Audit Result

UUID: 019f5c1b-9f80-707b-8f50-0d00741917f4

www.yape.com.pe

https://www.yape.com.pe/

Scanned 4 days ago

82
Fair Score
39 total checks
Passed
26
Warnings
12
Errors
1

Meta Information

  • Title Tag Warning

    Found 75 characters. Keep title between 30 and 60 characters.

    Fix: Add a unique <title> tag describing the main page intent in 30-60 characters.

  • Found 160 characters. Good snippet length.

  • Canonical found: https://www.yape.com.pe

  • Favicon Warning

    No favicon link found in <head>.

    Fix: Add <link rel="icon" href="/favicon.ico"> to ensure browser tab and bookmark visibility.

  • Viewport configured: width=device-width, initial-scale=1, maximum-scale=5

  • HTML Lang Pass

    Language declared as "es-PE".

Content Structure

Technical Optimization

  • HTTPS Pass

    Page is served over HTTPS.

  • 1 HTTPS hardening issues detected.

    • • Could not probe the HTTP version of this page.
    • • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    Fix: Set Strict-Transport-Security with a long max-age, add includeSubDomains, and redirect all HTTP requests to HTTPS.

  • Core security headers were detected.

    Full HTTP headers (27)
    • • access-control-allow-credentials: true
    • • access-control-allow-headers: Authorization,Content-Type,Bypass-Cache,Gql-Operation,Cache-Control,X-Correlation-Id,X-Request-Id,X-Dtc,X-Requested-With,Request-Id,Request-Date
    • • access-control-allow-methods: GET,HEAD,POST,PATCH,OPTIONS,PUT,DELETE
    • • access-control-max-age: 900
    • • cache-control: private, no-cache, no-store, max-age=0, must-revalidate
    • • content-encoding: gzip
    • • content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.googleanalytics.com *.google.com; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com https://www.googletagmanager.com https://www.google-analytics.com https://fonts.googleapis.com; img-src 'self' blob: data: *.datocms-assets.com *.cookiebot.com *.zdassets.com *.zendesk.com http://www.googletagmanager.com https://www.google-analytics.com *.google.com *.google.com.pe *.google.com.bo *.google.com.br *.google.com.ar *.google.com.co *.google.com.mx *.google.com.cl https://fonts.gstatic.com *.ytimg.com https://am1.indigitall-cdn.com *.facebook.com *.linkedin.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://*.qualtrics.com; script-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.youtube.com *.youtube.com *.hotjar.com *.hotjar.io *.doubleclick.net https://connect.facebook.net https://analytics.tiktok.com https://www.googleadservices.com https://snap.licdn.com https://sage-crumble-d13d8c.netlify.app https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com; font-src 'self' data:; object-src 'none'; connect-src 'self' *.cookiebot.com *.zdassets.com *.zendesk.com wss://*.zendesk.com https://*.indigitall.com https://www.google.com https://www.google-analytics.com *.doubleclick.net https://analytics.google.com https://featureassets.org https://prodregistryv2.org *.hotjar.io *.googlesyndication.com *.google.com wss://*.hotjar.com *.hotjar.com *.datocms-assets.com *.tiktok.com *.google.com.pe *.google.com.bo *.facebook.com *.tiktokw.us *.linkedin.com *.staticmon.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com *.blob.core.windows.net; base-uri 'self'; form-action 'self' *.facebook.com *.qualtrics.com *.blob.core.windows.net; frame-src 'self' js2ios: * *.cookiebot.com https://yapepro.b2clogin.com; frame-ancestors 'self' *.doubleclick.net *.yape.tech *.yapetienda.com.pe *.yape.com.pe; block-all-mixed-content; upgrade-insecure-requests; worker-src 'self' blob: data:; child-src 'self' blob:;
    • • content-type: text/html; charset=utf-8
    • • cross-origin-opener-policy: noopener-allow-popups
    • • date: Mon, 13 Jul 2026 15:32:18 GMT
    • • expect-ct: enforce, max-age=30
    • • feature-policy: geolocation "self"; camera "self"; microphone "self"; fullscreen "self"; autoplay "self"
    • • link: </_next/static/media/0fe9c6e1f16f3456-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff", </_next/static/media/1e41be92c43b3255-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/6d13fe47ea9baeea-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff", </_next/static/media/b28498b52dcbe042-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff", </_next/static/media/e479ac80244556b5-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff"
    • • permissions-policy: geolocation=(), camera=(), microphone=(), encrypted-media=(), autoplay=(), fullscreen=() geolocation=(), camera=(), microphone=(), encrypted-media=(), autoplay=(), fullscreen=()
    • • referrer-policy: strict-origin-when-cross-origin
    • • server-timing: dtTrId;desc="2e5f1413d7e33a7d4ff60d5e9f18fedd", dtSInfo;desc="0" dtRpid;desc="-545246549"
    • • strict-transport-security: max-age=31536000; includeSubDomains; preload
    • • vary: Accept-Encoding
    • • x-age-i: Mon, 13 Jul 2026 15:32:18 GMT
    • • x-cache-i: MISS
    • • x-cdn: Imperva
    • • x-content-type-options: nosniff
    • • x-frame-options: SAMEORIGIN
    • • x-iinfo: 6-11895194-11895198 NNNN CT(7 12 0) RT(1783956738346 13) q(0 0 0 1) r(0 1) U2
    • • x-oneagent-js-injection: true
    • • x-permitted-cross-domain-policies: none
    • • x-ruxit-js-agent: true
  • CSP Quality Error

