Quality and Performance report
https://jualthorhammerasli.com/Report generated on May 22, 2018 8:39:41 AM
Requests
Weight
Technologies :
Share this report by email
Feel free to share this report with your collaborators, by copying the URL from the address bar,
or by clicking below:
Share the report
Tips and best practices:
Google Analytics
jQuery
Things to improve
5 of your requests don't define a cache policy with WordPress
The Expires header is essential for an efficient caching policy. It will significantly impact on the loading time for returning visitor.
The Expires header explained
You can set an expiration date for each resource: as long as the date is not exceeded, the browser stores and uses the resource in cache.
The expiry date of resources is set using the Expires HTTP header:
Expires: Thu, 25 Dec 2014 20:00:00 GMT
You can set a far expiry date for static resources (1 year maximum), and a closer date for resources that change more frequently (at least 48 hours).
When you deploy a new version of your website, remember to rename static resources that have been modified. If you do not change their names, your users will keep resources corresponding to the old versions stored in their caches, and they may find themselves on an unstable version of your page. For example:
myresource.min.20140101.js
See the Yahoo! guidelines on this subject.
What should I do?
Several great plugins are available for WordPress to handle the cache mechanism. You can consider especially the popular WP Rocket or W3 Total Cache plugins. Otherwise, you can configure the cache policy with the web server you use.This page contains 5 resources without expiry date:
Optimize your images with WordPress
Properly formatting and compressing images can save many bytes of data.
Optimize the following images to reduce their size by 31.5KiB (28% reduction).
- Losslessly compressing jualthorhammerasli[...].jpg could save 27.5KiB (43% reduction).
- Losslessly compressing jualthorhammerasli[...].png could save 2.3KiB (36% reduction).
- Losslessly compressing jualthorhammerasli[...].png could save 1.7KiB (5% reduction).
You can consider for example EWWW Image Optimizer or Imagify.
Defer parsing of JavaScript
JavaScript can significantly slow down a page display, especially if it is necessary to download an external script.
Defer the use of JavaScript as much as possible to provide a faster start for the page display.
How can I fix this?
Use one of the methods below to defer parsing for external JavaScript files:
- use the async attribute;
- use the defer attribute;
- append the script to the DOM in JavaScript during the onload event;
- make sure your scripts are placed at the bottom of the page (ideally at the end of the body).
96.7KiB of JavaScript is parsed during initial page load. Defer parsing JavaScript to reduce blocking of page rendering.
- jualthorhammerasli[...]12.4 (87.0KiB)
- jualthorhammerasli[...].4.1 (7.7KiB)
- jualthorhammerasli[...]com/ (2.0KiB of inline JavaScript)
The Content Security Policy is missing
It is critical to restrict the origin of the contents of your webpage to protect your website from cross-site scripting attacks (XSS).
XSS attacks explained
An XSS attack aims to inject content into a page.
You can protect your pages against these attacks by implementing a content security policy that tells the web browser which servers are allowed to deliver resources on each page. If the browser makes a request to an unauthorized server, it must inform the user.
How can I prevent an XSS attack?
Set up a "Content-Security-Policy" (CSP) HTTP header. To specify a security policy on the source of your resources, configure your server so the response of the first resource contains the "Content-Security-Policy" HTTP header.
Here's an example:
Content-Security-Policy: script-src 'self' https://apis.google.com
In this case, the page loads correctly provided that all the scripts come from the current host or https://apis.google.com.
Read more about the CSP HTTP header. You can also look at the CSP directives.
Please, be careful, if the header is misconfigured, some of your content, scripts, or styles may be blocked. That could cause unwanted side effects. Moreover, the restrictions apply to all pages of the website. We recommend you test the different pages of your website before deploying this header in your production environment.
No Content Security Policy on this page: it is more easily exposed to XSS attacks.
Add alt attribute on <img> tags
Moreover, the alt attribute is also an important criterion for SEO. Indeed, search engines crawlers cannot parse graphic contents. That is why they use the alternative text to return consistent results, like in Google images.
<img src="product.jpg" alt="My product description"/>
The alt attribute is used in several cases unrelated to SEO:
- When a screen reader is in use for accessibility purposes;
- While image is loading, particularly for slow connections;
- When the image file is not found.
