`no-http-redirects` checks if there are any HTTP redirects in the page sonarwhal is analyzing.
The following is a simplified version of what happens when the user requests a URL in a browser:
1. DNS lookup: translate the domain to an IP address. If the browser doesn’t know it, it has to ask a DNS server, which in some cases involves multiple queries until the final IP is obtained.
2. Open a [TCP connection][wikipedia-tcp-establishement] to that IP address and request the URL.
3. The server responds to that request by sending some content over the TCP connection. If the resource uses SSL, then TLS negotiation(s) happen as well.
When a redirect happens, the response in step 3 contains the new URL the browser needs to request, so the whole sequence is repeated. DNS lookups aren’t cheap, and neither is creating a TCP connection. The impact of redirects is even greater for mobile users, where network latency is usually higher.
As a rule of thumb, the more you can avoid redirects the better.
This rule checks:
- If the target URL passed to sonarwhal has any redirect. E.g.:
- If any resource in the page has any redirect. E.g.:
and alerts if at least one is found.
Examples that trigger the rule:
- Any URL passed to sonarwhal that redirects to another one
- Any page with a resource (script, css, image) behind a redirect
Examples that pass the rule:
- No redirect for resources nor the target URL.
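The following Node.js script is an added example, not sonarwhal's own implementation: it models the check the rule performs by following each URL's redirect chain over a constructed table of responses, and applies separate limits for the target URL and for resources. The response table, the URLs in it, and the option names `maxHtmlRedirects` / `maxResourceRedirects` are assumptions made for this example.

```javascript
// Added example, not sonarwhal's code: a model of the redirect check.
// The response table is constructed for illustration; a real check would
// record each actual HTTP response (status code plus Location header).
const responses = {
  'http://example.com/':            { status: 301, location: 'https://example.com/' },
  'https://example.com/':           { status: 200 },
  'https://example.com/app.js':     { status: 302, location: '/app.min.js' },
  'https://example.com/app.min.js': { status: 200 },
  'https://example.com/loop-a':     { status: 302, location: '/loop-b' },
  'https://example.com/loop-b':     { status: 302, location: '/loop-a' },
};

// Follow the chain from `url` the way a browser would: every hop repeats the
// DNS lookup, TCP connection and (on HTTPS) TLS handshake described above.
function redirectChain(url, table, maxHops = 20) {
  const chain = [url];
  let current = url;
  while (chain.length <= maxHops) {
    const resp = table[current];
    if (!resp) throw new Error(`no recorded response for ${current}`);
    if (resp.status < 300 || resp.status > 399 || !resp.location) break;
    // Location may be relative, so resolve it against the URL that sent it.
    const next = new URL(resp.location, current).href;
    if (chain.includes(next)) return { chain, hops: chain.length - 1, loop: true };
    chain.push(next);
    current = next;
  }
  return { chain, hops: chain.length - 1, loop: false, finalUrl: current };
}

// Report the target URL and every resource whose chain exceeds the allowed
// number of redirects. `maxHtmlRedirects` / `maxResourceRedirects` are assumed
// option names mirroring the rule's "N for the main URL, M for resources"
// limits; with both at 0 (the default) any redirect at all is reported, and a
// redirect loop is always reported regardless of the limit.
function checkPage(targetUrl, resourceUrls, table,
                   { maxHtmlRedirects = 0, maxResourceRedirects = 0 } = {}) {
  const findings = [];
  const inspect = (u, limit, kind) => {
    const result = redirectChain(u, table);
    if (result.loop || result.hops > limit) {
      findings.push({ url: u, kind, hops: result.hops, loop: result.loop });
    }
  };
  inspect(targetUrl, maxHtmlRedirects, 'target');
  for (const u of resourceUrls) inspect(u, maxResourceRedirects, 'resource');
  return findings;
}
```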
By default no redirects are allowed, but you can change this behavior.
The following rule configuration, used in sonarwhal's configuration file, will allow 3 redirects for resources and 1 for the main URL: