meta-charset-utf-8 warns against not declaring the character encoding
The character encoding should be specified for every HTML page, either by using the charset parameter on the `Content-Type` HTTP response header (`Content-Type: text/html; charset=utf-8`) and/or using the charset meta tag in the file.
Sending just the `Content-Type` HTTP header is in general ok, but it’s usually a good idea to also add the charset meta tag because:
- Server configurations might change (or servers might not send the charset parameter on the `Content-Type` HTTP response header).
- The page might be saved locally, in which case the HTTP header will not be present when viewing the page.
For the charset meta tag, `<meta charset="utf-8">` should be used:
- It is backwards compatible and works in all known browsers, so it should always be used over the old `<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">`.
- The `charset` value should be `utf-8`, not other values such as `utf8`. Using `utf8`, for example, is a common mistake, and even though it is valid nowadays as the specifications and browsers now alias `utf8` to `utf-8`, that wasn’t the case in the past, so things might break in some older browsers. The same may be true for other agents (non-browsers) that may scan/get the content and may not have the alias.
- It must be inside the `<head>` element and within the first 1024 bytes of the HTML, as some browsers only look at those bytes before choosing an encoding.

Moreover, it is recommended that the meta tag be the first thing in the `<head>`. This ensures it is before any content that could be controlled by an attacker, such as a `<title>` element, thus avoiding potential encoding-related security issues (such as the one in old IE).
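The requirements above (exact `utf-8` value, no `http-equiv` form, first thing in `<head>`, within the first 1024 bytes) can be checked with a small Node.js function. This is an added example, not the rule's own implementation; the name `checkMetaCharset`, the finding codes and the sample documents are constructed for illustration, and it assumes `charset` is the tag's first attribute.

```javascript
// Added example: a simplified check, not the rule's own implementation.
// Takes an HTML document (string or Buffer) and returns finding codes.
function checkMetaCharset(html) {
  // latin1 maps one byte to one character, so string indexes are byte offsets.
  const text = Buffer.from(html).toString('latin1');
  const findings = [];

  const head = /<head(?:\s[^>]*)?>/i.exec(text);
  if (!head) return ['no-head'];
  const headEnd = head.index + head[0].length;

  // Assumption: charset is the first attribute of the tag. This keeps the
  // "charset=" inside a legacy content="..." value from matching.
  const meta = /<meta\s+charset\s*=\s*["']?([^"'\s\/>]*)["']?[^>]*>/i.exec(text);
  if (!meta) {
    const legacy = /<meta\s[^>]*http-equiv\s*=\s*["']?content-type/i.test(text);
    return [legacy ? 'http-equiv-used' : 'charset-missing'];
  }

  // Compared case-insensitively (an assumption); "utf8" is the common mistake.
  if (meta[1].toLowerCase() !== 'utf-8') findings.push('value-not-utf-8');

  // Anything but whitespace between <head> and the tag means it is not first.
  if (meta.index < headEnd || text.slice(headEnd, meta.index).trim() !== '') {
    findings.push('not-first-in-head');
  }

  // The whole tag has to end within the first 1024 bytes of the document.
  if (meta.index + meta[0].length > 1024) findings.push('outside-first-1024-bytes');
  return findings;
}

// Constructed sample documents, one per case described above.
const SAMPLES = {
  ok: '<!doctype html><html><head>\n  <meta charset="utf-8">\n  <title>t</title></head></html>',
  alias: '<html><head><meta charset="utf8"><title>t</title></head></html>',
  legacy: '<html><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"></head></html>',
  afterTitle: '<html><head><title>t</title><meta charset="utf-8"></head></html>',
  // 520 two-byte characters push the tag past byte 1024 but not past character 1024.
  late: '<html title="' + 'é'.repeat(520) + '"><head><meta charset="utf-8"></head></html>',
};

for (const [name, doc] of Object.entries(SAMPLES)) {
  console.log(name, checkMetaCharset(doc));
}
```

The `late` sample shows why the limit has to be measured in bytes: the tag starts at character 541 but at byte 1061.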
The rule checks if `<meta charset="utf-8">` is specified as the first thing in the
The character encoding is not specified in
The character encoding is specified using the
charset value is not
meta charset is not the first thing in