You have 5 img tags, but the following tag does not define the alt attribute:
<img title="hammer of thor" src="https://jualthorhammerasli.com/wp-content/uploads/2017/06/jual-thor-hammer-asli.png" />
If nothing seems appropriate for describing an image, you might set an empty text. We advise you to make sure the majority of your images define a relevant text. Read the W3C recommendations here.
This page is exposed to "clickjacking" type attacks
Keep malicious people from integrating your pages into their websites.
Clickjacking explained
This kind of attack happens when your page gets integrated with a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may enter personal information that is visible on and thus vulnerable to the malicious website.
To avoid this, always indicate which domains have permission to integrate your pages.
How to prevent clickjacking?
Configure a "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header.
Three values may be defined:
DENY to prevent any frame or iframe from integrating the page;SAMEORIGIN to authorize only frames from the same domain name;ALLOW-FROM uri to indicate the domains allowed to integrate a page into frame (however is not compatible with some browsers)The "X-Frame-Options" HTTP header is not configured on this page; you are more likely to be exposed to clickjacking.
Avoid http-equiv <meta> tags
HTTP headers are more efficient than the http-equiv meta tags.
The <meta http-equiv=""/> tags
The http-equiv meta tags allow to communicate to the web browser information equivalent to the ones of HTTP headers. For example, the meta <meta http-equiv="content-type"/> will have the same consequences than the HTTP Content-Type header.
Two points don’t stimulate the use of http-equiv meta tags:
- Going through the meta requires to interpret the beginning of the HTML page, which is slower than going through the HTTP headers in terms of performance
- If the HTTP header is already present, the meta is ignored
In which cases are the <meta http-equiv=""/> useful?
Only one case can justify the presence of these meta tags: if you don’t have access to the configuration of your server, and that is to say to the HTTP headers.
However, we advice you to use a configurable server so that you can establish the most efficient site possible.
This page contains 1 http-equiv meta tag. If possible, you should replace it:
- X-UA-Compatible
Block access to the entire page when an XSS attack is suspected
Make sure that the user’s browser does all it can to prevent an XSS-type attack.
XSS attacks
An XSS-type attack (XSS stands for Cross-Site Scripting) aims at injecting content into the page.
Recent browsers have an integrated protection against XSS attacks. However, this protection can be disabled. To prevent any harm to the user, we recommend that you force the activation of the XSS Protection, and should an XSS attack be detected, block access to any of the page content.
Solution: configure an "X-XSS-Protection" HTTP header
Add the "X-XSS-Protection" HTTP header with "1; mode=block" as value (1 to indicate the activation, and mode=block to indicate that the entire page must be blocked if a problem occurs).
The XSS protection is disabled on this page.
The !important declaration is used 11 times
If you abuse of this declaration, you should consider a review of your CSS code. We tolerate 10 occurrences of the !important declaration before penalizing your score. Here are the !important detected: https://jualthorhammerasli.com/ (inline 0) https://jualthorhammerasli.com/ (inline 2) img.wp-smiley, img.emoji {display: inline !important} (line 4, col 2)img.wp-smiley, img.emoji {border: none !important} (line 5, col 2)img.wp-smiley, img.emoji {box-shadow: none !important} (line 6, col 2)img.wp-smiley, img.emoji {height: 1em !important} (line 7, col 2)img.wp-smiley, img.emoji {width: 1em !important} (line 8, col 2)img.wp-smiley, img.emoji {margin: 0 .07em !important} (line 9, col 2)img.wp-smiley, img.emoji {vertical-align: -0.1em !important} (line 10, col 2)img.wp-smiley, img.emoji {background: none !important} (line 11, col 2)img.wp-smiley, img.emoji {padding: 0 !important} (line 12, col 2).navbar-default .navbar-nav > .active > a, .navbar-default .... (line 23, col 17).navbar-default .navbar-nav > .active > a, .navbar-default .... (line 24, col 17)
Disable the auto detection of resource type
Protect yourself from malicious exploitation via MIME sniffing.
MIME-Type sniffing explained
Internet Explorer and Chrome browsers have a feature called "MIME-Type sniffing" that automatically detects a web resource's type. This means, for example, that a resource identified as an image can be read as a script if its content is a script.