    1 CSP hardening issues detected.

    • • script-src/default-src permits 'unsafe-inline'.
    • • Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.googleanalytics.com *.google.com; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com https://www.googletagmanager.com https://www.google-analytics.com https://fonts.googleapis.com; img-src 'self' blob: data: *.datocms-assets.com *.cookiebot.com *.zdassets.com *.zendesk.com http://www.googletagmanager.com https://www.google-analytics.com *.google.com *.google.com.pe *.google.com.bo *.google.com.br *.google.com.ar *.google.com.co *.google.com.mx *.google.com.cl https://fonts.gstatic.com *.ytimg.com https://am1.indigitall-cdn.com *.facebook.com *.linkedin.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://*.qualtrics.com; script-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.youtube.com *.youtube.com *.hotjar.com *.hotjar.io *.doubleclick.net https://connect.facebook.net https://analytics.tiktok.com https://www.googleadservices.com https://snap.licdn.com https://sage-crumble-d13d8c.netlify.app https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com; font-src 'self' data:; object-src 'none'; connect-src 'self' *.cookiebot.com *.zdassets.com *.zendesk.com wss://*.zendesk.com https://*.indigitall.com https://www.google.com https://www.google-analytics.com *.doubleclick.net https://analytics.google.com https://featureassets.org https://prodregistryv2.org *.hotjar.io *.googlesyndication.com *.google.com wss://*.hotjar.com *.hotjar.com *.datocms-assets.com *.tiktok.com *.google.com.pe *.google.com.bo *.facebook.com *.tiktokw.us *.linkedin.com *.staticmon.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com *.blob.core.windows.net; base-uri 'self'; form-action 'self' *.facebook.com *.qualtrics.com *.blob.core.windows.net; frame-src 'self' js2ios: * *.cookiebot.com https://yapepro.b2clogin.com; frame-ancestors 'self' *.doubleclick.net *.yape.tech *.yapetienda.com.pe *.yape.com.pe; block-all-mixed-content; upgrade-insecure-requests; worker-src 'self' blob: data:; child-src 'self' blob:;

    Fix: Tighten Content-Security-Policy by removing unsafe directives and adding object-src, base-uri, and frame-ancestors restrictions.

  • No first-party cookies were set during the initial page load.

  • Server response headers do not expose version tokens.

  • Domain does not appear to be behind Cloudflare.

  • Loaded in 0.44s (perceived).

  • 2 scripts and 4 styles may block rendering.

    • • script: https://www.yape.com.pe/ruxitagentjs_ICA7NVfqrux_10341260622154106.js
    • • script: https://www.yape.com.pe/_next/static/chunks/polyfills-42372ed130431b0a.js
    • • style: https://www.yape.com.pe/_next/static/css/efa5fd7724a83ceb.css
    • • style: https://www.yape.com.pe/_next/static/css/ab1226b8b6b31d06.css
    • • style: https://www.yape.com.pe/_next/static/css/97924461c38f61c9.css
    • • style: https://www.yape.com.pe/_next/static/css/37c2ec5c4cb26b79.css

    Fix: Defer non-critical scripts and inline critical CSS to improve first paint speed.

