Skip to content
Start free scan
Public reportCertified until 8 July 2027

duurzaamgefinancierd.nl

Visit duurzaamgefinancierd.nl ↗

Speed
99
Security
84
Mobile
100
Accessibility
100
Average score
96/ 100
Better than 77% of the 13 scanned sites
✓ WebYes certified

Certified on 9 July 2026 · 8 pages checked · 3 improvements found

Full audit

Part of the WebYes certification: beyond the four pillars we also audit SEO, structured data, content, links, privacy and AI findability. These extra categories do not count towards the certification score.

Legal
93
Technical
98
AI findability (GEO)
99
Quality impression
99
On-page SEO
100
Links
100
Structured data
100
Content
100
URL structure
100
Social
100
Spam signals
100
Privacy
100

Findings (8)

  • WarningSecurity

    No Content-Security-Policy header — XSS / clickjacking surface is wide open.

    Start with a strict-dynamic CSP using nonces: `Content-Security-Policy: script-src 'nonce-<...>' 'strict-dynamic'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'`. Roll out in `Content-Security-Policy-Report-Only` first to catch violations.

    How to fix it

    Add a Content-Security-Policy header that defines which sources may load scripts and styles. Start with a report-only policy if needed and tighten it from there.

    Read more in the knowledge base: Security headers →

  • WarningAI findability (GEO)

    robots.txt blocks 5 AI crawlers: GPTBot, ClaudeBot, Google-Extended, CCBot, Applebot-Extended.

    If you want ChatGPT / Claude / Perplexity citations, allow those bots: add `User-agent: GPTBot\nAllow: /` etc. to robots.txt. Note that Google's AI Overviews / AI Mode are unaffected — they use Googlebot and snippet eligibility, not these bots. Google-Extended is different: it only controls Gemini model training/grounding — blocking it does NOT remove you from AI Overviews (those are Search features served via Googlebot), so keeping that block is a legitimate policy choice. (If a block is intentional, suppress this rule.)

  • InfoSpeed

    2 image(s) ≥800px wide without srcset or <picture> for responsive delivery.

    Use `srcset` with multiple resolutions or wrap images in `<picture>` with WebP/AVIF sources. In Next.js, use `next/image` which handles this automatically. Without responsive images, mobile users download desktop-sized assets.

    How to fix it

    Serve images in a modern format (WebP or AVIF), scaled to the size at which they are displayed. An image service or build step (such as next/image) handles this automatically.

    Read more in the knowledge base: Core Web Vitals →

  • InfoSecurity

    Missing `Cross-Origin-Embedder-Policy`. Cross-origin isolation lets you use SharedArrayBuffer and high-resolution timers safely.

    Send `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp`. Note this requires every embedded resource to send `Cross-Origin-Resource-Policy`.

    How to fix it

    Add Cross-Origin-Opener-Policy: same-origin (and where possible Cross-Origin-Embedder-Policy). This isolates your site from windows opened by other origins.

    Read more in the knowledge base: Security headers →

  • InfoTechnical

    Crawl stopped at the max-pages limit (6); 13 sitemap URLs were not visited but might still be reachable.

    Re-run with `--max-pages 2000` (or higher) before trusting orphan-from-sitemap counts.

  • InfoTechnical

    No HTML sitemap link found on the homepage. Placing one in the footer is an industry best practice for UX and crawler/AI discovery.

    Add a link to a user-facing HTML sitemap (e.g. `/sitemap`, not `sitemap.xml`) inside the <footer>. An HTML sitemap acts as a structural overview for lost visitors and as a fallback discovery surface for search engines and AI crawlers.

  • InfoLegal

    Site sets cookies on 8 page(s) but no cookie consent mechanism was detected.

    Implement a CMP (Cookiebot, OneTrust, Usercentrics, Complianz) or build a consent banner. GDPR and ePrivacy require prior consent for non-essential cookies in the EU.

  • InfoQuality impression

    Homepage has no `<link rel="icon">` — browsers will request /favicon.ico which may 404.

    Add a custom favicon that reflects your brand. A missing favicon causes extra 404 log noise and looks unprofessional in browser tabs and bookmarks.

Full audit performed on 9 July 2026.

More from the register

Other websites holding an active WebYes certification. Every report is public and audited on the same four pillars.

e-bids.nl✓ Certified

Score 96 / 100 · view the report →

solarfast.nl✓ Certified

Score 94 / 100 · view the report →

webyes.nl✓ Certified

Score 94 / 100 · view the report →

kemptegelwerk.nl✓ Certified

Score 100 / 100 · view the report →

Scan your own websiteView the certification register →Share your score:LinkedInX
webyes

Het onafhankelijke keurmerk voor Nederlandse websites. Kalm, transparant, jaarlijks herkeurd.

Start gratis scan

Keurmerk

  • Start gratis scan
  • Hoe het werkt
  • Keurmerkregister
  • Prijzen
  • Veelgestelde vragen

Kennis

  • Kennisbank
  • Blog
  • Jaarrapport

Bedrijf

  • Over ons
  • Contact
  • Mijn account

Juridisch

  • Privacybeleid
  • Algemene voorwaarden
  • Cookies
© 2026 WebYesGebouwd in Nederland.

Jaarrapport in de maak. In de maak: het jaarrapport over de staat van het Nederlandse web. Lees meer →

webyes
WerkwijzePrijzenRegisterKennisbankOver ons
InloggenStart gratis scan