Quality and Performance report

Report generated on Aug 5, 2018 10:27:39 AM
Download report
Not so bad!
But still far from perfection






See your priorities


SIMULATED VISITOR: Chrome Paris 8.0/1.5Mbps (Latency: 50 ms) Edit





HTML CSS Scripts Images Others
Timeline / Waterfall

First Byte


Start Render


Fully loaded


Browser warnings 0OK
HTTP/2 Ready: 100%
Speed Index: 1063

Technologies :


Google AdSense

Google Analytics



Twitter Bootstrap


Share this report by email

Feel free to share this report with your collaborators, by copying the URL from the address bar,
or by clicking below:

Share the report

Tips and best practices:

Things to improve



Consider using jQuery 1.12

You webpage uses jQuery 1.11.1. You should migrate to the latest version of the 1.x branch: jQuery 1.12, that contains several bug and security fixes.

Should I migrate to the last version of jQuery ?

Migrating from a 1. x version of jQuery to the latest version (3.x) can have many unintended impacts and means losing compatibility with older browsers. You should only consider abandoning jQuery 1.x as a part of a complete overhaul of your Front-End infrastructure. As you reflect on it, you will surely discover that you might not need jQuery.

Read more


The Content Security Policy is missing

Protect you website from cross-site scripting (XSS) attacks by setting up a restrictive Content-Security-Policy.

XSS attacks explained

XSS attacks are a type of attack in which malicious data is maliciously added to websites. The number of vulnerabilities allowing these attacks is quite large, which is why it is as useful to prevent them as to limit their harmful effects.

You can protect your pages against these attacks and their effects by restricting execution to code portions either legitimized by the domain to which they belong or by a unique integrity token. The code that does not corresponding to this security policy will not be executed and the user will be informed.

You can learn more about XSS attacks on the Open Web Application Security Project (OWASP) Website.

Configure a "Content-Security-Policy" (CSP) HTTP header

Set up a "Content-Security-Policy" (CSP) HTTP header to prevent or limit damage caused by an XSS attack. To specify a security policy configure your server so the response of the first resource contains the "Content-Security-Policy" HTTP header.

Here's an example:

Content-Security-Policy: script-src 'self' https://apis.google.com

In this case, only scripts coming from the current host or https://apis.google.com will be executed.

Read more about the CSP HTTP header. You can also look at the CSP directives specification.

Please, be careful, if the header is misconfigured, some of your content, scripts, or styles may be blocked. That could cause unwanted side effects. Moreover, the restrictions apply to all pages of the website. We recommend you test the different pages of your website before deploying this header in your production environment.

No Content Security Policy on this page: it is more easily exposed to XSS attacks.

Read more
Browser rendering 


Avoid CSS @import

Using CSS @import allows to add external stylesheet. In fact browsers cannot download them at the same time, this may add a delay to the rendering of the page. It is better to use the link tag. See more information.

The following external stylesheets were included in https://swiatliczb.pl/template/css/bootstrap.css using @import:

  • https://fonts.googleapis.com/css?family=Lato:400,700,400italic
  • //fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,4...

The following external stylesheets were included in https://swiatliczb.pl/template/css/poprawki.css using @import:

  • //fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,4...

Read more
Browser rendering 


Defer parsing of JavaScript

JavaScript can significantly slow down a page display, especially if it is necessary to download an external script.

Defer the use of JavaScript as much as possible to provide a faster start for the page display.

How can I fix this?

First of all, distinguish what portions of your JS is critical and must be loaded as soon as possible, and put them in a specific external file. Keep this file as streamlined as possible, and defer the parsing or execution of all other JS files (learn more).

Use one of the methods below to defer parsing for external JavaScript files:

  • use the async attribute;
  • use the defer attribute;
  • append the script to the DOM in JavaScript during the onload event;
  • make sure your scripts are placed at the bottom of the page (ideally at the end of the body).

36.3KiB of JavaScript is parsed during initial page load. Defer parsing JavaScript to reduce blocking of page rendering.

Read more


2 cookies are not secure

A cookie sent from the server to a web browser via the HTTPs protocol should only transit on a secure connection (except for some specific cases).

HTTP cookies

HTTP cookies are set by the server to the web browser via the Set-Cookie HTTP header. Then, the browser transmits the cookies to the server for the next requests by using the Cookie HTTP header. When the server uses a secure connection (HTTPs), the cookie probably contains some sensitive data: you have to guarantee that the cookie cannot be exploited on an insecure connection.

The Secure directive

By adding the Secure instruction in the Set-Cookie HTTP header, the server informs the browser that it is allowed to transmit the cookie over secure connection only. Read this blog post to learn more.

Caution: Ensure that the HTTP to HTTPS redirect is activated on your website. Otherwise, the Secure cookie may not be sent on HTTP request.

