- Response Codes
- Internal No Response
- Internal Client Error (4XX)
- Internal Server Error (5XX)
- Internal Redirect Loop
- Internal Blocked by Robots.txt
- Internal Blocked Resource
- Internal Redirect Chain
- External Blocked Resource
- Internal Redirection (3XX)
- Internal Redirection (Meta Refresh)
- Internal Redirection (JavaScript)
- External No Response
- External Client Error (4XX)
- External Server Error (5XX)
- Security
- HTTP URLs
- Mixed Content
- Form URL Insecure
- Form On HTTP URL
- Missing HSTS Header
- Unsafe Cross Origin Links
- Protocol-Relative Resource Links
- Missing Content-Security-Policy Header
- Missing X-Content-Type-Options Header
- Missing X-Frames-Options Header
- Missing Secure Referrer-Policy Header
- Bad Content Type
- Hreflang
- Non-200 Hreflang URLs
- Missing Return Links
- Inconsistent Language & Region Confirmation Links
- Non-Canonical Return Links
- Noindex Returns Links
- Incorrect Language & Region Codes
- Multiple Entries
- Not Using Canonical
- Outside <head>
- Unlinked Hreflang URLs
- Missing Self Reference
- Missing X-Default
- JavaScript
- Noindex Only in Original HTML
- Nofollow Only in Original HTML
- Canonical Mismatch
- Uses Old AJAX Crawling Scheme URLs
- Uses Old AJAX Crawling Scheme Meta Fragment Tag
- Pages with Blocked Resources
- Contains JavaScript Links
- Contains JavaScript Content
- Page Title Only in Rendered HTML
- Page Title Updated by JavaScript
- Meta Description Only in Rendered HTML
- Meta Description Updated by JavaScript
- H1 Only in Rendered HTML
- H1 Updated by JavaScript
- Canonical Only in Rendered HTML
- Pages With JavaScript Errors
- Links
- Outlinks To Localhost
- Pages Without Internal Outlinks
- Non-Indexable Page Inlinks Only
- Internal Nofollow Outlinks
- Pages With High External Outlinks
- Pages With High Internal Outlinks
- Follow & Nofollow Internal Inlinks To Page
- Internal Nofollow Inlinks Only
- Pages With High Crawl Depth
- Internal Outlinks With No Anchor Text
- Non-Descriptive Anchor Text In Internal Outlinks
- AMP
- Non-200 Response
- Missing Non-AMP Return Link
- Missing Canonical to Non-AMP
- Non-Indexable Canonical
- Missing <html amp> Tag
- Missing/Invalid Doctype HTML Tag
- Missing Head Tag
- Missing Body Tag
- Missing Canonical
- Missing/Invalid Meta Charset Tag
- Missing/Invalid Meta Viewport Tag
- Missing/Invalid AMP Script
- Missing/Invalid AMP Boilerplate
- Contains Disallowed HTML
- Other Validation Errors
- Indexable
- PageSpeed
- Eliminate Render-Blocking Resources
- Properly Size Images
- Defer Offscreen Images
- Minify CSS
- Minify JavaScript
- Reduce Unused CSS
- Reduce Unused JavaScript
- Efficiently Encode Images
- Serve Images in Next-Gen Formats
- Enable Text Compression
- Preconnect to Required Origin
- Reduce Server Response Times (TTFB)
- Preload Key Requests
- Reduce JavaScript Execution Time
- Serve Static Assets With An Efficient Cache Policy
- Minimize Main-Thread Work
- Image Elements Do Not Have Explicit Width & Height
- Avoid Large Layout Shifts
- Avoid Serving Legacy JavaScript to Modern Browsers
- Avoid Multiple Page Redirects
- Use Video Format for Animated Images
- Avoid Excessive DOM Size
- Ensure Text Remains Visible During Webfont Load
- Accessibility
- Best Practice – Accesskey Attribute Value Must Be Unique
- Best Practice – Elements Must Not Have Tabindex Greater Than Zero
- Best Practice – ARIA Dialog & Alertdialog Require Accessible Name
- Best Practice – ARIA Treeitem Nodes Require Accessible Name
- Best Practice – Role=text Should Have No Focusable Descendants
- Best Practice – Form Elements Should Have Visible Label
- Best Practice – Frames Should Be Tested With axe-core
- Best Practice – Scope Attribute Should Be Used Correctly On Tables
- WCAG 2.0 A – Scrollable Region Requires Keyboard Access
- WCAG 2.0 A – Required ARIA Attributes Must Be Provided
- WCAG 2.0 A – ARIA Attribute Must Be Used As Specified For Role
- WCAG 2.0 A – ARIA Attributes Require Valid Values
- WCAG 2.0 A – ARIA Attributes Require Valid Names
- WCAG 2.0 A – ARIA Commands Require Accessible Name
- WCAG 2.0 A – ARIA Input Fields Require Accessible Name
- WCAG 2.0 A – ARIA Meter Nodes Require Accessible Name
- WCAG 2.0 A – ARIA Progressbar Nodes Require Accessible Name
- WCAG 2.0 A – ARIA Roles Must Be Contained By Required Parent
- WCAG 2.0 A – ARIA Roles Require Valid Values
- WCAG 2.0 A – ARIA Toggle Fields Require Accessible Name
- WCAG 2.0 A – ARIA Tooltip Nodes Require Accessible Name
- WCAG 2.0 A – Certain ARIA Roles Must Contain Specific Children
- WCAG 2.0 A – Aria-braille Require Non-braille Equivalent
- WCAG 2.0 A – Aria-hidden Elements Contains Focusable Elements
- WCAG 2.0 A – Aria-hidden=true Must Not Be Used In <body>
- WCAG 2.0 A – Elements Must Only Use Permitted ARIA Attributes
- WCAG 2.0 A – Elements Must Use Allowed ARIA Attributes
