Quality and Performance report

http://24biz.biz
Report generated on Sep 11, 2018 1:18:48 AM
SIMULATED VISITOR: Chrome Paris 8.0/1.5Mbps (Latency: 50 ms)

Requests: 33

Weight: 363kB

[Chart: weight breakdown by HTML, CSS, Scripts, Images, Others]

Timeline / Waterfall

First Byte: 0.32sec
Start Render: 0.63sec
Fully loaded: 2.63sec

Browser warnings: 0 (OK)
Custom timings: 2
Speed Index: 751

Technologies:

  • AddThis
  • Google Analytics
  • Liveinternet
  • Nginx
  • jQuery



Tips and best practices:

Things to improve

Cache policy: 0/100

11 of your requests don't define a cache policy

The Expires header is essential for an efficient caching policy. It significantly affects loading time for returning visitors.

The Expires header explained

You can set an expiration date for each resource: as long as the date is not exceeded, the browser stores and uses the resource in cache.

The expiry date of resources is set using the Expires HTTP header:

Expires: Thu, 25 Dec 2014 20:00:00 GMT

You can set a far expiry date for static resources (1 year maximum), and a closer date for resources that change more frequently (at least 48 hours).

When you deploy a new version of your website, remember to rename static resources that have been modified. If you do not change their names, your users will keep resources corresponding to the old versions stored in their caches, and they may find themselves on an unstable version of your page. For example:

myresource.min.20140101.js

See the Yahoo! guidelines on this subject.

This page contains 11 resources without expiry date:

Security: 0/100

You should use a secure connection (HTTPS)

HTTPS provides confidentiality and integrity for communications over the internet: data is encrypted in transit, which protects it against eavesdropping and tampering.

Google is multiplying its actions to push more and more websites towards HTTPS. Google first added HTTPS to its SEO criteria (see the announcement). Since then, Chrome has evolved and now highlights the absence of a secure connection in various cases where information is collected from users. Other browsers are also following this trend.

Setting up HTTPS on a website sometimes raises reservations (cost, impact on performance, compatibility with technical partners…). But the market has changed in recent years and migrating to HTTPS is no longer a concern. You should consider switching your site to HTTPS.

How to set up the HTTPS protocol

You have to set up a certificate obtained from a trusted certification authority. Contact your website host, who can help you obtain this certificate. The following page also helps you with your migration procedure to the HTTPS protocol.

A free certificate? Try Let's Encrypt!

Let's Encrypt is a free, automated, and open certificate authority. Many hosting providers let you enable the generation and automatic renewal of free certificates directly from the administration interface of your domain. Contact your website host for more information.

Number of requests: 33/100

Save 9 requests using CSS sprites

Combining images into CSS sprites reduces the number of files the browser has to download and speeds up loading.

CSS sprites explained

A CSS sprite is a single file in which several smaller images are grouped and positioned next to each other. You display each small image in your page by applying CSS styles, and a single request is enough to retrieve all the images. Use this method only for small images, such as icons, so the CSS sprite does not get too heavy.

Example

Here is a CSS sprite example:

[Image: CSS sprite example]

The page also applies the styles associated with the sprite:

.sprite {
background-image: url(img/sprite.png);
background-repeat: no-repeat;
display: block;
}

.sprite-browsers-firefox {
width: 31px;
height: 28px;
background-position: -74px 0;
}

Then you just need to apply the right classes in your HTML file, and the icon appears:

<span class="sprite sprite-browsers-firefox"></span>

How should I create CSS sprites?

Their creation can be complex, so we recommend using tools that generate them for you. Here are a few sprite generators:


10 images can be combined into a CSS sprite. The domain 24biz should use this technique for the following resources:


Security: 0/100

The Content Security Policy is missing

Protect your website from cross-site scripting (XSS) attacks by setting up a restrictive Content-Security-Policy.

XSS attacks explained

XSS attacks are attacks in which malicious content, typically script, is injected into web pages. The number of vulnerabilities allowing these attacks is large, which is why it is as useful to limit their harmful effects as to prevent them.

You can protect your pages against these attacks and their effects by restricting script execution to code that is either allowed because of the origin it is loaded from, or identified by a unique integrity token. Code that does not comply with this security policy is not executed, and the violation is reported.

