88 checks,<br>nothing hidden

Imagine sending a letter to your friend. HTTPS is like sealing it in an envelope with a secret code, so nobody can read it along the way. Without HTTPS, anyone on the network can spy on what visitors do on the site.

The SSL certificate is like the site's ID card. It proves the site is who it claims to be and that communication is encrypted. It has an expiry date, like a passport.

When a visitor types the site address without "https://" at the start, this check verifies the site automatically redirects them to the secure version. It's like a doorman guiding people to the main entrance.

HSTS tells the browser: "This site must ALWAYS be visited over HTTPS, never HTTP". The browser remembers this and blocks any unsecured access attempt, even if someone tries to hijack the connection.

These are hidden instructions in the server response that tell the browser how to protect itself. For example: "don't display this site inside another site's frame" or "don't guess file types". They are the site's security rules.

CSP is like a guest list for your site. It tells the browser: "Only load scripts from these approved sources". This prevents attackers from injecting malicious code into your pages.

Imagine someone creates a fake "order" button on their site, and clicking it triggers a real order on another site where you're logged in. The CSRF token is a secret code in forms that prevents this.

The robots.txt file tells search engines which pages they can visit. This check ensures it doesn't accidentally block the entire site and doesn't reveal sensitive paths to malicious actors.

Admin pages such as "/admin" or "/wp-admin" give full access to site management. This check verifies whether these pages are accessible without authentication.

Files like ".env" or ".git/HEAD" contain very sensitive information: database passwords, secret API keys, source code. This check ensures they are not publicly accessible.

European GDPR law requires sites to ask permission before installing cookies (small tracking files) on visitors' computers. This check detects whether a consent banner is present.

Subdomains are addresses like "mail.yourdomain.com" or "dev.yourdomain.com". This check lists active subdomains that respond, giving a picture of the site's infrastructure.

Some sites display in their code which version of WordPress, PHP or other software they use. It's like publicly announcing which lock you have, so thieves can find the right key.

If an email address is written in plain text in the HTML code, automated bots harvest it and add it to spam lists. This check detects whether emails are exposed this way on the page.

The A record is like the site's postal address. When someone types "yoursite.com" in their browser, the DNS system looks up this record to find the IP address of the server hosting the site.

Your domain name is rented, not bought forever. It must be renewed every year (or every X years depending on the contract). This check shows how much time remains before the address expires.

MX records tell the world's email servers where to send messages addressed to your domain. Without them, emails sent to "contact@yoursite.com" will go nowhere.

SPF is an authorisation list for emails. It says: "Only these servers are allowed to send emails on behalf of yoursite.com". This prevents attackers from sending fraudulent emails pretending to be you.

DKIM adds a digital signature to every email you send, like a wax seal on a letter. Email servers can verify the email really came from you and wasn't tampered with along the way.

DMARC is the conductor of email security. It tells receivers what to do if an email claims to come from your domain but fails SPF or DKIM checks: "reject it" or "quarantine it". It also sends you reports.

BIMI allows your company logo to appear directly in email clients (like Gmail) next to your sender address. It's like having an official badge that makes your emails instantly recognisable.

A DNS zone transfer (AXFR) allows a secondary server to copy all DNS records. If a server accepts this request from anyone (not just authorised servers), it exposes the entire DNS map.

TTL (Time To Live) tells DNS servers how long they should remember your site's address before re-checking it. Like an expiry label: after this time, they must re-verify.

NS servers are the "directories" that answer DNS questions about your domain. Having at least two NS servers ensures that if one goes down, the other takes over.

The CAA record specifies which certificate authorities (like Let's Encrypt) are allowed to issue an SSL certificate for your domain. It's a whitelist for certificate issuers.

"www.yoursite.com" and "yoursite.com" are technically two different addresses. This check ensures both redirect to the same canonical URL, so visitors always end up in the same place.

International organisations maintain blacklists of IP addresses known for sending spam or distributing malware. This check verifies whether your server's IP appears on these lists.

This check resolves the IP address of the server hosting the site. It's basic information useful for diagnosing connection problems or identifying the hosting provider.

DNSSEC adds a digital signature to DNS responses. It's like an official seal guaranteeing the response hasn't been tampered with. Without DNSSEC, an attacker could redirect visitors to a fake site.