- WCAG 2.0 A – IDs Used In ARIA & Labels Must Be Unique
- WCAG 2.0 A – Page Requires Means To Bypass Repeated Blocks
- WCAG 2.0 A – Form <input> Elements Require Labels
- WCAG 2.0 A – Frames Require Title Attribute
- WCAG 2.0 A – Frames Require Unique Title Attribute
- WCAG 2.0 A – Frames With Focusable Content Must Not Use tabindex=-1
- WCAG 2.0 A – Page Must Contain <title>
- WCAG 2.0 A – HTML Element Lang Attribute Value Must Be Valid
- WCAG 2.0 A – HTML Element Requires Lang Attribute
- WCAG 2.0 A – Image Button Requires Alternate Text
- WCAG 2.0 A – Images Require Alternate Text
- WCAG 2.0 A – <object> Elements Require Alternate Text
- WCAG 2.0 A – Active <area> Elements Require Alternate Text
- WCAG 2.0 A – Elements Marked role=img Require Alternate Text
- WCAG 2.0 A – SVG Images & Graphics Require Accessible Text
- WCAG 2.0 A – <video> Elements Require <track> For Captions
- WCAG 2.0 A – <video> or <audio> Elements Must Not Auto-play
- WCAG 2.0 A – Buttons Require Discernible Text
- WCAG 2.0 A – Input Buttons Require Discernible Text
- WCAG 2.0 A – Links Require Discernible Text
- WCAG 2.0 A – Links Must Be Distinguishable
- WCAG 2.0 A – Select Element Requires Accessible Name
- WCAG 2.0 A – Summary Elements Require Discernible Text
- WCAG 2.0 A – Deprecated <marquee> Element Must Not Be Used
- WCAG 2.0 A – Interactive Controls Must Not Be Nested
- WCAG 2.0 A – List Items Must Be Contained In List Elements
- WCAG 2.0 A – Lists Must Only Contain <li> Content Elements
- WCAG 2.0 A – <dt> & <dd> Elements Must Be Contained by <dl>
- WCAG 2.0 A – <dl> Must Only Have Ordered <dt> & <dd> Groups
- WCAG 2.0 A – <blink> Elements Deprecated & Must Not Be Used
- WCAG 2.0 A – <th> Element Requires Associated Data Cells
- WCAG 2.0 A – Table Header Attr Must Refer To Cell In Same Table
- WCAG 2.0 AA – Meta Viewport Zoom & Scaling Disabled
- WCAG 2.0 AA – Lang Attribute Requires Valid Value
- WCAG 2.0 AA – Text Requires Higher Color Contrast to Background
- WCAG 2.0 AAA – Text Requires Higher Color Contrast Ratio
- WCAG 2.1 AA – Autocomplete Attribute Must Be Used Correctly
- WCAG 2.1 AA – Inline Text Spacing Must Be Adjustable
- WCAG 2.2 AA – Touch Targets Require Sufficient Size & Spacing
- Best Practice – Skip-link Target Should Exist & Be Focusable
- Best Practice – All Page Content Must Be Contained By Landmarks
- Best Practice – Page Requires One Main Landmark
- Best Practice – Page Must Not Have More Than One Banner Landmark
- Best Practice – Banner Landmark Must Not Be In Another Landmark
- Best Practice – Page Must Not Have Multiple Contentinfo Landmarks
- Best Practice – Page Requires At Most One Main Landmark
- Best Practice – Complementary Landmarks & Asides Must Be Top Level
- Best Practice – Contentinfo Landmark Must Be Top Level Landmark
- Best Practice – Main Landmark Must Not Be In Another Landmark
- Best Practice – Landmarks Require Unique Role Or Accessible Name
- Best Practice – Page Must Contain <h1>
- Best Practice – Heading Levels Should Only Increase By One
- WCAG 2.0 A – Form Field Must Not Have Multiple Label Elements
- WCAG 2.0 A – HTML Lang & XML Lang Value Should Match
- Best Practice – Ensure Elements Marked Presentational Are Ignored
- Best Practice – ARIA Role Should Be Appropriate For Element
- Best Practice – Headings Should Not Be Empty
- Best Practice – Meta Viewport Should Allow Zoom & Scale Up to 500%
- Best Practice – Alt Text Should Not Be Repeated As Text
- Best Practice – Table Headers Require Discernible Text
- Best Practice – Table With Identical Summary & Caption Text
- WCAG 2.0 A – Deprecated ARIA Roles Must Not Be Used
- WCAG 2.0 A – Server-Side Image Maps Must Not Be Used
- WCAG 2.0 AAA – Delayed Meta Refresh Must Not Be Used
- WCAG 2.0 AAA – Links With Same Accessible Name
Missing HSTS Header
URLs that are missing the HSTS response header. The HTTP Strict-Transport-Security response header (HSTS) instructs browsers that it should only be accessed using HTTPS, rather than HTTP.
If a website accepts a connection to HTTP, before being redirected to HTTPS, visitors will initially still communicate over HTTP.
The HSTS header instructs the browser to never load over HTTP and to automatically convert all requests to HTTPS.
How to Analyse in the SEO Spider
Use the ‘Security’ tab and ‘Missing HSTS Header’ filter to view these URLs and export all URLs using the ‘Export’ button.
What Triggers This Issue
This issue is triggered when a URL is missing the HSTS response header.
For example:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
How To Fix
The HSTS header should be used across all pages to instruct the browser that it should always request pages via HTTPS, rather than HTTP.
Further Reading
- An SEOs Guide To Crawling HSTS - From Screaming Frog
- HTTP Strict Transport Security (HSTS) - From Web.dev