`no-protocol-relative-urls` warns against using scheme-relative URLs (commonly known as protocol-relative URLs).
Particularly for web sites/apps served over HTTP, using protocol-relative URLs can have some drawbacks, which among others include:

- If the web site/app is served over HTTP, then for every protocol-relative URL whose host does support HTTPS and:
  - does redirect to it (e.g. most CDNs), the load time will be longer than if the request had been made directly to the `https://` version of the URL.
  - does not redirect to it, you may be missing out on things such as Brotli compression and HTTP/2 that browsers only support over HTTPS.
- Especially if protocol-relative URLs are used for CDN links, their domain is not in the browser's HSTS preload list, and the first request is not made over HTTPS, there is a high risk of man-in-the-middle attacks. Of course, if the web site/app is served over HTTP it is already exposed to those types of attacks, but in general CDNs constitute a high-value target, and therefore are much more likely to be attacked than most of the individual sites that use them.
The rule checks for protocol-relative URLs.
Note: Currently the rule does not check for protocol-relative URLs inside stylesheets and scripts.
Example that triggers the rule:

```html
<link rel="stylesheet" href="//example1.com/style.css">
```

Example that passes the rule, if example1.com does not support HTTPS:

```html
<link rel="stylesheet" href="http://example1.com/style.css">
```
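The check described above, as an added example that is not webhint's own implementation: a small scanner that finds protocol-relative URLs in HTML attributes and a rewrite that pins them to an explicit scheme. The attribute list, the function names and the sample markup are assumptions made for this example.

```javascript
// Added example, not webhint's own code: scan HTML attributes for
// protocol-relative URLs and rewrite them to an explicit scheme. The attribute
// list and the sample markup below are assumptions, not taken from the page.
const URL_ATTRIBUTES = ['href', 'src', 'action', 'poster', 'data'];

// Matches attr="value", attr='value' or attr=value for those attributes.
const ATTR_RE = new RegExp(
  `\\b(${URL_ATTRIBUTES.join('|')})\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'gi');

// Two leading slashes mean scheme-relative. Surrounding whitespace is ignored
// (the URL parser strips it) and a backslash counts as a slash for http(s)
// URLs, so "\\cdn.example/x" resolves exactly like "//cdn.example/x".
function isProtocolRelative(url) {
  return /^[\/\\]{2}/.test(url.trim());
}

// Detection: every protocol-relative URL in the markup, with its attribute.
function findProtocolRelativeUrls(html) {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const url = m[2] ?? m[3] ?? m[4] ?? '';
    if (isProtocolRelative(url)) findings.push({ attribute: m[1].toLowerCase(), url });
  }
  return findings;
}

// Mitigation: rewrite "//host/path" (or "\\host/path") to "<scheme>://host/path",
// keeping the attribute's original quoting and leaving other values untouched.
function pinScheme(html, scheme = 'https') {
  return html.replace(ATTR_RE, (_, attr, dq, sq, bare) => {
    const raw = dq ?? sq ?? bare ?? '';
    const fixed = isProtocolRelative(raw) ? `${scheme}://${raw.trim().slice(2)}` : raw;
    const q = dq !== undefined ? '"' : sq !== undefined ? "'" : '';
    return `${attr}=${q}${fixed}${q}`;
  });
}

// Constructed sample: one explicit https URL, one root-relative path, and two
// protocol-relative URLs (the second written with backslashes).
const SAMPLE_HTML = `
<link rel="stylesheet" href="//cdn.example/style.css">
<script src="https://cdn.example/app.js"></script>
<img src="/img/logo.png" alt="logo">
<a href='\\\\cdn.example/download'>download</a>
`;
```

Like the rule itself, this only inspects markup attributes, not URLs inside stylesheets or scripts; `findProtocolRelativeUrls(SAMPLE_HTML)` reports the `<link>` and `<a>` entries, and `pinScheme(SAMPLE_HTML)` rewrites both to `https://` while leaving the other two attributes as they are.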