Audit Result

UUID: 019f6a2d-fda9-73c8-8599-af57486e7adb

devansgandhi.com

https://devansgandhi.com/

Scanned 1 day ago

85
Excellent Score
39 total checks
Passed
29
Warnings
8
Errors
2

Meta Information

  • Title Tag Warning

    Found 65 characters. Keep title between 30 and 60 characters.

    Fix: Add a unique <title> tag describing the main page intent in 30-60 characters.

  • Found 153 characters. Good snippet length.

  • Canonical found: https://devansgandhi.com

  • Favicon Pass

    Favicon found and reachable: favicons/favicon.ico (HTTP 200).

    Favicon
  • Viewport configured: width=device-width, initial-scale=1

  • HTML Lang Pass

    Language declared as "en".

Content Structure

Technical Optimization

  • HTTPS Pass

    Page is served over HTTPS.

  • 1 HTTPS hardening issues detected.

    • • Could not probe the HTTP version of this page.
    • • Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

    Fix: Set Strict-Transport-Security with a long max-age, add includeSubDomains, and redirect all HTTP requests to HTTPS.

  • Core security headers were detected.

    Full HTTP headers (26)
    • • age: 1
    • • alt-svc: h3=":443"; ma=86400
    • • cache-control: public,max-age=0,must-revalidate
    • • cache-status: "Netlify Edge"; fwd=miss
    • • cf-cache-status: DYNAMIC
    • • cf-ray: a1bfdaaa2be9e54b-IAD
    • • content-encoding: zstd
    • • content-security-policy: default-src 'self'; script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gstatic.com; connect-src 'self'; frame-src https://www.google.com https://recaptcha.google.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
    • • content-security-policy-report-only: script-src 'nonce-I+j+2Q5QEg2VXWB8YuNJwYCeBxDVX/ct' 'unsafe-inline' 'self' https: http:; report-uri /.netlify/functions/__csp-violations
    • • content-type: text/html; charset=UTF-8
    • • cross-origin-opener-policy: same-origin
    • • date: Thu, 16 Jul 2026 09:07:03 GMT
    • • nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
    • • permissions-policy: geolocation=(), microphone=(), camera=(), usb=(), payment=(), gyroscope=(), accelerometer=(), interest-cohort=()
    • • referrer-policy: strict-origin-when-cross-origin
    • • report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=EKiCKPdTdSi3h1mOlwQysoAogXz0FMhzNkvNnREj%2F7TeV6CPASDZPsGkns6Uy9GOCB4VmcL5B92%2B9PdG4liGUPWQUxz%2F83SkusSilmXnzNE%2BdsuxUkn6yo%2FaIBNkIQUxgPgvn9QliB9M%2BU21GtwC"}]}
    • • server: cloudflare
    • • server-timing: cfCacheStatus;desc="DYNAMIC" cfEdge;dur=12,cfOrigin;dur=2603
    • • speculation-rules: "/cdn-cgi/speculation"
    • • strict-transport-security: max-age=15552000; includeSubDomains; preload
    • • vary: Accept-Encoding
    • • x-content-type-options: nosniff
    • • x-debug-csp-nonce: invoked
    • • x-frame-options: DENY
    • • x-nf-request-id: 01KXN2VSM597QZ81GB6E78BMC7
    • • x-xss-protection: 0
  • Content Security Policy looks restrictive and avoids common unsafe directives.

    • • Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gstatic.com; connect-src 'self'; frame-src https://www.google.com https://recaptcha.google.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
  • No first-party cookies were set during the initial page load.

  • Server response headers do not expose version tokens.

  • Domain appears to be behind Cloudflare.

    • • server: cloudflare
    • • cf-cache-status: DYNAMIC
    • • cf-ray: a1bfdaaa2be9e54b-IAD
  • Loaded in 3.06s (perceived).

    Fix: Reduce payload size, cache static assets, and remove non-critical JS from initial load.

  • 0 scripts and 2 styles may block rendering.

    • • style: https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600;700&family=Inter:wght@400;600;700&display=swap
    • • style: https://devansgandhi.com/styles.css

    Fix: Defer non-critical scripts and inline critical CSS to improve first paint speed.

  • Text-like assets appear compressed.

  • Robots.txt Pass

    Found robots.txt (200).

  • Found sitemap (200) at https://devansgandhi.com/sitemap.xml.