This property allows a malicious person to send a file to your website to inject malicious code. We advise you to disable the MIME-Type sniffing to limit such activity.
How to prevent MIME-Type sniffing
Configure a "X-Content-Type-Options" HTTP header. Add the "X-Content-Type-Options" HTTP header in the responses of each resource, associated to the "nosniff" value. It allows you to guard against such misinterpretations of your resources.
On this page, you should configure the following resources, that risk being misinterpreted:
- https://jualthorhammerasli.com/
- https://jualthorhammerasli.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
- jualthorhammerasli.com/wp-includes/js/jquery/jqu[...]migrate.min.js?ver=1.4.1
- jualthorhammerasli.com/wp-content/themes/blogkor[...]tstrap.min.css?ver=4.9.6
- https://jualthorhammerasli.com/wp-content/themes/blogkori/style.css?ver=4.9.6
- https://jualthorhammerasli.com/wp-includes/js/wp-emoji-release.min.js?ver=4.9.6
- https://jualthorhammerasli.com/wp-includes/js/wp-embed.min.js?ver=4.9.6
- jualthorhammerasli.com/wp-content/themes/blogkor[...]otstrap.min.js?ver=3.3.2
Separate the CSS styles from the HTML tags
Separating HTML tags and CSS directives improves code readability and promotes factorization.
How to define CSS styles
CSS styles are used to format the page. You can use one of three main methods to define them:
- declare styles in a specific CSS file;
- declare "inline" styles (<style> tag in your HTML template);
- declare styles with the "style" attribute of a HTML tag.
How can I improve my page?
We recommend grouping your CSS styles in <style> tags or in separate files. That way, the HTML is only responsible for providing the structure of the page, and its layout is outsourced. The <style> attribute should only be generated by some JavaScript code (e.g., if you need to know the screen size).
This page uses 10 style attribute(s):
<div style="text-align: justify;">
<span style="color: #000000;">
<span style="color: #000000;">
<a style="color: #000000;" href="https://jualthorhammerasli.com/">
- and 6 others
Did you know?
This page contains 9 links
Two kind of links exist:
- Internal links that refer to pages with the same domain name;
- External links that point to other websites (must be relevant and point towards quality content).
If you reference many links, you can ask the SEO crawlers to consider only some of them, by adding the rel=nofollow attribute to the irrelevant ones (e.g., advertisements).
Here is the distribution of 9 links present in the page:
- 8 internal links (88,89%)
- No "follow" external link (0,00%)
- 1 "nofollow" external link (11,11%)
Do all third parties resources deliver the right content?
This page loads data from third parties, you should ensure their integrity.
SubResource Integrity (SRI)
Use SRI to ensure that a third party resource has not been tampered. Add the integrity attribute to <script> and <link> tags loading this kind of resource. Example:
<script src="https://exemple.com/exemple-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous">
</script>
The integrity attribute value is equal to the base64-encoded hash (SHA) of the resource. The browser compares this hash with the downloaded content in order to determine if the resource matches the expected content.
You can create the SHA thanks to several tool. In command line, you can use openssl. You can also test some online tools, as srihash.org or report-uri.io. Learn more about SubResource Integrity.
No HTML code is commented
Comments allow you to detail a portion of code and help you navigate more efficiently in the DOM. However, make sure no sensitive information is exposed in your comments.
Well done, none of your comments contains HTML code.
Resources distribution by domain
This page loads data from 2 domains. This best practice retrieves the following metrics for each of these domains:
- Loading Time (Cumulative): total time spent to load all the resources
- Server Time (Cumulative): total time spent to retrieve the responses from the server (TCP connection + wait for first byte)
- Weight: data amount loaded
- Number of requests
Here is the list of all the domains used by the page:
| Domain | Time (ms) | Server Time (ms) | Weight (kB) | Requests |
|---|---|---|---|---|
| jualthorhammerasli.com | 11852 | 8060 | 402 | 14 |
| www.google-analytics.com | 370 | 288 | 15 | 2 |
Do "target=_blank" links introduce a security leak on this page?
Using the target=_blank attribute is rarely recommended. Nevertheless, if you need to use this attribute, note that a security leak could cause harm to your visitors, particularly if your site is open to visitor contributions.
