domeinflits.nl
Certified on 8 July 2026 · 8 pages checked · 7 improvements found
Full audit
Part of the WebYes certification: beyond the four pillars we also audit SEO, structured data, content, links, privacy and AI findability. These extra categories do not count towards the certification score.
Findings (20)
- ErrorAccessibility
3 <input> element(s) have no associated label, aria-label, or aria-labelledby.
Associate a <label for="inputId"> or add aria-label="..." to every visible form input.
How to fix it
Link every form field to a label via for/id, or use aria-label. A placeholder alone is not enough: it disappears as soon as someone types.
- ErrorSecurity
Cookie `Next-Locale` is set on an HTTPS page without the Secure flag.
Add `Secure` to the Set-Cookie header so the cookie is only ever sent over HTTPS. Pair with `HttpOnly` and `SameSite=Lax` (or `Strict`).
How to fix it
Set the Secure flag on all your cookies so they are only sent over HTTPS. In most frameworks this is a single setting in the cookie or session configuration.
- WarningSpeed
HTML document is 569 KB (budget: 488.28125 KB).
Large HTML payloads delay First Contentful Paint on slow connections. Server-render only above-the-fold content and lazy-load the rest, or paginate long listing pages. In Next.js, use streaming with `loading.tsx` to flush the shell early.
How to fix it
Your HTML document is considerably larger than needed. The usual culprits are inline CSS or JSON data in the page; move those to separate files or load them only when needed.
- WarningSecurity
No Content-Security-Policy header — XSS / clickjacking surface is wide open.
Start with a strict-dynamic CSP using nonces: `Content-Security-Policy: script-src 'nonce-<...>' 'strict-dynamic'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'`. Roll out in `Content-Security-Policy-Report-Only` first to catch violations.
How to fix it
Add a Content-Security-Policy header that defines which sources may load scripts and styles. Start with a report-only policy if needed and tighten it from there.
- WarningOn-page SEO
Title is too long (77 chars, max 60); will be truncated in SERPs.
Trim to ~60 characters and keep the most important keywords on the left.
- WarningAI findability (GEO)
robots.txt blocks 5 AI crawlers: GPTBot, ClaudeBot, Google-Extended, CCBot, Applebot-Extended.
If you want ChatGPT / Claude / Perplexity citations, allow those bots: add `User-agent: GPTBot\nAllow: /` etc. to robots.txt. Note that Google's AI Overviews / AI Mode are unaffected — they use Googlebot and snippet eligibility, not these bots. Google-Extended is different: it only controls Gemini model training/grounding — blocking it does NOT remove you from AI Overviews (those are Search features served via Googlebot), so keeping that block is a legitimate policy choice. (If a block is intentional, suppress this rule.)
- WarningSpam signals
Term "token" appears unusually often (123×, 13% of words).
Rewrite for natural language — repeated exact-match phrases can trigger spam classifiers.
- InfoSpeed
Likely LCP image is missing `fetchpriority="high"`.
Add `fetchpriority="high"` to the hero image (/_next/image?url=%2Fimages%2Fkennisbank%2Fwat-is-een-vervallen-domein.webp&w=1920&q=75) so the browser fetches it ahead of low-priority resources. Saves 100-300ms LCP on typical pages.
How to fix it
Prioritise your largest above-the-fold image with fetchpriority="high" or a preload link. The download then starts immediately instead of after the rest of the page.
- InfoSecurity
No `/.well-known/security.txt` published.
Publish a `security.txt` (RFC 9116) at `/.well-known/security.txt`. Even a one-line `Contact: mailto:[email protected]` plus an `Expires:` date is enough; it gives white-hat researchers somewhere to send reports instead of giving up.
How to fix it
Publish a security.txt at /.well-known/security.txt with a contact address for security reports. Researchers then know where to report a vulnerability.
- InfoSecurity
Missing `Cross-Origin-Embedder-Policy`. Cross-origin isolation lets you use SharedArrayBuffer and high-resolution timers safely.
Send `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp`. Note this requires every embedded resource to send `Cross-Origin-Resource-Policy`.
How to fix it
Add Cross-Origin-Opener-Policy: same-origin (and where possible Cross-Origin-Embedder-Policy). This isolates your site from windows opened by other origins.
- InfoOn-page SEO
Meta description is slightly over the recommended length (165 chars, max 160).
- InfoOn-page SEO
Page declares noindex; it will not be indexed.
Remove noindex if this page should appear in search results.
- InfoLinks
Page is only linked from chrome (7 inbound links, none from main content).
Add contextual links from related parent or sibling pages — header/footer links pass weak relevance signals to Google.
- InfoStructured data
Page has no JSON-LD structured data in the initial HTML.
Server-render JSON-LD in the HTML response. If this is currently injected after hydration (for example with next/script afterInteractive), static crawlers and AI bots may not see it.
- InfoContent
Text-to-HTML ratio is 0.5% (target ≥ 2%).
Very low ratios usually mean the hydration payload, inline RSC blob or a vendor script is bigger than the rendered prose. Inspect the largest scripts and externalise or split them.
- InfoTechnical
Crawl stopped at the max-pages limit (6); 1034 sitemap URLs were not visited but might still be reachable.
Re-run with `--max-pages 2000` (or higher) before trusting orphan-from-sitemap counts.
- InfoTechnical
No HTML sitemap link found on the homepage. Placing one in the footer is an industry best practice for UX and crawler/AI discovery.
Add a link to a user-facing HTML sitemap (e.g. `/sitemap`, not `sitemap.xml`) inside the <footer>. An HTML sitemap acts as a structural overview for lost visitors and as a fallback discovery surface for search engines and AI crawlers.
- InfoLegal
Site sets cookies on 8 page(s) but no cookie consent mechanism was detected.
Implement a CMP (Cookiebot, OneTrust, Usercentrics, Complianz) or build a consent banner. GDPR and ePrivacy require prior consent for non-essential cookies in the EU.
- InfoQuality impression
Homepage has no `<link rel="icon">` — browsers will request /favicon.ico which may 404.
Add a custom favicon that reflects your brand. A missing favicon causes extra 404 log noise and looks unprofessional in browser tabs and bookmarks.
- InfoPrivacy
1 phone-shaped string(s) appear in main content. Examples: 866341225.
If the phone numbers are intentional public contact info, ignore this finding. If they're personal numbers (employees, customer testimonials), redact or replace with a routing alias.
Full audit performed on 8 July 2026.
More from the register
Other websites holding an active WebYes certification. Every report is public and audited on the same four pillars.