You can learn more about XSS attacks on the Open Web Application Security Project (OWASP) Website.

Configure a "Content-Security-Policy" (CSP) HTTP header

Set up a "Content-Security-Policy" (CSP) HTTP header to prevent or limit the damage caused by an XSS attack. To specify a security policy, configure your server so that the response for the main document contains the "Content-Security-Policy" HTTP header.

Here's an example:

Content-Security-Policy: script-src 'self' https://apis.google.com

In this case, only scripts coming from the current host or https://apis.google.com will be executed.

Read more about the CSP HTTP header. You can also look at the CSP directives specification.

Be careful: if the header is misconfigured, some of your content, scripts, or styles may be blocked, which could cause unwanted side effects. Moreover, the restrictions apply to all pages of the website. We recommend that you test the different pages of your website before deploying this header in your production environment.

No Content Security Policy on this page: it is more easily exposed to XSS attacks.

Cache policy: 47/100

Specify a 'Vary: Accept-Encoding' header

The following publicly cacheable, compressible resources should have a "Vary: Accept-Encoding" header:

Resources from "24biz"
Resources hosted by a third-party

It appears these files are hosted by a third party, so they may not be within your control. However, you should consider alternatives to these resources to improve your page performance.

The Vary: Accept-Encoding header allows proxies to cache two versions of the resource: one compressed and one uncompressed. Clients that cannot properly decompress the files can then access your page via a proxy using the uncompressed version, while other users get the compressed version.

Security: 0/100

This page is exposed to "clickjacking" type attacks

Prevent malicious sites from embedding your pages in their own websites.

Clickjacking explained

This kind of attack happens when your page is embedded in a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may then enter personal information that is visible to, and can be captured by, the malicious website.

To avoid this, always indicate which domains have permission to integrate your pages.

How to prevent clickjacking?

There are two main ways to prevent this behaviour.

1/ Configure an "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header.

Three values may be defined:

  • DENY to prevent any frame or iframe from embedding the page;
  • SAMEORIGIN to authorize only frames from the same domain name;
  • ALLOW-FROM uri to indicate the domains allowed to embed the page in a frame (however, it is not supported by some browsers).

2/ Define an explicit frame-ancestors directive in a Content-Security-Policy HTTP header. The "frame-ancestors" directive is a newer approach, hence supported by fewer browsers, that lets your website authorize multiple domains instead of only the current origin. Setting this directive to 'none' is equivalent to X-Frame-Options: DENY.

Which approach to choose? If you only need to allow the current domain, set up both security features, for better compatibility with older browsers. If you want to allow multiple domains, implement only the frame-ancestors security policy.


Neither the "X-Frame-Options" HTTP header nor the "frame-ancestors" security policy is configured on this page; you are more likely to be exposed to clickjacking.

Did you know?

Quality

14 selectors are superfluous

It's often inefficient to make CSS selectors overly specific. For example, in the following rule:

body div .myClass {}

The body element adds nothing to the selection of the desired tags, so you should prefer the following selector:

div .myClass {}

In the same way, you do not need to specify a <ul> selector if a <li> follows it.

Here are the elements considered potentially redundant: ul li, ol li, table tr, table th, body.

The following files declare some useless selectors:

http://24biz.biz/styles.css

  • .content table[cellpadding="4"] tr > td (line 16, col 1)
  • .content table[cellpadding="4"] tr > td img (line 17, col 1)
  • .content table[cellpadding="4"] tr > td img[src$="/flag.jpg"] (line 18, col 1)
  • .content table[cellpadding="4"] tr > td > br (line 19, col 1)
  • .content table.towns tr (line 21, col 1)
  • .content table.towns tr > td (line 22, col 1)
  • .content table.towns tr > td (line 22, col 1)
  • .sitemap ul li (line 341, col 1)
  • and 6 others

Security

Do all third-party resources deliver the right content?

This page loads data from third parties; you should ensure their integrity.

SubResource Integrity (SRI)

Use SRI to ensure that a third-party resource has not been tampered with. Add the integrity attribute to the <script> and <link> tags loading this kind of resource. Example:

<script src="https://exemple.com/exemple-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous">
</script>

The integrity attribute value is the base64-encoded hash (SHA) of the resource. The browser compares this hash with the downloaded content to determine whether the resource matches the expected content.

