solarfast.nl
Certified on 9 July 2026 · 8 pages checked · 6 improvements found
Score over time
Every audit and re-audit counts: this is the average score per scan day.
Full audit
Part of the WebYes certification: beyond the four pillars we also audit SEO, structured data, content, links, privacy and AI findability. These extra categories do not count towards the certification score.
Findings (12)
- WarningSecurity
Sensitive path reachable: /admin/ (HTTP 200, 15930 bytes).
Block the path at the reverse proxy (deny .git/.env/etc.), remove the file from the deploy artifact, and rotate any secrets that may have been exposed.
How to fix it
A sensitive path is publicly reachable (such as a .env file, .git folder or admin panel). Block the path at the server level or take the file offline, and rotate any leaked keys.
- WarningSecurity
CSP allows `'unsafe-inline'` without a nonce or hash — this effectively disables script-src protection against XSS.
Generate a per-response nonce in your server-rendered pages and emit `script-src 'nonce-<nonce>' 'strict-dynamic'`. Inline `<script nonce='...'>` tags then load while attacker-injected ones don't.
How to fix it
Give inline scripts a nonce or hash in your CSP instead of allowing them via 'unsafe-inline'. Most frameworks (including Next.js) can generate per-request nonces.
- WarningSpam signals
Term "thuisbatterij" appears unusually often (9×, 7% of words).
Rewrite for natural language — repeated exact-match phrases can trigger spam classifiers.
- InfoSpeed
1 image(s) ≥800px wide without srcset or <picture> for responsive delivery.
Use `srcset` with multiple resolutions or wrap images in `<picture>` with WebP/AVIF sources. In Next.js, use `next/image` which handles this automatically. Without responsive images, mobile users download desktop-sized assets.
How to fix it
Serve images in a modern format (WebP or AVIF), scaled to the size at which they are displayed. An image service or build step (such as next/image) handles this automatically.
- InfoSecurity
No `/.well-known/security.txt` published.
Publish a `security.txt` (RFC 9116) at `/.well-known/security.txt`. Even a one-line `Contact: mailto:[email protected]` plus an `Expires:` date is enough; it gives white-hat researchers somewhere to send reports instead of giving up.
How to fix it
Publish a security.txt at /.well-known/security.txt with a contact address for security reports. Researchers then know where to report a vulnerability.
- InfoSecurity
Missing `Cross-Origin-Embedder-Policy`. Cross-origin isolation lets you use SharedArrayBuffer and high-resolution timers safely.
Send `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp`. Note this requires every embedded resource to send `Cross-Origin-Resource-Policy`.
How to fix it
Add Cross-Origin-Opener-Policy: same-origin (and where possible Cross-Origin-Embedder-Policy). This isolates your site from windows opened by other origins.
- InfoSecurity
No `Cross-Origin-Resource-Policy` header. Without it, side-channel attacks via Spectre-style speculative execution stay viable.
Send `Cross-Origin-Resource-Policy: same-origin` for HTML responses, and `cross-origin` for assets you intentionally publish (e.g. fonts, JS bundles).
How to fix it
Add Cross-Origin-Resource-Policy: same-origin (or same-site) to your responses so other sites cannot freely embed your files.
- InfoContent
Text-to-HTML ratio is 1.0% (target ≥ 2%).
Very low ratios usually mean the hydration payload, inline RSC blob or a vendor script is bigger than the rendered prose. Inspect the largest scripts and externalise or split them.
- InfoTechnical
Crawl stopped at the max-pages limit (6); 68 sitemap URLs were not visited but might still be reachable.
Re-run with `--max-pages 2000` (or higher) before trusting orphan-from-sitemap counts.
- InfoTechnical
No HTML sitemap link found on the homepage. Placing one in the footer is an industry best practice for UX and crawler/AI discovery.
Add a link to a user-facing HTML sitemap (e.g. `/sitemap`, not `sitemap.xml`) inside the <footer>. An HTML sitemap acts as a structural overview for lost visitors and as a fallback discovery surface for search engines and AI crawlers.
- InfoQuality impression
Homepage has no `<link rel="icon">` — browsers will request /favicon.ico which may 404.
Add a custom favicon that reflects your brand. A missing favicon causes extra 404 log noise and looks unprofessional in browser tabs and bookmarks.
- InfoPrivacy
4 phone-shaped string(s) appear in main content. Examples: 020 250 46 70.
If the phone numbers are intentional public contact info, ignore this finding. If they're personal numbers (employees, customer testimonials), redact or replace with a routing alias.
Full audit performed on 9 July 2026.
More from the register
Other websites holding an active WebYes certification. Every report is public and audited on the same four pillars.