Typosquatting involves registering domain names similar to yours with a typo (e.g., "gooogle.com"). This check detects whether similar domains exist and could mislead your visitors.

The PTR record does the reverse DNS lookup: starting from an IP address, it finds the domain name. It's like looking up "who owns this phone number". It's especially important for mail servers.

The title tag is the text appearing in the browser tab and as the first clickable link in Google results. It's the first thing people read to decide whether to click on your site.

The meta description is the 2-3 line text appearing below the title in Google results. It doesn't directly improve rankings, but greatly influences whether people click on your link.

The H1 tag is the main visible title on the page (different from the title in the browser tab). It tells Google and visitors what the page's main topic is. There should be only one per page.

H1, H2, H3… headings structure content like a table of contents. H1 is the main title, H2 are chapters, H3 are sub-sections. Jumping from H1 to H3 without H2 is like skipping chapters in a book.

The XML sitemap is a list of all the site's pages, formatted for search engines. It's like giving Google a detailed floor plan so it can explore everything quickly and easily.

This check ensures the robots.txt file declares the sitemap address. Google and other search engines check robots.txt on their first visit and can then find the sitemap directly.

The canonical tag tells Google: "This page is the official version". If the same page is accessible at multiple URLs (with www, without, with parameters…), the canonical prevents Google from treating them as duplicate content.

Open Graph tags control how the site appears when someone shares it on Facebook, LinkedIn, WhatsApp or X: title, description, preview image. Without them, sharing looks like anything.

Structured data is special code that tells Google the type of content on the page: article, product, recipe, FAQ, business… Google can then display "rich results" with stars, prices or FAQs directly in search results.

The alt attribute is alternative text for images. It's read by screen readers for visually impaired users, and used by Google Images to understand the image subject and index it in results.

If the site is in multiple languages, hreflang tags tell Google which version to show to which country. Without them, Google may show the wrong language to the wrong audience.

Internal links are links pointing from one page of the site to another page on the same site. They help visitors navigate and allow Google to discover and rank all pages.

A broken link (or "dead link") is a link pointing to a page that no longer exists (404 error). This check tests external links on the homepage to detect ones that no longer work.

The "noindex" tag on a page tells Google not to index it, therefore not to display it in search results. This is sometimes intentional (admin pages), but catastrophic if mistakenly applied to important pages.

Google measures site speed on mobile and gives it a score from 0 to 100 (PageSpeed Insights). This score reflects the real user experience: display time, layout stability, responsiveness.

Google Search Console is a free Google tool for monitoring how the site appears in results, submitting sitemaps, seeing which keywords bring traffic, and being alerted to technical issues.

The breadcrumb is the "Home > Category > Article" navigation visible at the top of pages. By structuring it with JSON-LD, Google can display it directly in results, taking up more space and attracting more attention.

In France, all professional sites must have legal notices. Terms and conditions are mandatory for e-commerce. A privacy policy is required by GDPR as soon as the site collects personal data.

This check ensures the sitemap URL declared in robots.txt is accessible and belongs to the correct domain. It's the coherence between two files that must point in the same direction.

This check analyses the sitemap content itself: are all URLs in HTTPS? Do they all point to this domain? Is the homepage included? Are any pages inaccessible?

TTFB (Time To First Byte) measures the time between the browser requesting the page and the first byte of response arriving. It's like measuring how long a server takes to "pick up the phone".

Compression reduces the size of HTML, CSS and JavaScript files before sending them to the browser, like compressing a ZIP file. The browser decompresses it instantly upon receipt.

HTTP cache tells the browser to remember files (CSS, JS, images) so it doesn't re-download them on every visit. It's like remembering the route so you don't have to re-check GPS every trip.

A CDN (Content Delivery Network) is a network of servers distributed worldwide. Instead of serving files from a single server, the CDN serves them from the server closest to the visitor.

Lazy loading means images only download when the visitor is about to see them while scrolling. Images far down the page aren't unnecessarily loaded at the start.

This check measures the weight of the main page's HTML code. The lighter the HTML, the faster the page loads. This doesn't count linked images and CSS, just the HTML document itself.

When a browser loads a page and encounters a script without "async" or "defer", it stops and waits for that file to download before continuing. It's like blocking the entire checkout queue.

When accessing a URL, the server may redirect to another URL. If that new URL in turn redirects to a third, it's a redirect chain that slows down navigation.

