| 1. General Results, most used to calculate the result |
A | name "2602:806:a003:40f::102:28" is ipv6 address, public suffix is not defined
|
A | Good: All ip addresses are public addresses
|
A | Good: one preferred version: non-www is preferred
|
A | Good: No cookie sent via http.
|
A | Good: every https has a Strict Transport Security Header
|
A | Good: HSTS max-age is long enough, 31536000 seconds = 365 days
|
A | Good: All urls with http status 200/404 have a complete Content-Type header (MediaType / MediaSubType + correct charset)
|
C | Error - more then one version with Http-Status 200. After all redirects, all users (and search engines) should see the same https url: Non-www or www, but not both with http status 200.
|
H | Fatal error: http result with http-status 200, no encryption. Add a redirect http ⇒ https, so every connection is secure. Perhaps in your port 80 vHost something like "RewriteEngine on" + "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]" (two rows, without the "). Don't add this in your port 443 vHost, that would create a loop.
|
N | https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Error - Certificate isn't trusted, RemoteCertificateNameMismatch
|
N | https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Error - Certificate isn't trusted, RemoteCertificateNameMismatch
|
| 2. Header-Checks (Cross-Origin-* headers are alpha - started 2024-06-05) |
| 3. DNS- and NameServer - Checks |
| 4. Content- and Performance-critical Checks |
A | Good: All checks /.well-known/acme-challenge/random-filename without redirects answer with the expected http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge should work. If it doesn't work: Check your vHost configuration (apachectl -S, httpd -S, nginx -T). Every combination of port and ServerName / ServerAlias (Apache) or Server (Nginx) must be unique. Merge duplicated entries in one vHost. If you use an IIS, extensionless files must be allowed in the /.well-known/acme-challenge subdirectory. Create a web.config in that directory. Content: <configuration><system.webServer><staticContent><mimeMap fileExtension="." mimeType="text/plain" /></staticContent></system.webServer></configuration>. If you have a redirect http ⇒ https, that's ok, Letsencrypt follows such redirects to port 80 / 443 (same or other server). There must be a certificate. But the certificate may be expired, self signed or with a not matching domain name. Checking the validation file Letsencrypt ignores such certificate errors. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: https result with status 200 and size greater then 1024 Bytes without Compression found. Add Compression support (gzip, deflate, br - these are checked) so the html content is compressed.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: https result with status 200 and size greater then 1024 Bytes without Compression found. Add Compression support (gzip, deflate, br - these are checked) so the html content is compressed.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: Https + http status 200 + Inline CSS / JavaScript found. Don't use inline CSS / JavaScript. These are compiled and re-used ressources, save these with a long Cache-Control max-age - header.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: Https + http status 200 + Inline CSS / JavaScript found. Don't use inline CSS / JavaScript. These are compiled and re-used ressources, save these with a long Cache-Control max-age - header.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: Https result with status 200 found, Html-Content is too big. Should be max. 110 %. May contain inline CSS / JavaScript, too much comments or white space. Re-used ressources - create files with a long Cache-Control max-age header. Remove comments and white space.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: Https result with status 200 found, Html-Content is too big. Should be max. 110 %. May contain inline CSS / JavaScript, too much comments or white space. Re-used ressources - create files with a long Cache-Control max-age header. Remove comments and white space.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: Https connections (Standard Port 443) found without support of the http/2 protocol via ALPN. Http/2 is the new Http-Version (old: http 1.1) with some important new features. Update your server software so http/2 is available. Only one TCP-connection per Server (that's a performance boost), Header-Compression and Server Pushs are available. Domain Sharding and Inline-CSS/Javascript shouldn't used with http/2.
|
| https://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: Https connections (Standard Port 443) found without support of the http/2 protocol via ALPN. Http/2 is the new Http-Version (old: http 1.1) with some important new features. Update your server software so http/2 is available. Only one TCP-connection per Server (that's a performance boost), Header-Compression and Server Pushs are available. Domain Sharding and Inline-CSS/Javascript shouldn't used with http/2.
|
A | Good: All checked attribute values are enclosed in quotation marks (" or ').
|
A | Info: No img element found, no alt attribute checked
|
| http://[2602:0806:a003:040f:0000:0000:0102:0028]/ 2602:806:a003:40f::102:28
|
| Warning: HSTS header sent via http has no effect
|
A | Duration: 23516 milliseconds, 23.516 seconds
|