  • Robots meta found: index, follow

Accessibility Basics

  • All 10 controls are labeled.

  • Landmarks Pass

    Header, nav, main, and footer landmarks are present.

  • Tap Target Size Warning

    13 interactive elements appear smaller than 48px.

    • • a.skip-link (Skip to content) - 1x1px
    • • a.brand (Home) - 171x28px
    • • button.nav-dropdown-btn (Services) - 133x34px
    • • button#theme-toggle.btn.btn--ghost (Toggle theme) - 44x36px
    • • a.btn.btn--primary (Get a Free 30-Min Consultation) - 278x48px
    • • a.btn.btn--secondary (View Services) - 168x48px
    • • a.btn.btn--primary (Request a Pentest Quote) - 228x48px
    • • a.btn.btn--secondary (Book a Free Consultation) - 224x48px
    • • button.btn.btn--primary (Calculate Estimate →) - 484x35px
    • • button.btn.btn--primary (Estimate Breach Cost →) - 484x35px
    • • a.btn.btn--secondary (Full Profile & Experience →) - 235x48px
    • • a.btn.btn--primary (Get a Free Consultation) - 217x48px
    • • a.btn.btn--ghost (Email Directly) - 138x48px

    Fix: Increase target size to at least 48x48 CSS pixels for touch interactions.

Social & Rich Results

  • Core Open Graph tags are present.

  • og:image is present and absolute.

    Open Graph Image
  • twitter:card set to summary_large_image.

  • JSON-LD schema detected.

  • Manifest and Apple touch icon are configured.

  • 2 social preview quality issues detected.

    • • ISSUE: og:title should typically be between 10 and 70 characters.
    • • ISSUE: og:description should typically be between 50 and 200 characters.
    • • GUIDELINE: Optimal og:title length: 40-60 characters (acceptable: 10-70).
    • • GUIDELINE: Optimal og:description length: 110-160 characters (acceptable: 50-200).
    • • GUIDELINE: Optimal preview image size: 1200x630 pixels.
    • • GUIDELINE: Optimal preview image aspect ratio: 1.91:1.
    • • GUIDELINE: Optimal preview image file size: under 5 MB.
    • • GUIDELINE: Recommended twitter:card: summary_large_image.
    • • MEASURED: Image size: 0.03 MB
    • • MEASURED: Image dimensions: 1200x630

    Fix: Use absolute OG/Twitter URLs, keep metadata lengths in recommended ranges, and provide a preview image near 1200x630 under 5MB.

Links Analysis

  • Checked 13 links. No broken internal links found.

  • External Links Warning

    2 external links returned errors or timed out.

    • • https://linkedin.com/in/gandhidevansh (HTTP 999)
    • • https://tryhackme.com/p/hackerdevil (HTTP 429)

    Fix: Replace dead external URLs or point to working alternatives.

  • All 31 links use non-empty href values.

Performance & Runtime

  • Largest Contentful Paint: 3.06s.

    Fix: Improve LCP by optimizing above-the-fold media, reducing server latency, and inlining critical CSS.

  • Cumulative Layout Shift: 0.061.

  • Total Blocking Time estimate: 28ms.

  • 1 asset requests failed.

    • • https://static.cloudflareinsights.com/beacon.min.js/v4513226cdae34746b4dedf0b4dfa099e1781791509496 (csp)

    Fix: Fix missing files, update asset URLs, and ensure static assets return HTTP 200.

  • 3 JavaScript runtime issues detected.

    • • Request failed: https://static.cloudflareinsights.com/beacon.min.js/v4513226cdae34746b4dedf0b4dfa099e1781791509496 (csp, type: script)
    • • Loading the script 'https://static.cloudflareinsights.com/beacon.min.js/v4513226cdae34746b4dedf0b4dfa099e1781791509496' violates the following Content Security Policy directive: "script-src 'self' https://www.google.com https://www.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The action has been blocked. [https://devansgandhi.com/:1]
    • • Executing inline script violates the following Content Security Policy directive 'script-src 'self' https://www.google.com https://www.gstatic.com'. Either the 'unsafe-inline' keyword, a hash ('sha256-E/zdOsSFZxspFIdo1nmNd7iRowTQTOlDIOgzSajbFhY='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked. [https://devansgandhi.com/:802]

    Fix: Fix JS files returning 404/failed requests and resolve the listed runtime exceptions.