You can compute the hash with several tools. On the command line, you can use openssl. You can also try online tools such as srihash.org or report-uri.io. Learn more about SubResource Integrity.

jQuery

More information about jQuery performance

jQuery is the most used JavaScript library. Improve your website's performance by following the jQuery best practices. We recommend that you learn the basics of jQuery performance by reading the following page: http://learn.jquery.com/performance/.

Number of requests

Resources distribution by domain

This page loads data from 11 domains. This check reports the following metrics for each of these domains:

  • Loading Time (Cumulative): total time spent loading all the resources
  • Server Time (Cumulative): total time spent retrieving the responses from the server (TCP connection + wait for first byte)
  • Weight: amount of data loaded
  • Number of requests

Here is the list of all the domains used by the page:

Domain                      Time (ms)   Server Time (ms)   Weight (kB)   Requests
24biz.biz                        3177               2687            76         14
s7.addthis.com                    595                333           216          5
cdn.ywxi.net                      515                372            47          3
counter.yadro.ru                  505                341             2          2
images.dmca.com                  2087               1962             4          2
www.google-analytics.com          359                270            15          2
m.addthis.com                     386                210             1          1
c.hit.ua                          377                181             1          1
www.mcafeesecure.com              652                616             0          1
s3-us-west-2.amazonaws.com        461                426             1          1
m.addthisedge.com                 345                308             1          1

Security

9 cookies may be corrupted on the client side

Cookies should be handled on the server side; manipulating them in the browser is not recommended.

HTTP cookies

HTTP cookies are set by the server on the web browser via the Set-Cookie HTTP header. The browser then transmits the cookies back to the server on subsequent requests using the Cookie HTTP header.

You should ensure that the cookie cannot be exploited on the client side.

The HttpOnly directive

By adding the HttpOnly directive to the Set-Cookie HTTP header, the server informs the browser that scripts are not allowed to access the cookie. The client side can only store and return the cookie sent by the server: the cookie transits only over the HTTP protocol and cannot be read or updated via JavaScript, for example. Read this blog post to learn more.

Some HTTP cookies could be exploited during an XSS attack. You should consider adding the HttpOnly directive for additional security:

counter.yadro.ru/hit?q;t23.2;r;s3000*1920*24;uht[...]z.biz/;0.8221129338127218

  • Set-Cookie: VID=3KgZnz3WlM9k1RbnVx00K14B; path=/; expires=Tue, 10 Sep 2019 21:00:00 GMT; domain=.yadro.ru

www.mcafeesecure.com/rpc/ajax?do=tmjs-visit&host[...]z.biz&rand=1536628732290

  • set-cookie: AWSALB=9ubUrk4tW/VpaMgMToyEbxYlg/SAufNbhegxow99DMUpWDyAU9xmuperzQiRPB8NoYXLTZOTxAYQtgkVvRbgJLQJrzF0D3/fmH92wbS3hBZT55nczxH2NSeevxfY; Expires=Tue, 18 Sep 2018 01:18:52 GMT; Path=/

m.addthis.com/live/red_lojson/300lo.json?si=5b97[...]bs.oln9_61979541777248230

  • Set-Cookie: ouid=5b9717fd00014e2c6979efae33c200eb18c496753e36a5e78d4b;Path=/;Domain=.addthis.com;Expires=Sun, 06-Oct-2019 01:18:53 GMT
  • Set-Cookie: di2=aUpuc#$M`##Ei##Eh##Eg##Ef##EeOB^OA}OA|LHc7<i6Ll6Hq0HV;Path=/;Domain=.addthis.com;Expires=Sun, 06-Oct-2019 01:18:53 GMT
  • Set-Cookie: bt2=5b9717fd001ss0002001Cs0002;Path=/;Domain=.addthis.com;Expires=Sat, 25-May-2019 01:18:53 GMT
  • Set-Cookie: uid=5b9717fd86cdba83;Path=/;Domain=.addthis.com;Expires=Sun, 06-Oct-2019 01:18:53 GMT
  • Set-Cookie: vc=2;Path=/;Domain=.addthis.com;Expires=Sun, 06-Oct-2019 01:18:53 GMT

counter.yadro.ru/hit?t23.2;r;s3000*1920*24;uhttp[...]z.biz/;0.8221129338127218

  • Set-Cookie: FTID=1RbnVx3l4Fvk1RbnVx00K143; path=/; expires=Tue, 10 Sep 2019 21:00:00 GMT; domain=.yadro.ru

c.hit.ua/hit?i=72419&g=0&x=4&s=1&c=1&t=0&w=3000&[...]&r=&u=http%3A//24biz.biz/

  • Set-Cookie: uid=94639255.1536628733.1667369461; path=/; domain=.hit.ua; expires=Fri, 10 Sep 2021 01:18:53 GMT

Security

Do target="_blank" links introduce a security leak on this page?

