Audit Result
UUID: 019f5c1b-9f80-707b-8f50-0d00741917f4
https://www.yape.com.pe/
Scanned 4 days ago
Meta Information
-
Title Tag Warning
Found 75 characters. Keep title between 30 and 60 characters.
Fix: Add a unique <title> tag describing the main page intent in 30-60 characters.
-
Meta Description Pass
Found 160 characters. Good snippet length.
-
Canonical URL Pass
Canonical found: https://www.yape.com.pe
-
Favicon Warning
No favicon link found in <head>.
Fix: Add <link rel="icon" href="/favicon.ico"> to ensure browser tab and bookmark visibility.
-
Viewport Meta Pass
Viewport configured: width=device-width, initial-scale=1, maximum-scale=5
-
HTML Lang Pass
Language declared as "es-PE".
Content Structure
-
H1 Tag Pass
Exactly one H1 found: "Descubre Aprende con Yape".
-
Heading Hierarchy Pass
Valid heading flow across 16 headings.
-
Image Alt Text Pass
All 25 images include alt text.
Technical Optimization
-
HTTPS Pass
Page is served over HTTPS.
-
HSTS & HTTPS Redirect Warning
1 HTTPS hardening issues detected.
- • Could not probe the HTTP version of this page.
- • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Fix: Set Strict-Transport-Security with a long max-age, add includeSubDomains, and redirect all HTTP requests to HTTPS.
-
Security Headers Pass
Core security headers were detected.
Full HTTP headers (27)
- • access-control-allow-credentials: true
- • access-control-allow-headers: Authorization,Content-Type,Bypass-Cache,Gql-Operation,Cache-Control,X-Correlation-Id,X-Request-Id,X-Dtc,X-Requested-With,Request-Id,Request-Date
- • access-control-allow-methods: GET,HEAD,POST,PATCH,OPTIONS,PUT,DELETE
- • access-control-max-age: 900
- • cache-control: private, no-cache, no-store, max-age=0, must-revalidate
- • content-encoding: gzip
- • content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.googleanalytics.com *.google.com; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com https://www.googletagmanager.com https://www.google-analytics.com https://fonts.googleapis.com; img-src 'self' blob: data: *.datocms-assets.com *.cookiebot.com *.zdassets.com *.zendesk.com http://www.googletagmanager.com https://www.google-analytics.com *.google.com *.google.com.pe *.google.com.bo *.google.com.br *.google.com.ar *.google.com.co *.google.com.mx *.google.com.cl https://fonts.gstatic.com *.ytimg.com https://am1.indigitall-cdn.com *.facebook.com *.linkedin.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://*.qualtrics.com; script-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.youtube.com *.youtube.com *.hotjar.com *.hotjar.io *.doubleclick.net https://connect.facebook.net https://analytics.tiktok.com https://www.googleadservices.com https://snap.licdn.com https://sage-crumble-d13d8c.netlify.app https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com; font-src 'self' data:; object-src 'none'; connect-src 'self' *.cookiebot.com *.zdassets.com *.zendesk.com wss://*.zendesk.com https://*.indigitall.com https://www.google.com https://www.google-analytics.com *.doubleclick.net https://analytics.google.com https://featureassets.org https://prodregistryv2.org *.hotjar.io *.googlesyndication.com *.google.com wss://*.hotjar.com *.hotjar.com *.datocms-assets.com *.tiktok.com *.google.com.pe *.google.com.bo *.facebook.com *.tiktokw.us *.linkedin.com *.staticmon.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com *.blob.core.windows.net; base-uri 'self'; form-action 'self' *.facebook.com *.qualtrics.com *.blob.core.windows.net; frame-src 'self' js2ios: * *.cookiebot.com https://yapepro.b2clogin.com; frame-ancestors 'self' *.doubleclick.net *.yape.tech *.yapetienda.com.pe *.yape.com.pe; block-all-mixed-content; upgrade-insecure-requests; worker-src 'self' blob: data:; child-src 'self' blob:;
- • content-type: text/html; charset=utf-8
- • cross-origin-opener-policy: noopener-allow-popups
- • date: Mon, 13 Jul 2026 15:32:18 GMT
- • expect-ct: enforce, max-age=30
- • feature-policy: geolocation "self"; camera "self"; microphone "self"; fullscreen "self"; autoplay "self"
- • link: </_next/static/media/0fe9c6e1f16f3456-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff", </_next/static/media/1e41be92c43b3255-s.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/6d13fe47ea9baeea-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff", </_next/static/media/b28498b52dcbe042-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff", </_next/static/media/e479ac80244556b5-s.p.woff>; rel=preload; as="font"; crossorigin=""; type="font/woff"
- • permissions-policy: geolocation=(), camera=(), microphone=(), encrypted-media=(), autoplay=(), fullscreen=() geolocation=(), camera=(), microphone=(), encrypted-media=(), autoplay=(), fullscreen=()
- • referrer-policy: strict-origin-when-cross-origin
- • server-timing: dtTrId;desc="2e5f1413d7e33a7d4ff60d5e9f18fedd", dtSInfo;desc="0" dtRpid;desc="-545246549"
- • strict-transport-security: max-age=31536000; includeSubDomains; preload
- • vary: Accept-Encoding
- • x-age-i: Mon, 13 Jul 2026 15:32:18 GMT
- • x-cache-i: MISS
- • x-cdn: Imperva
- • x-content-type-options: nosniff
- • x-frame-options: SAMEORIGIN
- • x-iinfo: 6-11895194-11895198 NNNN CT(7 12 0) RT(1783956738346 13) q(0 0 0 1) r(0 1) U2
