Quality and Performance report

Report generated on Sep 26, 2018 6:40:59 PM
Download report
SIMULATED VISITOR: Chrome Paris 8.0/1.5Mbps (Latency: 50 ms) Edit





HTML CSS Scripts Images Others
Timeline / Waterfall

First Byte


Start Render


Fully loaded


Browser warnings 0OK
HTTP/2 Ready: 39%
Speed Index: 926

Technologies :

Google Font API



Twitter Emoji (Twemoji)




Share this report by email

Feel free to share this report with your collaborators, by copying the URL from the address bar,
or by clicking below:

Share the report

Tips and best practices:

Things to improve

Data amount 


1 image is resized on browser side

Images must not be delivered larger than they are actually displayed to avoid loading unnecessary data.

Resizing images explained

Resizing images on browser side to reduce their rendering size is not recommended.

For instance, if your image is set to render at 300px by 300px on a particular page, don't upload the original 1000px by 1000px version of that image to your page. Instead, resize/crop the image to fit the display size and then upload it to your site to decrease the page weight and loading time.

Using images with responsive designs or retina screens?

Responsive website designs and retina screens do not justify an image resizing. Even in such cases, some methods exist to deliver your pictures to the right size. We recommend reading the following resources:

Don't resize the following image:

Read more
Browser rendering 


1 critical dependency detected

The failure of a third-party content provider could bring an overall breakdown of your website.

Single Point Of Failure

A Frontend Single Point Of Failure (SPOF) is a critical dependency on a third-party content, that may block the entire display of your page in case of failure of the content provider.

As an example, if your web page uses a blocking script hosted by Google’s servers, then your page is reliant on any failure from this script. Please read this blog post dedicated to SPOF for more information.

How to avoid SPOF?

As far as possible, exclude any of these dependencies, even from renowned providers. If you have to use a third-party content, ensure that you choosed an asynchronous integration and that you have a fallback in case of problem.

We are checking if the tested web page depends (in a critical way) on some of most widespread external resources (googleapis, typekit,...). That are known as Frontend SPOF (Single Point Of Failure) cases.

This resource represents a SPOF for this page:

Read more
Browser rendering 


Defer parsing of JavaScript

JavaScript can significantly slow down a page display, especially if it is necessary to download an external script.

Defer the use of JavaScript as much as possible to provide a faster start for the page display.

How can I fix this?

First of all, distinguish what portions of your JS is critical and must be loaded as soon as possible, and put them in a specific external file. Keep this file as streamlined as possible, and defer the parsing or execution of all other JS files (learn more).

Use one of the methods below to defer parsing for external JavaScript files:

  • use the async attribute;
  • use the defer attribute;
  • append the script to the DOM in JavaScript during the onload event;
  • make sure your scripts are placed at the bottom of the page (ideally at the end of the body).

The WP Rocket Wordpress plugin has a "Load JavaScript deferred" option, feel free to try it!

104.5KiB of JavaScript is parsed during initial page load. Defer parsing JavaScript to reduce blocking of page rendering.

Read more


You should use a secure connection (HTTPS)

HTTPS guarantees the confidentiality and security of communications over the internet: data is encrypted, so protected against attacks and data corruption.

Google is multiplying its actions to push more and more websites towards HTTPS. Google first added HTTPS in its SEO criteria (see the announcement). Since then, Chrome has been evolving and now highlights the absence of a secure environment in various cases where information is collected from users. Other browsers are also following this trend.

Setting up HTTPS on a website sometimes causes some reservations (cost, impacts on performance, compatibility with technical partners…). But the market has changed in recent years and you should not worry about migrating to HTTPS. You should consider switching your site to HTTPS.

How to set up the HTTPS protocol

You have to set up a certificate you got from a reliable certification authority. Learn more by contacting your website host who can help you getting this certificate. Besides, the following page help you in your migration procedure to the HTTPS protocol.

A free certificate? Try Let's Encrypt!

Let's Encrypt is a free, automated, and open certificate authority. Many hosting providers offer to enable the generation and automatic renewal of free certificates directly from the administration interface of your domain. Contact your website host for more information.

Read more


You should define a 'description' meta tag

The page should define a unique description.