The following Cookies are not secure, you should add the Secure instruction in the Set-Cookie HTTP header:


  • set-cookie: PHPSESSID=d5f5c41bff8bacc2a7d63b6d2790e108; path=/


  • set-cookie: test_cookie=CheckForPermission; expires=Sun, 05-Aug-2018 10:42:42 GMT; path=/; domain=.doubleclick.net

Read more


This page is exposed to "clickjacking" type attacks

Keep malicious people from integrating your pages into their websites.

Clickjacking explained

This kind of attack happens when your page gets integrated with a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may enter personal information that is visible on and thus vulnerable to the malicious website.

To avoid this, always indicate which domains have permission to integrate your pages.

How to prevent clickjacking?

There are two main ways to prevent that behavior.

1/ Configure a "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header.

Three values may be defined:

  • DENY to prevent any frame or iframe from integrating the page;
  • SAMEORIGIN to authorize only frames from the same domain name;
  • ALLOW-FROM uri to indicate the domains allowed to integrate a page into frame (however is not compatible with some browsers)
  • 2/ Define an explicit frame-ancestors directive into a Content-Security-Policy HTTP Header. "frame-ancestors" directive is a newer, hence supported by fewer browsers, approach that will allow your website to authorize multiple domains instead of only the current origin. Setting this directive to 'none' is similar to X-Frame-Options: DENY.

    Which approach to choose? If you only have the current domain to allow, do set up the two security features, for better compatibility with older browsers. If you want to allow multiple domains, you should only implement the frame-ancestors security policy.

    Neither the "X-Frame-Options" HTTP header nor the "frame-ancestors" security police are configured on this page; you are more likely to be exposed to clickjacking.

    Read more

    Did you know?

    Number of requests 

    Resources distribution by domain

    This page loads data from 11 domains. This best practice retrieves the following metrics for each of these domains:

    • Loading Time (Cumulative): total time spent to load all the resources
    • Server Time (Cumulative): total time spent to retrieve the responses from the server (TCP connection + wait for first byte)
    • Weight: data amount loaded
    • Number of requests

    Here is the list of all the domains used by the page:

    DomainTime (ms)Server Time (ms)Weight (kB)Requests
    swiatliczb.pl 1521 1340 61 8
    fonts.gstatic.com 1664 1245 91 7
    pagead2.googlesyndication.com 702 545 125 4
    www.facebook.com 559 339 129 3
    googleads.g.doubleclick.net 560 490 8 2
    fonts.googleapis.com 242 216 1 1
    adservice.google.ie 268 221 1 1
    ajax.googleapis.com 329 197 34 1
    connect.facebook.net 206 165 69 1
    adservice.google.com 243 219 1 1
    staticxx.facebook.com 54 51 14 1

    Read more

    2 cookies may be corrupted on the client side

    A cookie must be manipulated on the server side. It is not recommended to use it on the browser.

    HTTP cookies

    HTTP cookies are set by the server to the web browser via the Set-Cookie HTTP header. Then, the browser transmits the cookies to the server during the following requests by using the Cookie HTTP header.

    You should ensure that the cookie cannot be exploited on the client side.

    The HttpOnly directive

    By adding the HttpOnly instruction in the Set-Cookie HTTP header, the server informs the browser that it is not allowed to manipulate the cookie. The client side can only get and return the cookie sent by the server: the cookie only transit on the HTTP protocol but can not be updated via JavaScript for example. Read this blog post to learn more.

    Some HTTP cookies could be exploited during a XSS attack. You should consider adding the HttpOnly directive for additional security:


    • set-cookie: PHPSESSID=d5f5c41bff8bacc2a7d63b6d2790e108; path=/


    • set-cookie: test_cookie=CheckForPermission; expires=Sun, 05-Aug-2018 10:42:42 GMT; path=/; domain=.doubleclick.net

    Read more

    11 resources on this page are for public use

    By default, the browser accepts to perform AJAX requests, or to retrieve web fonts, only on the same domain name of the page. So a font provided by toto.com can only be used by the pages of toto.com. This prevents misuse of your resources by any site.

    Some resources are public, and explicitly want to be available to everyone (eg Google Fonts). In this case, the HTTP header Access-Control-Allow-Origin can be used with the value "*". You should, however, use this property if your resource has aimed to be used by the greatest number. Otherwise, we recommend that you keep the default, or set a specific domain name in the "Access-Control-Allow-Origin" HTTP header.

    You should be aware of the following resources, that use a Access-Control-Allow-Origin: * HTTP header. Make sure they are actually intended to be used by pages from all domain names:

    It appears these files are hosted by a third-party, so they may not be within your control. However, you should consider any alternative to these resources to improve your page performance.

    Read more

    Your server should be able to communicate with HTTP while it uses a HTTPS connection

    Take precautionary measures against attacks like "man in the middle" by making sure to only communicate in HTTPS with the server.