- • x-oneagent-js-injection: true
- • x-permitted-cross-domain-policies: none
- • x-ruxit-js-agent: true
-
CSP Quality Error
1 CSP hardening issues detected.
- • script-src/default-src permits 'unsafe-inline'.
- • Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.googleanalytics.com *.google.com; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com https://www.googletagmanager.com https://www.google-analytics.com https://fonts.googleapis.com; img-src 'self' blob: data: *.datocms-assets.com *.cookiebot.com *.zdassets.com *.zendesk.com http://www.googletagmanager.com https://www.google-analytics.com *.google.com *.google.com.pe *.google.com.bo *.google.com.br *.google.com.ar *.google.com.co *.google.com.mx *.google.com.cl https://fonts.gstatic.com *.ytimg.com https://am1.indigitall-cdn.com *.facebook.com *.linkedin.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://*.qualtrics.com; script-src-elem 'self' 'unsafe-inline' https://*.siteintercept.qualtrics.com *.cookiebot.com *.zdassets.com *.zendesk.com https://www.googletagmanager.com https://www.google-analytics.com https://www.youtube.com *.youtube.com *.hotjar.com *.hotjar.io *.doubleclick.net https://connect.facebook.net https://analytics.tiktok.com https://www.googleadservices.com https://snap.licdn.com https://sage-crumble-d13d8c.netlify.app https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com; font-src 'self' data:; object-src 'none'; connect-src 'self' *.cookiebot.com *.zdassets.com *.zendesk.com wss://*.zendesk.com https://*.indigitall.com https://www.google.com https://www.google-analytics.com *.doubleclick.net https://analytics.google.com https://featureassets.org https://prodregistryv2.org *.hotjar.io *.googlesyndication.com *.google.com wss://*.hotjar.com *.hotjar.com *.datocms-assets.com *.tiktok.com *.google.com.pe *.google.com.bo *.facebook.com *.tiktokw.us *.linkedin.com *.staticmon.com https://zn1qgsg94pepuboam-yape.siteintercept.qualtrics.com https://siteintercept.qualtrics.com *.blob.core.windows.net; base-uri 'self'; form-action 'self' *.facebook.com *.qualtrics.com *.blob.core.windows.net; frame-src 'self' js2ios: * *.cookiebot.com https://yapepro.b2clogin.com; frame-ancestors 'self' *.doubleclick.net *.yape.tech *.yapetienda.com.pe *.yape.com.pe; block-all-mixed-content; upgrade-insecure-requests; worker-src 'self' blob: data:; child-src 'self' blob:;
Fix: Tighten Content-Security-Policy by removing unsafe directives and adding object-src, base-uri, and frame-ancestors restrictions.
-
Cookie Security Pass
No first-party cookies were set during the initial page load.
-
Server response headers do not expose version tokens.
-
Cloudflare Proxy Warning
Domain does not appear to be behind Cloudflare.
-
Perceived Load Time Pass
Loaded in 0.44s (perceived).
-
Render Blocking Resources Warning
2 scripts and 4 styles may block rendering.
- • script: https://www.yape.com.pe/ruxitagentjs_ICA7NVfqrux_10341260622154106.js
- • script: https://www.yape.com.pe/_next/static/chunks/polyfills-42372ed130431b0a.js
- • style: https://www.yape.com.pe/_next/static/css/efa5fd7724a83ceb.css
- • style: https://www.yape.com.pe/_next/static/css/ab1226b8b6b31d06.css
- • style: https://www.yape.com.pe/_next/static/css/97924461c38f61c9.css
- • style: https://www.yape.com.pe/_next/static/css/37c2ec5c4cb26b79.css
Fix: Defer non-critical scripts and inline critical CSS to improve first paint speed.