  • Compression Warning

    3 text resources look uncompressed.

    • • https://www.yape.com.pe/_Incapsula_Resource?SWKMTFSR=1&e=0.45713393023220317 (text/plain)
    • • https://consentcdn.cookiebot.com/consentconfig/12ef5598-64c5-4135-926f-31939c321206/settings.json (application/json)
    • • https://bcpr42sh.staticmon.com/tun/bcpr42sh/input/ (application/json)

    Fix: Enable Brotli or Gzip compression for HTML, CSS, JS, and JSON responses.

  • Robots.txt Pass

    Found robots.txt (200).

  • Found sitemap (200) at https://www.yape.com.pe/sitemap.xml.

  • No robots meta tag defined.

    Fix: Add <meta name="robots" content="index,follow"> (or the intended directive) in <head>.

Accessibility Basics

  • All 4 controls are labeled.

  • Landmarks Pass

    Header, nav, main, and footer landmarks are present.

  • Tap Target Size Warning

    16 interactive elements appear smaller than 48px.

    • • button#CybotCookiebotDialogBodyLevelButtonLevelOptinAllowAll.yape-cb-button.yape-cb-button-accept (Aceptar todo) - 210x44px
    • • button.yape-cb-button.yape-cb-button-configuration (Configuración) - 210x44px
    • • button.antialiased.min-w-fit - 46x44px
    • • button.antialiased.min-w-fit (Bloquea tu cuenta) - 186x44px
    • • button.relative.h-6 (Pausar reproducción) - 24x24px
    • • button.hover:bg-primary-500.relative - 40x8px
    • • button.hover:bg-primary-500.relative - 8x8px
    • • button.hover:bg-primary-500.relative - 8x8px
    • • button.hover:bg-primary-500.relative - 8x8px
    • • button.hover:bg-primary-500.relative - 8x8px
    • • button.hover:bg-primary-500.relative - 8x8px
    • • button.z-50.h-11 - 44x44px
    • • button.z-50.h-11 - 44x44px
    • • button.antialiased.min-w-fit (Configurar cookies) - 155x44px
    • • button.antialiased.min-w-fit (Califícanos) - 44x70px
    • • button#QSIFeedbackButton-btn (¿Qué opinas?) - 35x94px

    Fix: Increase target size to at least 48x48 CSS pixels for touch interactions.

Social & Rich Results

  • Core Open Graph tags are present.

  • og:image is present and absolute.

    Open Graph Image
  • twitter:card set to summary_large_image.

  • Structured Data Warning

    No JSON-LD schema scripts found.

    Fix: Add JSON-LD structured data matching your page type (Organization, Article, Product, etc.).

  • PWA Metadata Warning

    Manifest or Apple touch icon is missing.

    Fix: Link your web app manifest and apple-touch-icon for improved install/share experiences.

  • 2 social preview quality issues detected.

    • • ISSUE: og:title should typically be between 10 and 70 characters.
    • • ISSUE: Preview image is below recommended size (1200x630).
    • • GUIDELINE: Optimal og:title length: 40-60 characters (acceptable: 10-70).
    • • GUIDELINE: Optimal og:description length: 110-160 characters (acceptable: 50-200).
    • • GUIDELINE: Optimal preview image size: 1200x630 pixels.
    • • GUIDELINE: Optimal preview image aspect ratio: 1.91:1.
    • • GUIDELINE: Optimal preview image file size: under 5 MB.
    • • GUIDELINE: Recommended twitter:card: summary_large_image.
    • • MEASURED: Image size: 0.01 MB
    • • MEASURED: Image dimensions: 360x200

    Fix: Use absolute OG/Twitter URLs, keep metadata lengths in recommended ranges, and provide a preview image near 1200x630 under 5MB.

Links Analysis

  • Checked 31 links. No broken internal links found.

  • No broken external links found in checked URLs.

  • Link Format Warning

    3 links are empty, invalid, or placeholder-only.

    • • href="#" text="Vende mejor, cobra mejor1 min"
    • • href="#" text="Gestión de tu negocio3 min"
    • • href="#" text="Tu Primer Sueldo - Maneja tu dinero inteligentemente1 min"

    Fix: Replace empty/#/javascript href values with real destinations or use buttons for non-navigation actions.

Performance & Runtime