Using the target="_blank" attribute is rarely recommended. Nevertheless, if you need to use this attribute, note that a security leak could cause harm to your visitors, particularly if your site is open to visitor contributions.

It allows the targeted page to manipulate the window.opener.location property, and thus to perform a redirect within the parent tab. When the user gets back to the parent tab, they may be facing a malicious website (phishing, etc.).

Even without being malicious, a website opened via a target="_blank" link can degrade the performance of the site that opened it, because most browsers share the same thread between source and target websites.

We recommend adding the rel=noreferrer attribute when using target="_blank" for a link to an external website. This blocks access to "window.opener".
If your website allows users to publish content (e.g. comments, customer reviews, etc.), be sure to automate the addition of this protection. Otherwise, a user could easily exploit this weakness.

The following links may be exposed to this vulnerability:

  • <a href="http://24biz.biz/blog/2018/06/18/why-do-people-take-out-short-term-loans-and-for-what-needs/" target="_blank"><font color="white">"Why do people take out short-term loans and for what needs?"...
  • <a href="//www.liveinternet.ru/click" target="_blank"><img src="//counter.yadro.ru/hit?t23.2;r;s3000*1920*24;uhttp%3A//24biz.biz/;0.8221129338127218" alt="" title="LiveInternet: " border="0" width="88...
  • <a href="http://hit.ua/?x=72419" target="_blank" rel="nofollow">
    <script language="javascript" type="text/javascript"></script>
    <script language="javascript1.1" type="text/javascript"></script>
    <scrip...


Well done, these best practices are respected

Accessibility: 100/100

No empty "src" attribute detected

The "src" attribute gives access to another resource. Nothing justifies using it with an empty value.

All your src attributes specify a target. That's a best practice.

Browser rendering: 100/100

Your HTML response is not too heavy

Why reduce the code amount of a page?

Before a web page can be displayed, the browser must, among other things, download it, parse it and model it into a document that can be understood by the rendering engine. If the amount of code contained in the page is too large, these steps are slowed down and the rendering is delayed.

How to reduce the amount of code?

Your HTML response should contain only the information that is immediately necessary to display the visible area of the page. Move inline information to external files (JS for scripts, CSS for styles, asynchronous queries for additional content) and simplify the HTML structure of your page.

Cache policy: 100/100

You do not use too long inline scripts

Any script of significant size should be cacheable by the browser, to reduce loading time and improve performance for returning visitors.

Inline scripts / cache policy

"Inline" scripts make it easy to embed small portions of script directly in the HTML code. Example:

<script type="text/javascript">
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']...,'/analytics.js','ga');
    ga('create', 'UA-11111111-1', 'mywebsite.com');
</script>

By doing so, you avoid making a request to the server to retrieve the resource. So inline scripts are a performance gain if you want to embed small scripts.

However, once a script reaches a substantial size, we advise you to move it to an external file and retrieve it with a request. You will then benefit from the cache mechanism.

What should I do?

Move scripts of more than 1500 characters into one or more separate files.

Accessibility: 100/100

<noscript> tag detected

This page uses the noscript tag. It allows a message to be displayed when JavaScript is disabled by the user.

SEO: 100/100

This page defines <h1> and <h2> tags

We recommend putting page keywords in at least the h1 and h2 tags. Search engines use the h1, h2, and h3 tags for SEO purposes.
This page contains:

  • 1 <h1> element(s)
  • 2 <h2> element(s)
  • 7 <h3> element(s)

Quality: 100/100

No nested tables detected

The table tag should only be used to render tabular data. Handle the layout of elements with CSS instructions.

You can use the colspan and rowspan attributes to represent complex data.

No nested table found in this page.