Website analysis: new checks in our test reports

Update: as announced 2 weeks ago, we have updated  the quality checks on Dareboost on December 12.

Save the date! From December 12, new quality checks will enrich our website analysis tool. This post aims to introduce those new quality tests. This is a major update, with numerous new tests and also improvements for existing ones. Expect your Dareboost score to change on December 12! Let’s discover the changes and hopefully this will be an opportunity for you to fix some issues even before the update.

New tests about SSL certificates

Symantec’s PKI (Public Key Infrastructure) operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL. It has been brought to the community’s attention that the certificates issued by these companies do not meet the industry’s requirements. Symantec will stop to operate as a PKI on December, 1 2017

From April 2018, Chrome will consider as invalid Symantec’s certificates issued before June 1, 2016. Dareboost will warn you and apply a major penalization if you’re still using a Symantec’s certificate one month before this deadline.

Whoever is the issuer of the certificate, Dareboost will also warn you when a certificate is about to expire (in less than 3 weeks for certificate validity duration superior to 3 months). With this safeguard, you won’t risk to forget the renewal.

You may know we’ve been promoting HTTPS usage for a while. With this next update, the penalization for websites still using unsecure HTTP will double.

HTML source code: keep it light!

To display a web page, the HTML source code is the first thing the web browsers download, parse and model. If the amount of code contained in the page is too large, these steps are slowed down and the rendering is delayed.

With our next update, we will start checking the sizes of your HTML page. “Sizes” is plural, as we’ll check both the compressed (eg: gzip) and the uncompressed size.
Having a compressed size superior to 200kB will be considered as a major issue. Same goes for an uncompressed size superior to 1MB.

Unsupported jQuery versions

jQuery 1.X is not supported anymore. For websites using one of these versions, we recommend – at least – to switch to the last one available on the 1.X branch: jQuery 1.12.
Even if it’s not supported either, it fixes many bugs and security issues. Still, the ideal solution would be to switch to the latest major version (or to use another up-to-date framework).

Securing relative links with the base element and base-uri CSP directive

We’ve wrote extensively about Content Security Policy on this blog as a way to protect your visitors from the effect of an XSS attack.
Pages including relative links could be hijacked in such an attack. Dareboost will start advising to use the <base> element for pages using relatives links. That’s only a first step, and an attacker could still change the base value if there is an XSS breach (or add another <base> tag).
To prevent this, you can enforce the <base> href attribute’s value by using the base-uri CSP directive.

Dareboost will make sure for you that you’re using required protections when relatives links are used on your pages.

Keep your pages friendly for text to speech apps

Having a page accessible to all is a matter of common sense. That’s also a legal obligation in more and more countries.

Most text-to-speech software have trouble when trying to vocalize empty HTML elements. We’ll add new quality checks to detect problematic HTML tags.

GIF files, to be used wisely

You may have already seen our recommendation to use PNG ou JPEG formats for non-animated GIF images. We will add a new chek, this time on animated GIF.
MP4 support is now almost universal, so Dareboost will recommend to use the video format rather than GIF, for file sizes over 100KB.

Dozens of improvements for existing quality checks

We have improved and added some details for some best practices (thanks to all the users sending feedback!). We will also adjust the penalty applied for some quality checks, to make the priorities in our report always more relevant.

The perimeter of several best practices will also be expanded: client-side redirects, images lazy-loading, meta viewport usage, flash usage, etc.

We will detect SPOF for the following list of third-party content providers:

• ajax.aspnetcdn.com
• ajax.microsoft.com
• cdn.cleverbot.io
• cdn.gruntjs.com
• cdnjs.cloudflare.com
• fb.me
• jsdelivr.net
• vjs.zencdn.net
• maxcdn.fontfamous.com
• perfbar.khalidlafi.com.global.prod.fastly.net
• twemoji.maxcdn.com

We have also fixed the X-Content-Type-Options check to ignore images, as the spec of the header has evolved. Thanks to @nhoizey and @etportis for pointing that out.

We will extend our recommendation to use a caching system when we’re detecting a very slow server response time (superior to 3 seconds) . This test was previously applied only for WordPress and Prestashop CMSs.

Finally, all checks for accessibility best practices will be based on the DOM rather than the HTML source code, as most of the software and devices now support Javascript.

Update will be live on December 12.

On December 12, we will release the update on dareboost.com and send an email to all our users.

You will probably notice some changes on your scores. But don’t worry, an event will be automatically added on your monitoring history to keep track of the update. Email alerts that would be sent this day (related to a score regression) will also point out the update.