Skip to content
Start free scan
Public reportCertified until 8 July 2027

mgsoftware.nl

Visit mgsoftware.nl ↗

Speed
87
Security
72
Mobile
100
Accessibility
70
Average score
82/ 100
Better than 38% of the 13 scanned sites
✓ WebYes certified

Certified on 8 July 2026 · 8 pages checked · 7 improvements found

Score over time

Every audit and re-audit counts: this is the average score per scan day.

certification threshold (80)
7 July 20268 July 2026

Full audit

Part of the WebYes certification: beyond the four pillars we also audit SEO, structured data, content, links, privacy and AI findability. These extra categories do not count towards the certification score.

Legal
83
Spam signals
94
Content
99
Technical
99
Quality impression
99
On-page SEO
100
Links
100
Structured data
100
AI findability (GEO)
100
URL structure
100
Social
100
Privacy
100

Findings (13)

  • WarningSpeed

    HTML document is 799 KB (budget: 488.28125 KB).

    Large HTML payloads delay First Contentful Paint on slow connections. Server-render only above-the-fold content and lazy-load the rest, or paginate long listing pages. In Next.js, use streaming with `loading.tsx` to flush the shell early.

    How to fix it

    Your HTML document is considerably larger than needed. The usual culprits are inline CSS or JSON data in the page; move those to separate files or load them only when needed.

    Read more in the knowledge base: Testing website speed →

  • WarningAccessibility

    Page has no skip-navigation link for keyboard users.

    Add a visually hidden link as the first focusable element: <a href="#main-content" class="skip-link">Skip to content</a>.

    How to fix it

    Add a 'skip link' as the first link on the page that jumps to the main content (<a href="#main-content">Skip to content</a>). Keyboard users then do not have to tab through the entire menu.

    Read more in the knowledge base: WCAG guidelines →

  • WarningSecurity

    Weak CSP: no `report-uri` or `report-to`.

    Drop `unsafe-eval`, replace wildcard hosts with explicit origins, and configure a reporting endpoint so you can see violations as you tighten the policy.

    How to fix it

    Your Content-Security-Policy contains broad rules such as 'unsafe-inline' or a wildcard. Replace them with explicit sources and use nonces or hashes for inline scripts.

    Read more in the knowledge base: Security headers →

  • WarningSecurity

    CSP allows `'unsafe-inline'` without a nonce or hash — this effectively disables script-src protection against XSS.

    Generate a per-response nonce in your server-rendered pages and emit `script-src 'nonce-<nonce>' 'strict-dynamic'`. Inline `<script nonce='...'>` tags then load while attacker-injected ones don't.

    How to fix it

    Give inline scripts a nonce or hash in your CSP instead of allowing them via 'unsafe-inline'. Most frameworks (including Next.js) can generate per-request nonces.

    Read more in the knowledge base: Security headers →

  • WarningLegal

    No link to a privacy policy was found on any crawled page.

    Add a privacy policy page and link to it from the footer of every page. Required by GDPR, CCPA, and Google AdSense. Most browsers and AI agents check for this.

  • WarningSpam signals

    Term "2024" appears unusually often (20×, 4% of words).

    Rewrite for natural language — repeated exact-match phrases can trigger spam classifiers.

  • InfoSpeed

    4 image(s) ≥800px wide without srcset or <picture> for responsive delivery.

    Use `srcset` with multiple resolutions or wrap images in `<picture>` with WebP/AVIF sources. In Next.js, use `next/image` which handles this automatically. Without responsive images, mobile users download desktop-sized assets.

    How to fix it

    Serve images in a modern format (WebP or AVIF), scaled to the size at which they are displayed. An image service or build step (such as next/image) handles this automatically.

    Read more in the knowledge base: Core Web Vitals →

  • InfoSecurity

    No `/.well-known/security.txt` published.

    Publish a `security.txt` (RFC 9116) at `/.well-known/security.txt`. Even a one-line `Contact: mailto:[email protected]` plus an `Expires:` date is enough; it gives white-hat researchers somewhere to send reports instead of giving up.

    How to fix it

    Publish a security.txt at /.well-known/security.txt with a contact address for security reports. Researchers then know where to report a vulnerability.

    Read more in the knowledge base: Security headers →

  • InfoSecurity

    Missing `Cross-Origin-Embedder-Policy`. Cross-origin isolation lets you use SharedArrayBuffer and high-resolution timers safely.

    Send `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp`. Note this requires every embedded resource to send `Cross-Origin-Resource-Policy`.

    How to fix it

    Add Cross-Origin-Opener-Policy: same-origin (and where possible Cross-Origin-Embedder-Policy). This isolates your site from windows opened by other origins.

    Read more in the knowledge base: Security headers →

  • InfoOn-page SEO

    Meta description is slightly over the recommended length (165 chars, max 160).

  • InfoContent

    Text-to-HTML ratio is 0.8% (target ≥ 2%).

    Very low ratios usually mean the hydration payload, inline RSC blob or a vendor script is bigger than the rendered prose. Inspect the largest scripts and externalise or split them.

  • InfoTechnical

    No HTML sitemap link found on the homepage. Placing one in the footer is an industry best practice for UX and crawler/AI discovery.

    Add a link to a user-facing HTML sitemap (e.g. `/sitemap`, not `sitemap.xml`) inside the <footer>. An HTML sitemap acts as a structural overview for lost visitors and as a fallback discovery surface for search engines and AI crawlers.

  • InfoQuality impression

    Homepage has no `<link rel="icon">` — browsers will request /favicon.ico which may 404.

    Add a custom favicon that reflects your brand. A missing favicon causes extra 404 log noise and looks unprofessional in browser tabs and bookmarks.

Full audit performed on 8 July 2026.

More from the register

Other websites holding an active WebYes certification. Every report is public and audited on the same four pillars.

domeinflits.nl✓ Certified

Score 90 / 100 · view the report →

solarfast.nl✓ Certified

Score 94 / 100 · view the report →

webyes.nl✓ Certified

Score 94 / 100 · view the report →

duurzaamgefinancierd.nl✓ Certified

Score 96 / 100 · view the report →

Scan your own websiteView the certification register →Share your score:LinkedInX
webyes

Het onafhankelijke keurmerk voor Nederlandse websites. Kalm, transparant, jaarlijks herkeurd.

Start gratis scan

Keurmerk

  • Start gratis scan
  • Hoe het werkt
  • Keurmerkregister
  • Prijzen
  • Veelgestelde vragen

Kennis

  • Kennisbank
  • Blog
  • Jaarrapport

Bedrijf

  • Over ons
  • Contact
  • Mijn account

Juridisch

  • Privacybeleid
  • Algemene voorwaarden
  • Cookies
© 2026 WebYesGebouwd in Nederland.

Jaarrapport in de maak. In de maak: het jaarrapport over de staat van het Nederlandse web. Lees meer →

webyes
WerkwijzePrijzenRegisterKennisbankOver ons
InloggenStart gratis scan