Preloading lets you tell the browser early: "You'll need this font or CSS, start downloading it now". Resources are ready well before they're needed.

HTTP/2 is the modern version of the communication protocol between browsers and servers. It allows downloading multiple files simultaneously (multiplexing), whereas HTTP/1.1 could only handle one at a time.

A Service Worker is a script running in the browser's background, allowing a web app to work offline, show push notifications, and behave like a mobile app (PWA).

Minification removes unnecessary spaces, line breaks and comments from HTML, CSS and JavaScript code. The result is identical for the browser but more compact, reducing file size.

When a site loads fonts from Google Fonts, text display may be blocked until the font fully downloads (FOIT). The CSS property "font-display: swap" avoids this by showing a system font first.

WebP and AVIF are new image formats that compress much better than JPEG or PNG: a WebP image weighs 30-50% less for the same visual quality. AVIF is even more efficient but less supported.

Each CSS, JavaScript or image file requires a separate HTTP request to the server. Even with HTTP/2, a very large number of requests slows loading. This check counts referenced resources.

This check ensures the site responds with HTTP code 200, meaning "all good, here's the page". A 500 code means a server error, 503 means the service is unavailable.

The viewport tag in the HTML code tells mobile browsers to adapt the page to screen size. Without it, the site displays as a shrunken desktop version on phones, requiring zooming to read anything.

The lang attribute on the main HTML tag (<html lang="en">) indicates the content language. Browsers and screen readers use it to choose the right pronunciation and adapt the interface.

The favicon is the small icon appearing in the browser tab, in bookmarks, and on mobile home screens when the site is added as a shortcut. It's the site's first visual brand marker.

This check looks for contact information (phone, email, address) on the homepage. It's an important trust signal for visitors wanting to reach the business.

The SIRET is the unique identification number of a business in France (14 digits). It must appear in the legal notices of any business or commercial site. It's like the company's ID card number.

The privacy policy explains to visitors what personal data is collected, why, and how it's used and protected. It's mandatory as soon as a site collects data (even just the IP address).

This check measures whether the page contains HTML content visible without JavaScript. Some sites (React, Vue, Angular apps) generate all content via JavaScript, which can be problematic for Google's crawlers.

Keyboard navigation allows using a site by pressing Tab to move between elements and Enter to click. It's essential for people who cannot use a mouse.

ARIA (Accessible Rich Internet Applications) attributes add information about elements' roles and states for assistive technologies. For example: "this button opens a navigation menu".

Icons (arrows, logos, pictograms) should either be hidden from screen readers (if decorative) with aria-hidden="true", or labelled with aria-label if they carry meaning (e.g., a close button).

Flash was a technology from the 2000s for browser animations. It was discontinued in 2020 and is no longer supported by any modern browser or mobile device. It's a dead technology.

This check looks for recent years in the page content (in text, copyright dates, articles…) to estimate whether the site is regularly updated or appears abandoned.

This check identifies the technology used to build the site (WordPress, Shopify, Next.js, custom code…) by analysing the HTML code, response headers, and cookies.

Some servers display their exact version in HTTP headers (e.g., "Apache/2.4.51" or "PHP/8.1.2"). This check verifies whether the precise server or PHP version is publicly exposed.

When a visitor accesses a non-existent page, the server should return HTTP code 404. Some sites return 200 (success) even for non-existent pages: this is a "soft 404" that confuses Google's crawlers.

When a visitor lands on a non-existent page, a custom 404 page helps them stay on the site (with navigation, suggestions, a link to the homepage). Without it, the visitor sees "404 Not Found" and leaves.

This check tests links pointing to other sites from the homepage, to ensure they still work. Sites change and links can become invalid over time.

Google Safe Browsing is a database of dangerous sites (malware, phishing). This check verifies whether the site is flagged. If so, visitors see a red warning page before accessing it.

Third-party trackers are scripts from Google Analytics, Meta Pixel, LinkedIn Insight, etc. installed on the site to measure visits or target advertising. This check identifies them.

This check detects whether the site contains links to social media profiles (Facebook, LinkedIn, Instagram…). It's useful information for evaluating the company's online presence.

This check detects whether Google Maps is embedded on the site, which is typical of local businesses wanting to show their location to customers. For an online tool, this is generally not applicable.