It allows the targeted page to manipulate the window.opener.location property, and thus to perform a redirect within the parent tab. When the user gets back to the parent tab, he can be facing a malicious website (phishing, etc).
We recommend you to add the rel=noreferrer attribute when using a target = _blank to an external website. This will block access to "window.opener".
If your website allows users to publish contributive content (eg comments, customer reviews, etc.), be sure to automate the addition of this protection. Otherwise, a user could easily exploit this breach.
The following links may be exposed to this vulnerability:
<a href="http://www.tamalanwar.com" target="_blank" rel="nofollow">Tamal Anwar</a>
One resource on this page is for public use
By default, the browser accepts to perform AJAX requests, or to retrieve web fonts, only on the same domain name of the page. So a font provided by toto.com can only be used by the pages of toto.com. This prevents misuse of your resources by any site.
Some resources are public, and explicitly want to be available to everyone (eg Google Fonts). In this case, the HTTP header Access-Control-Allow-Origin can be used with the value "*". You should, however, use this property if your resource has aimed to be used by the greatest number. Otherwise, we recommend that you keep the default, or set a specific domain name in the "Access-Control-Allow-Origin" HTTP header.
You should be aware of the following resource, that uses a Access-Control-Allow-Origin: * HTTP header. Make sure it is actually intended to be used by pages from all domain names:
It appears these files are hosted by a third-party, so they may not be within your control. However, you should consider any alternative to these resources to improve your page performance.
Well done, these best practices are respected
The secure version is used systematically
Redirect users using the HTTP version of the page to the HTTPs version.
HTTPs redirect
This page uses HTTPS, however your visitors can still browse the HTTP version. You should perform a redirect to secure the browsing of your users accessing the page using the HTTP protocol.
Your users are automatically redirected to the secure version of the page.
You do not use too long inline scripts
Any script with a significant size should let the browser cached them in order to reduce loading time/improve performance of your returning visitor.
Inline scripts / cache policy
"inline" scripts allow to integrate easily small portions of scripts directly in the HTML code. Example:
<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']...,'/analytics.js','ga');
ga('create', 'UA-11111111-1', 'mywebsite.com');
</script>
By doing so, you avoid making a request to the server to retrieve the resource. So inline scripts represent a performance gain if you want to integrate small scripts.
However, once a script has a fairly substantial size, we advise you to outsource it and perform a request to retrieve it. So you will benefit from the cache mechanism.
What should I do?
Outsource your scripts with more than 1500 characters in one or more separate files.
You have defined a <meta> 'description'
The page should define a unique description.
Description in search engines
The description of the page may be directly displayed in search engine results pages (SERP):
It allows you to control at best the entry preview in search engines, and to improve the click rate to your page. Learn more.
How to define a page's description?
Use <meta name="description" content="page description"> and place it in the <head> tag.
This page uses WordPress, which does not handle of the description natively. You should use a plugin for adding it. You may - for instance - use SEOPress, a plugin we're actually using for our own blog!This page defines one <meta> description:
Kami adalah penjual HAMMER OF THOR terpercaya karena obat kuat hammer ini asli di website ini
This page uses only standard image formats
The images that use a non-standard format may not be indexed by search engines.
Only these image formats are considered standard on the web: jpeg, jpg, png, gif, svg, ico, webp. You should consider an alternative to any other format.
Moreover, remember to treat the text around your images: some search engines analyze approximately the 10 words preceding and following the image in order to add a context to the image.
No frameset, frame and noframes tags detected
These tags are obsolete, due to several issues related to the navigation consistency, SEO or browsers' bookmark features for example.
None of these tags is detected on this page.
The use of the iframe tag is prefered.
This page specifies a <title> tag
The page should define a unique title (using a <title> tag).
Use of titles by search engines
Once properly configured, the page title can be displayed in the search engine results page:
Using a suitable title is a major criterion for SEO. It allows you to control at best what is displayed in search results pages, and determine the keywords you want your site pops out.
How to define the title of a web page?
The title of the page is specified into the <title> tag, which must be placed into the <head> tag, at the beginning of the code.
This page defines a title the title tag.
Here is the page's title:
PENJUAL HAMMER OF THOR TERPERCAYA (THORS HAMMER)