Description in search engines

The description of the page may be directly displayed in search engine results pages (SERP):

It allows you to control at best the entry preview in search engines, and to improve the click rate to your page. Learn more.

How to define a page's description?

Use <meta name="description" content="page description"> and place it in the <head> tag.

This page uses WordPress, which does not handle of the description natively. You should use a plugin for adding it. You may - for instance - use SEOPress, a plugin we're actually using for our own blog!

No <meta> description has been found on this page. Please provide a <meta> description.

Read more


The Content Security Policy is missing

Protect you website from cross-site scripting (XSS) attacks by setting up a restrictive Content-Security-Policy.

XSS attacks explained

XSS attacks are a type of attack in which malicious data is maliciously added to websites. The number of vulnerabilities allowing these attacks is quite large, which is why it is as useful to prevent them as to limit their harmful effects.

You can protect your pages against these attacks and their effects by restricting execution to code portions either legitimized by the domain to which they belong or by a unique integrity token. The code that does not corresponding to this security policy will not be executed and the user will be informed.

You can learn more about XSS attacks on the Open Web Application Security Project (OWASP) Website.

Configure a "Content-Security-Policy" (CSP) HTTP header

Set up a "Content-Security-Policy" (CSP) HTTP header to prevent or limit damage caused by an XSS attack. To specify a security policy configure your server so the response of the first resource contains the "Content-Security-Policy" HTTP header.

Here's an example:

Content-Security-Policy: script-src 'self' https://apis.google.com

In this case, only scripts coming from the current host or https://apis.google.com will be executed.

Read more about the CSP HTTP header. You can also look at the CSP directives specification.

Please, be careful, if the header is misconfigured, some of your content, scripts, or styles may be blocked. That could cause unwanted side effects. Moreover, the restrictions apply to all pages of the website. We recommend you test the different pages of your website before deploying this header in your production environment.

No Content Security Policy on this page: it is more easily exposed to XSS attacks.

Read more


This page is exposed to "clickjacking" type attacks

Keep malicious people from integrating your pages into their websites.

Clickjacking explained

This kind of attack happens when your page gets integrated with a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may enter personal information that is visible on and thus vulnerable to the malicious website.

To avoid this, always indicate which domains have permission to integrate your pages.

How to prevent clickjacking?

There are two main ways to prevent that behavior.

1/ Configure a "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header.

Three values may be defined:

  • DENY to prevent any frame or iframe from integrating the page;
  • SAMEORIGIN to authorize only frames from the same domain name;
  • ALLOW-FROM uri to indicate the domains allowed to integrate a page into frame (however is not compatible with some browsers)
  • 2/ Define an explicit frame-ancestors directive into a Content-Security-Policy HTTP Header. "frame-ancestors" directive is a newer, hence supported by fewer browsers, approach that will allow your website to authorize multiple domains instead of only the current origin. Setting this directive to 'none' is similar to X-Frame-Options: DENY.

    Which approach to choose? If you only have the current domain to allow, do set up the two security features, for better compatibility with older browsers. If you want to allow multiple domains, you should only implement the frame-ancestors security policy.

    Neither the "X-Frame-Options" HTTP header nor the "frame-ancestors" security police are configured on this page; you are more likely to be exposed to clickjacking.

    Read more
    Number of requests 


    Group 6 JavaScript files

    Each HTTP request affects the performance of your webpage (e.g., roundtrip time and bandwidth usage).

    For example, it is better to request a unique 50 kB file instead of requesting 10 files that are 5 kB in size.

    How should I distribute scripts?

    Distribute your scripts by integrating them directly into your HTML or grouping them in files. We recommend using the latter method to take advantage of caching mechanisms.

    You should consider grouping the following resources:

    Read more


    1 title tag is empty

    <h1>, <h2> and <h3> tags should contain keywords related to the content.

    On this page, one <h1> tag is empty, and have to define a content.

    Read more


    Provide a favicon

    No favicon found on this page. You should put one in your head tag as shown below:

    <link rel="icon" type="image/png" href="/path/favicon.png" />
    <!--[if IE]><link rel="shortcut icon" type="image/x-icon" href="/path/favicon.ico" /><![endif]-->

    Favicon is a small image providing an icon to a website. It's located in the root of your server and the browser will always request it. It is better not to respond with a 404 HTTP code (not found).

