Category
Fix Guides
Step-by-step guides to diagnose and fix real website trust, security, SEO, performance and accessibility issues.
Category
Step-by-step guides to diagnose and fix real website trust, security, SEO, performance and accessibility issues.
security.txt is a standard (RFC 9116) file that tells security researchers how to report vulnerabilities responsibly. Its absence means wel…
TLS 1.0 and 1.1 are deprecated and vulnerable to known attacks. Browsers no longer support them by default, but servers that still accept t…
Brotli compresses text assets smaller than Gzip with no visible change to users. Most CDNs enable it automatically; origin servers may need…
DNSSEC adds cryptographic signatures to DNS responses so resolvers can detect forged or tampered answers. It is an advanced hardening step…
Broken internal links send visitors and search crawlers to dead pages. They usually appear after renaming URLs, deleting content, or typos.…
A DNS resolution issue means the domain name does not map to a reachable IP address — visitors may see errors, and scanners cannot complete…
Duplicate content splits ranking signals across multiple URLs — www vs non-www, HTTP vs HTTPS, trailing slashes, tracking parameters, and p…
Duplicate or missing title tags make pages compete with each other in search and waste your best chance to earn clicks. Each page needs its…
Email authentication is a three-layer stack — SPF authorises senders, DKIM signs messages, DMARC enforces policy and reports abuse. This gu…
Backup files left in public web directories are a goldmine for attackers — full database dumps, WordPress config with passwords, and site a…
phpMyAdmin and similar database admin panels give full control over your database. When publicly accessible without IP restriction, they ar…
Layout shift happens when something loads late and pushes content down — images without dimensions, ads, cookie banners, and web fonts are…
Forms without labels, clear errors, or logical structure block screen reader users and confuse everyone. Accessible forms are better forms…
Keyboard users — including people with motor disabilities and power users — rely on Tab, Enter, Space, and arrow keys. Broken focus order,…
A visible way to contact you is a baseline trust and credibility signal. Its absence looks like a scam or an abandoned site, hurts conversi…
DKIM adds a cryptographic signature to outgoing mail. Receiving servers verify it against a public key in your DNS. Without DKIM, messages…
A missing HSTS header means browsers can still be tricked into connecting to your site over insecure HTTP, even after you have installed HT…
Images without alt text are invisible to screen reader users and weaken SEO for image-heavy pages. Adding concise, accurate descriptions is…
Without a meta description, search engines guess a snippet from page content — often poorly. A written description is your ad in the result…
Without a Referrer-Policy, browsers may send your full URLs — including query strings that can contain sensitive data — to third-party site…
Structured data labels your content in a machine-readable format so search engines and AI can interpret it accurately — enabling rich resul…
Terms & Conditions (also called Terms of Service or Terms of Use) form the contract between you and your visitors or customers. Missing ter…
Without X-Content-Type-Options: nosniff, browsers may guess a file's type and, for example, treat an uploaded image as JavaScript — a route…
Without X-Frame-Options (or a CSP frame-ancestors directive), an attacker can load your site inside an invisible frame on their own page an…
Missing canonicals let search engines guess which URL to index. Incorrect canonicals — pointing at the wrong page, the homepage, or HTTP UR…
Mixed content happens when an HTTPS page loads some resources over insecure HTTP. Browsers warn about or block these, weakening security an…
When directory listing is enabled, visiting a folder URL without an index file shows a browsable list of every file inside — backups, confi…
Low contrast — light grey text on white, or white text on pale buttons — is hard to read for many users and fails WCAG. Fixing it is usuall…
Core Web Vitals are Google's three real-user experience metrics. Failing any one can hurt page experience signals. This guide helps you ide…
INP measures how quickly the page responds to user input throughout the visit. Poor INP feels laggy — buttons slow to react, scrolling stut…
LCP measures when the largest visible content paints. A slow LCP means users wait too long to see what matters. Almost always the fix is fa…
A redirect chain happens when URL A redirects to B, which redirects to C. Each hop wastes crawl budget, slows users, and dilutes SEO signal…
Scripts and styles in the head block rendering until they download and parse. Deferring non-critical assets lets the browser paint sooner —…
TTFB is the delay before the first byte arrives — DNS, connection, TLS, and server work. High TTFB caps how fast everything else can be. Th…
A soft 404 is a page that says "not found" or is effectively empty but returns HTTP 200. Google may index these as thin, useless pages, blo…
Oversized images are the most common performance problem on content sites. Fixing them is usually the fastest path to better LCP and PageSp…
Trust signals are the cues that tell a first-time visitor your site is legitimate and safe. When few are present, the scanner flags "Limite…
CAA (Certification Authority Authorization) records tell certificate authorities which ones may issue TLS certificates for your domain. Add…
A missing Content Security Policy means the browser will run any script that ends up on your page, including injected ones — the core of mo…
A cookie policy explains what cookies your site uses and why; a consent banner collects permission before non-essential cookies load. Missi…
DMARC builds on SPF and DKIM with an enforceable policy and reporting. Without it, receivers have no standard instruction for handling spoo…
The lang attribute tells screen readers which pronunciation rules to use and helps search engines understand your content's language. Missi…
If your site serves content over both HTTP and HTTPS, visitors and search engines can end up on the insecure version. A 301 redirect from H…
Permissions-Policy tells browsers which powerful APIs (camera, microphone, geolocation, payment) your pages and embedded iframes may use. W…
If your site has a contact form, newsletter, analytics or any tracking, you collect personal data and almost certainly need a privacy polic…
SPF tells receiving mail servers which servers are allowed to send email using your domain. Without it, spoofing is easier and legitimate m…
Without a sitemap, search engines rely entirely on following links to discover pages — slow for new sites and easy to miss important URLs.…
robots.txt is the first file many crawlers request. Without it, search engines lack crawl guidance and may not discover your sitemap effici…
Slow websites lose visitors and rank worse. The fix is not one magic setting — it is a short, prioritised checklist. This guide orders the…
An expired certificate triggers a full-page browser warning that blocks most visitors. The fix is to renew and reinstall it, ideally with a…
A publicly reachable .env file exposes database credentials, API keys and application secrets to anyone who guesses the URL. This is a crit…
When the /.git directory is web-accessible, attackers can reconstruct your source code and browse commit history — often finding old API ke…
Without caching, every visit re-downloads everything. Correct Cache-Control headers tell browsers and CDNs how long to reuse files — free s…
Screen readers convert your page structure into speech. Div soup, missing headings, unlabeled controls, and dynamic updates without announc…
Automated scans catch many issues but not everything. A short manual test pass after fixing findings ensures keyboard, screen reader, and c…