-
Compression Warning
3 text resources look uncompressed.
- • https://www.yape.com.pe/_Incapsula_Resource?SWKMTFSR=1&e=0.45713393023220317 (text/plain)
- • https://consentcdn.cookiebot.com/consentconfig/12ef5598-64c5-4135-926f-31939c321206/settings.json (application/json)
- • https://bcpr42sh.staticmon.com/tun/bcpr42sh/input/ (application/json)
Fix: Enable Brotli or Gzip compression for HTML, CSS, JS, and JSON responses.
-
Robots.txt Pass
Found robots.txt (200).
-
Sitemap File Pass
Found sitemap (200) at https://www.yape.com.pe/sitemap.xml.
-
Crawl Directives Warning
No robots meta tag defined.
Fix: Add <meta name="robots" content="index,follow"> (or the intended directive) in <head>.
Accessibility Basics
-
Form Labels Pass
All 4 controls are labeled.
-
Landmarks Pass
Header, nav, main, and footer landmarks are present.
-
Tap Target Size Warning
16 interactive elements appear smaller than 48px.
- • button#CybotCookiebotDialogBodyLevelButtonLevelOptinAllowAll.yape-cb-button.yape-cb-button-accept (Aceptar todo) - 210x44px
- • button.yape-cb-button.yape-cb-button-configuration (Configuración) - 210x44px
- • button.antialiased.min-w-fit - 46x44px
- • button.antialiased.min-w-fit (Bloquea tu cuenta) - 186x44px
- • button.relative.h-6 (Pausar reproducción) - 24x24px
- • button.hover:bg-primary-500.relative - 40x8px
- • button.hover:bg-primary-500.relative - 8x8px
- • button.hover:bg-primary-500.relative - 8x8px
- • button.hover:bg-primary-500.relative - 8x8px
- • button.hover:bg-primary-500.relative - 8x8px
- • button.hover:bg-primary-500.relative - 8x8px
- • button.z-50.h-11 - 44x44px
- • button.z-50.h-11 - 44x44px
- • button.antialiased.min-w-fit (Configurar cookies) - 155x44px
- • button.antialiased.min-w-fit (Califícanos) - 44x70px
- • button#QSIFeedbackButton-btn (¿Qué opinas?) - 35x94px
Fix: Increase target size to at least 48x48 CSS pixels for touch interactions.
Social & Rich Results
-
Open Graph Basics Pass
Core Open Graph tags are present.
-
-
Twitter Card Pass
twitter:card set to summary_large_image.
-
Structured Data Warning
No JSON-LD schema scripts found.
Fix: Add JSON-LD structured data matching your page type (Organization, Article, Product, etc.).
-
PWA Metadata Warning
Manifest or Apple touch icon is missing.
Fix: Link your web app manifest and apple-touch-icon for improved install/share experiences.
-
Open Graph/Twitter Quality Warning
2 social preview quality issues detected.
- • ISSUE: og:title should typically be between 10 and 70 characters.
- • ISSUE: Preview image is below recommended size (1200x630).
- • GUIDELINE: Optimal og:title length: 40-60 characters (acceptable: 10-70).
- • GUIDELINE: Optimal og:description length: 110-160 characters (acceptable: 50-200).
- • GUIDELINE: Optimal preview image size: 1200x630 pixels.
- • GUIDELINE: Optimal preview image aspect ratio: 1.91:1.
- • GUIDELINE: Optimal preview image file size: under 5 MB.
- • GUIDELINE: Recommended twitter:card: summary_large_image.
- • MEASURED: Image size: 0.01 MB
- • MEASURED: Image dimensions: 360x200
Fix: Use absolute OG/Twitter URLs, keep metadata lengths in recommended ranges, and provide a preview image near 1200x630 under 5MB.
Links Analysis
-
Internal Links Pass
Checked 31 links. No broken internal links found.
-
External Links Pass
No broken external links found in checked URLs.
-
Link Format Warning
3 links are empty, invalid, or placeholder-only.
- • href="#" text="Vende mejor, cobra mejor1 min"
- • href="#" text="Gestión de tu negocio3 min"
- • href="#" text="Tu Primer Sueldo - Maneja tu dinero inteligentemente1 min"
Fix: Replace empty/#/javascript href values with real destinations or use buttons for non-navigation actions.
Performance & Runtime
-
Core Web Vitals: LCP Pass
Largest Contentful Paint: 0.44s.
-
Core Web Vitals: CLS Pass
Cumulative Layout Shift: 0.002.
-
Total Blocking Time estimate: 156ms.
-
Broken Assets Pass
No failed CSS/JS/image/font/media requests detected.
-
No console/page runtime errors detected during audit.