    Moreover, this file will be asked on every requested web page, so make it cachable: the client will request it only once. See more information.

    Read more


    Block access to the entire page when an XSS attack is suspected

    Make sure that the user’s browser does all it can to prevent an XSS-type attack.

    XSS attacks

    An XSS-type attack (XSS stands for Cross-Site Scripting) aims at injecting content into the page.

    Recent browsers have an integrated protection against XSS attacks. However, this protection can be disabled. To prevent any harm to the user, we recommend that you force the activation of the XSS Protection, and should an XSS attack be detected, block access to any of the page content.

    Solution: configure an "X-XSS-Protection" HTTP header

    Add the "X-XSS-Protection" HTTP header with "1; mode=block" as value (1 to indicate the activation, and mode=block to indicate that the entire page must be blocked if a problem occurs).

    The XSS protection is disabled on this page.

    Read more


    The !important declaration is used 23 times

    If you abuse of this declaration, you should consider a review of your CSS code. We tolerate 10 occurrences of the !important declaration before penalizing your score.

    Here are the !important detected:

    http://ubezpieczeniaturystyczne.online/ (inline 0)

    • img.wp-smiley, img.emoji {display: inline !important} (line 4, col 2)
    • img.wp-smiley, img.emoji {border: none !important} (line 5, col 2)
    • img.wp-smiley, img.emoji {box-shadow: none !important} (line 6, col 2)
    • img.wp-smiley, img.emoji {height: 1em !important} (line 7, col 2)
    • img.wp-smiley, img.emoji {width: 1em !important} (line 8, col 2)
    • img.wp-smiley, img.emoji {margin: 0 .07em !important} (line 9, col 2)
    • img.wp-smiley, img.emoji {vertical-align: -0.1em !important} (line 10, col 2)
    • img.wp-smiley, img.emoji {background: none !important} (line 11, col 2)
    • img.wp-smiley, img.emoji {padding: 0 !important} (line 12, col 2)


    • .screen-reader-text {position: absolute !important} (line 309, col 2)
    • .screen-reader-text {word-wrap: normal !important} (line 311, col 2)
    • .screen-reader-text:focus {clip: auto !important} (line 320, col 2)
    • html[lang="ar"] *, html[lang="ary"] *, html[lang="azb"] *, h... (line 912, col 2)
    • .page-numbers.current .screen-reader-text {position: relativ... (line 1984, col 2)
    • .no-svg .next.page-numbers .screen-reader-text, .no-svg .pre... (line 3204, col 2)
    • .page-numbers.current .screen-reader-text {position: absolut... (line 4129, col 3)
    • form, button, input, select, textarea, .navigation-top, .soc... (line 4194, col 3)
    • and 6 others

    Read more


    Disable the auto detection of resource type

    Protect yourself from malicious exploitation via MIME sniffing.

    MIME-Type sniffing explained

    Internet Explorer and Chrome browsers have a feature called "MIME-Type sniffing" that automatically detects a web resource's type. This means, for example, that a resource identified as an image can be read as a script if its content is a script.

    This property allows a malicious person to send a file to your website to inject malicious code. We advise you to disable the MIME-Type sniffing to limit such activity.

    How to prevent MIME-Type sniffing

    Configure a "X-Content-Type-Options" HTTP header. Add the "X-Content-Type-Options" HTTP header in the responses of each resource, associated to the "nosniff" value. It allows you to guard against such misinterpretations of your resources.

    On this page, you should configure the following resources, that risk being misinterpreted:

    Resources from "ubezpieczeniaturystyczne"
    Resources hosted by a third-party

    It appears these files are hosted by a third-party, so they may not be within your control. However, you should consider any alternative to these resources to improve your page performance.

    Read more


    Your site doesn't use Open Graph properties

    You can help social networks understand information related to the page by using Open Graph properties.

