in the <head> tag.

    This page defines one <meta> description:

    Zakład Szklarski Jerzy Cienkusz Warszawa oferuje profesjonalne wyroby ze szkła do Twojego domu. W naszej ofercie: drzwi szklane, lustra, panele szklane.


     
    SEO 

    100/100

    This page uses only standard image formats

    The images that use a non-standard format may not be indexed by search engines.

    Only these image formats are considered standard on the web: jpeg, jpg, png, gif, svg, ico, webp. You should consider an alternative to any other format.

    Moreover, remember to pay attention to the text around your images: some search engines analyze approximately the 10 words preceding and following the image in order to give the image a context.


     