    The HTTP Strict Transport Security (HSTS) Header

    When you communicate with a server through a secure connection, every sent request towards this server should use the HTTPS protocol. The HTTP HSTS header allows to indicate to the browser that all the requests sent to the domain concerned must be done via HTTPS. If the URL is presented under "http://...", the web browser is automatically going to replace it by "https://...".

    However, we advise you to not set this header unless your entire website serves its resources in HTTPS.

    For further information, you can read this article.

    No HSTS header has been detected on this page.

    Read more

    This page contains 49 links

    Two kind of links exist:

    • Internal links that refer to pages with the same domain name;
    • External links that point to other websites (must be relevant and point towards quality content).

    If you reference many links, you can ask the SEO crawlers to consider only some of them, by adding the rel=nofollow attribute to the irrelevant ones (e.g., advertisements).

    Here is the distribution of 49 links present in the page:

    • 49 internal links (100,00%)
    • No "follow" external link (0,00%)
    • No "nofollow" external link (0,00%)

    Read more
    Data amount 

    This page does not load too much data (533kB)

    A too high page weight slows down the display, especially on low speed connections. This can lead to frustration for users paying for data (see whatdoesmysitecost.com).

    Evaluate the Weight of my Web Page

    In February 2016, the average weight of 100 most visited websites in the world was 1,38MB.

    How to reduce the weight of my page?

    You can report to our "Data amount" category to discover the possible optimizations in your case. Images are often involved.
    Moreover, make sure to build your web pages in order to load data that is essential to the user experience (rendering optimization of the critical path).
    For other contents (social networking plugins, advertising, content at the bottom of the page ...), it is better to delay the loading (asynchronous, lazy-loading ...), so they don't override priority contents.

    We strongly recommend that you define performance budgets before you carry out your web projects. These budgets can be settled through the Dareboost monitoring feature.

    We have established the weight distribution of the page by resource type:

    • JavaScript : 69,80% of total weight
    • Font : 16,83% of total weight
    • Texts : 7,84% of total weight
    • CSS : 4,39% of total weight
    • Images : 1,14% of total weight

    Here is the weight of the 10 heaviest resources over the network, and that are necessary to load the page:

    Read more

    Well done, these best practices are respected



    No BOM (Byte Order Mark) detected

    Some parsers are not able to interpret a page with a BOM in it.

    What is the BOM ?

    The BOM is a hidden character located in the beginning of the page, aiming at helping to determine what encoding the page uses. But the best practices of the web prompt the use of the HTTP Content-Type header in order to define the encoding used by the page. The BOM has no reason to be in this context.

    Aside the fact that this kind of indicator is useless on the web, it can lead to a certain number of issues. This is the case for example of the W3C validation that is going to try to interpret the first character which corresponds to the BOM. Then, the document will not be valid.

    No resource use a BOM.

    Read more


    Only one <base> element is defined

    Your page contains one <base> elements.

    The browser will only use the first values available for the href and the target attributes. Other values will be ignored. Please define only one <base> element with these values.

    Read more


    Your <img> tags use an alt attribute

    Moreover, the alt attribute is also an important criterion for SEO. Indeed, search engines crawlers cannot parse graphic contents. That is why they use the alternative text to return consistent results, like in Google images.

    <img src="product.jpg" alt="My product description"/>

    The alt attribute is used in several cases unrelated to SEO:

    • When a screen reader is in use for accessibility purposes;
    • While image is loading, particularly for slow connections;
    • When the image file is not found.

    You have 1 img tag that defined the alt attribute.

    If nothing seems appropriate for describing an image, you might set an empty text. We advise you to make sure the majority of your images define a relevant text. Read the W3C recommendations here.

    Read more
    Cache policy 


    You do not use too long inline scripts

    Any script with a significant size should let the browser cached them in order to reduce loading time/improve performance of your returning visitor.

    Inline scripts / cache policy

    "inline" scripts allow to integrate easily small portions of scripts directly in the HTML code. Example:

    <script type="text/javascript">
        ga('create', 'UA-11111111-1', 'mywebsite.com');

    By doing so, you avoid making a request to the server to retrieve the resource. So inline scripts represent a performance gain if you want to integrate small scripts.

    However, once a script has a fairly substantial size, we advise you to outsource it and perform a request to retrieve it. So you will benefit from the cache mechanism.

    What should I do?

    Outsource your scripts with more than 1500 characters in one or more separate files.

    Read more


    This page defines <h1> and <h2> tags

    We recommend putting page keywords in at least the h1 and h2 tags. Search engines use the h1, h2, and h3 tags for SEO purposes.
    This page contains:

    • 1 <h1> element(s)

    Read more


    No frameset, frame and noframes tags detected

    These tags are obsolete, due to several issues related to the navigation consistency, SEO or browsers' bookmark features for example.

    None of these tags is detected on this page.

    The use of the iframe tag is prefered.

    Read more