    The Open Graph properties explained

    Several properties allow social networks to learn more about the page's content. We recommend using at least the required properties:

    • <meta property="og:title" content="The title" />
    • <meta property="og:type" content="The type" />
    • <meta property="og:url" content="http://url.com/" />
    • <meta property="og:image" content="http://image.jpg" />

    This information is used to improve links between your page and various social networks, including Facebook. Read more about Open Graph here.

    This page does not provide information to social networks.

    Read more
    Cache policy 


    Do not use too long inline scripts

    Any script with a significant size should let the browser cached them in order to reduce loading time/improve performance of your returning visitor.

    Inline scripts / cache policy

    "inline" scripts allow to integrate easily small portions of scripts directly in the HTML code. Example:

    <script type="text/javascript">
        ga('create', 'UA-11111111-1', 'mywebsite.com');

    By doing so, you avoid making a request to the server to retrieve the resource. So inline scripts represent a performance gain if you want to integrate small scripts.

    However, once a script has a fairly substantial size, we advise you to outsource it and perform a request to retrieve it. So you will benefit from the cache mechanism.

    What should I do?

    Outsource your scripts with more than 1500 characters in one or more separate files.

    You should write this script in a distinct file:

    • window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/11\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emo...

    Read more


    Separate the CSS styles from the HTML tags

    Separating HTML tags and CSS directives improves code readability and promotes factorization.

    How to define CSS styles

    CSS styles are used to format the page. You can use one of three main methods to define them:

    • declare styles in a specific CSS file;
    • declare "inline" styles (<style> tag in your HTML template);
    • declare styles with the "style" attribute of a HTML tag.
    How can I improve my page?

    We recommend grouping your CSS styles in <style> tags or in separate files. That way, the HTML is only responsible for providing the structure of the page, and its layout is outsourced. The <style> attribute should only be generated by some JavaScript code (e.g., if you need to know the screen size).

    This page uses 1 style attribute(s):

    • <svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

    Read more
    Data amount 


    Minify CSS

    Compacting CSS code can save many bytes of data and speed up download and parse times.

    Minify CSS for the following resources to reduce their size by 4.0KiB (26% reduction).

    There are many tools to minify CSS files. You can try YUI Compressor or cssmin.js, recommended by Google.

    Several great plugins are also available for WordPress to handle the minify.You can consider especially the popular WP Rocket or W3 Total Cache plugins.

    If you want to know more about the CSS minification, do not hesitate to read this article on the subject!

    Read more
    Browser rendering 


    Enable Keep-Alive

    The host ubezpieczeniaturystyczne.online should enable Keep-Alive. It serves the following resources.

    Keep-alive allows to send and receive several requests using the same TCP connection (activated by default in HTTP 1.1).

    Read more

    Did you know?


    No HTML code is commented

    Comments allow you to detail a portion of code and help you navigate more efficiently in the DOM. However, make sure no sensitive information is exposed in your comments.

    Well done, none of your comments contains HTML code.

    Read more

    No <noscript> tag is detected

    When a web page uses scripts, it is advised to set at least one noscript tag. It is required to display a message when JavaScript is disabled by the user.

    <script  type="text/javascript">
    document.write('Hello World!')
    <noscript>Your browser does not support JavaScript!</noscript>

    Read more

    More informations about jQuery performance

    jQuery is the most used JavaScript library. Upgrade your website performance respecting the jQuery best practices. We recommend that you learn the basics of the jQuery performance, reading the following link: http://learn.jquery.com/performance/.

    Read more
    Data amount 

    This page does not load too much data (327kB)

    A too high page weight slows down the display, especially on low speed connections. This can lead to frustration for users paying for data (see whatdoesmysitecost.com).

    Evaluate the Weight of my Web Page

    In February 2016, the average weight of 100 most visited websites in the world was 1,38MB.

    How to reduce the weight of my page?

    You can report to our "Data amount" category to discover the possible optimizations in your case. Images are often involved.
    Moreover, make sure to build your web pages in order to load data that is essential to the user experience (rendering optimization of the critical path).
    For other contents (social networking plugins, advertising, content at the bottom of the page ...), it is better to delay the loading (asynchronous, lazy-loading ...), so they don't override priority contents.

    We strongly recommend that you define performance budgets before you carry out your web projects. These budgets can be settled through the Dareboost monitoring feature.

    We have established the weight distribution of the page by resource type:

    • Images : 35,28% of total weight
    • Font : 32,82% of total weight
    • JavaScript : 17,79% of total weight
    • Texts : 7,52% of total weight
    • CSS : 6,60% of total weight

    Here is the weight of the 10 heaviest resources over the network, and that are necessary to load the page:

    Read more

    This page contains 23 links

    Two kind of links exist:

    • Internal links that refer to pages with the same domain name;
    • External links that point to other websites (must be relevant and point towards quality content).

    If you reference many links, you can ask the SEO crawlers to consider only some of them, by adding the rel=nofollow attribute to the irrelevant ones (e.g., advertisements).

    Here is the distribution of 23 links present in the page:

    • 21 internal links (91,30%)
    • 2 "follow" external links (8,70%)
    • No "nofollow" external link (0,00%)

    Read more

    7 resources on this page are for public use

    By default, the browser accepts to perform AJAX requests, or to retrieve web fonts, only on the same domain name of the page. So a font provided by toto.com can only be used by the pages of toto.com. This prevents misuse of your resources by any site.

    Some resources are public, and explicitly want to be available to everyone (eg Google Fonts). In this case, the HTTP header Access-Control-Allow-Origin can be used with the value "*". You should, however, use this property if your resource has aimed to be used by the greatest number. Otherwise, we recommend that you keep the default, or set a specific domain name in the "Access-Control-Allow-Origin" HTTP header.

    You should be aware of the following resources, that use a Access-Control-Allow-Origin: * HTTP header. Make sure they are actually intended to be used by pages from all domain names:

    It appears these files are hosted by a third-party, so they may not be within your control. However, you should consider any alternative to these resources to improve your page performance.

    Read more

    Well done, these best practices are respected

    Browser rendering 


    Your HTML response is not too heavy

    Why reduce the code amount of a page?

    Before a web page can be displayed, the browser must, among other things, download it, parse it and model it into a document that can be understood by the rendering engine. If the amount of code contained in the page is too large, these steps are slowed down and the rendering is delayed.

    How to reduce the amount of code?

    Your HTML response should contain only the information that is immediately necessary to display the visible area of the page. Move inline information to external files (JS for scripts, CSS for styles, asynchronous queries for additional content) and simplify the HTML structure of your page.

    Read more


    No empty element detected

    <p>, <li>, <button>, <legend>, <caption>, <figcaption> and <quote> elements must not be empty because if they are, some screen readers will have difficulties interpreting their presence.

    Remove these empty elements from you code or decorate them with the aria-hidden attribute so that the screen readers ignore them.

    <p aria-hidden="true"></p>

    Read more


    Your <img> tags use an alt attribute

    Moreover, the alt attribute is also an important criterion for SEO. Indeed, search engines crawlers cannot parse graphic contents. That is why they use the alternative text to return consistent results, like in Google images.

    <img src="product.jpg" alt="My product description"/>

    The alt attribute is used in several cases unrelated to SEO:

    • When a screen reader is in use for accessibility purposes;
    • While image is loading, particularly for slow connections;
    • When the image file is not found.

    You have 1 img tag that defined the alt attribute.

    If nothing seems appropriate for describing an image, you might set an empty text. We advise you to make sure the majority of your images define a relevant text. Read the W3C recommendations here.

    Read more


    This page defines <h1> and <h2> tags

    We recommend putting page keywords in at least the h1 and h2 tags. Search engines use the h1, h2, and h3 tags for SEO purposes.
    This page contains:

    • 1 <h1> element(s)
    • 8 <h2> element(s)

    Read more


    No frameset, frame and noframes tags detected

    These tags are obsolete, due to several issues related to the navigation consistency, SEO or browsers' bookmark features for example.

    None of these tags is detected on this page.

    The use of the iframe tag is prefered.

    Read more


    This page uses only standard image formats

    The images that use a non-standard format may not be indexed by search engines.

    Only these image formats are considered standard on the web: jpeg, jpg, png, gif, svg, ico, webp. You should consider an alternative to any other format.

    Moreover, remember to treat the text around your images: some search engines analyze approximately the 10 words preceding and following the image in order to add a context to the image.

    Read more