televisieselectie.nl
Certified on 15 July 2026 · 8 pages checked · 12 improvements found
Full audit
Part of the WebYes certification: beyond the four pillars we also audit SEO, structured data, content, links, privacy and AI findability. These extra categories do not count towards the certification score.
Findings (21)
- ErrorAccessibility
1 <input> element(s) have no associated label, aria-label, or aria-labelledby.
Associate a <label for="inputId"> or add aria-label="..." to every visible form input.
How to fix it
Link every form field to a label via for/id, or use aria-label. A placeholder alone is not enough: it disappears as soon as someone types.
- ErrorAccessibility
1 focusable element(s) have aria-hidden="true", making them invisible to screen readers but still reachable via keyboard.
Remove aria-hidden from focusable elements, or add tabindex="-1" to also remove them from the tab order.
How to fix it
Elements with aria-hidden="true" are still keyboard-focusable. Remove them from the tab order too (tabindex="-1") or hide them properly.
- WarningAccessibility
3 image(s) with alt="" lack role="presentation" or aria-hidden="true".
Mark decorative images explicitly: <img alt="" role="presentation"> or <img alt="" aria-hidden="true">.
- WarningSecurity
Sensitive path reachable: /admin/ (HTTP 200, 17674 bytes).
Block the path at the reverse proxy (deny .git/.env/etc.), remove the file from the deploy artifact, and rotate any secrets that may have been exposed.
How to fix it
A sensitive path is publicly reachable (such as a .env file, .git folder or admin panel). Block the path at the server level or take the file offline, and rotate any leaked keys.
- WarningSecurity
No Content-Security-Policy header — XSS / clickjacking surface is wide open.
Start with a strict-dynamic CSP using nonces: `Content-Security-Policy: script-src 'nonce-<...>' 'strict-dynamic'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'`. Roll out in `Content-Security-Policy-Report-Only` first to catch violations.
How to fix it
Add a Content-Security-Policy header that defines which sources may load scripts and styles. Start with a report-only policy if needed and tighten it from there.
- WarningOn-page SEO
Title is too long (76 chars, max 60); will be truncated in SERPs.
Trim to ~60 characters and keep the most important keywords on the left.
- WarningSpam signals
Term "gratis" appears unusually often (36×, 4% of words).
Rewrite for natural language — repeated exact-match phrases can trigger spam classifiers.
- InfoSpeed
Likely LCP image is missing `fetchpriority="high"`.
Add `fetchpriority="high"` to the hero image (/_next/image?url=%2Fimages%2Fevents%2Fwielrennen.webp&w=1920&q=75) so the browser fetches it ahead of low-priority resources. Saves 100-300ms LCP on typical pages.
How to fix it
Prioritise your largest above-the-fold image with fetchpriority="high" or a preload link. The download then starts immediately instead of after the rest of the page.
- InfoSpeed
Page preloads 5 fonts (threshold: 4).
Each preloaded font competes with other critical resources for bandwidth during early page load. Limit preloads to the 2-3 fonts visible above the fold, lazy-load the rest, and consider variable fonts to reduce file count. Use `next/font` in Next.js for automatic subsetting.
How to fix it
Limit the number of font files: pick one or two families and only the weights you actually use. Every extra font file delays first paint.
- InfoMobile
8 links have very short anchor text (≤2 chars), likely producing small tap targets.
Ensure interactive elements have a minimum 48x48px touch area. Use padding or min-height/min-width on short-text links.
How to fix it
Make buttons and links at least 44 by 44 pixels (or give them more padding) and keep some distance between tappable elements. Thumbs are less precise than mouse pointers.
- InfoSecurity
No `/.well-known/security.txt` published.
Publish a `security.txt` (RFC 9116) at `/.well-known/security.txt`. Even a one-line `Contact: mailto:[email protected]` plus an `Expires:` date is enough; it gives white-hat researchers somewhere to send reports instead of giving up.
How to fix it
Publish a security.txt at /.well-known/security.txt with a contact address for security reports. Researchers then know where to report a vulnerability.
- InfoSecurity
Missing `Cross-Origin-Opener-Policy` + `Cross-Origin-Embedder-Policy`. Cross-origin isolation lets you use SharedArrayBuffer and high-resolution timers safely.
Send `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp`. Note this requires every embedded resource to send `Cross-Origin-Resource-Policy`.
How to fix it
Add Cross-Origin-Opener-Policy: same-origin (and where possible Cross-Origin-Embedder-Policy). This isolates your site from windows opened by other origins.
- InfoSecurity
No `Cross-Origin-Resource-Policy` header. Without it, side-channel attacks via Spectre-style speculative execution stay viable.
Send `Cross-Origin-Resource-Policy: same-origin` for HTML responses, and `cross-origin` for assets you intentionally publish (e.g. fonts, JS bundles).
How to fix it
Add Cross-Origin-Resource-Policy: same-origin (or same-site) to your responses so other sites cannot freely embed your files.
- InfoSecurity
robots.txt Disallow lines reveal sensitive paths: /admin/.
Listing a path under `Disallow:` doesn't hide it — it advertises it. Either move the resource behind auth and remove the Disallow line, or stop linking the path entirely so it never gets indexed.
- InfoStructured data
Page has no JSON-LD structured data in the initial HTML.
Server-render JSON-LD in the HTML response. If this is currently injected after hydration (for example with next/script afterInteractive), static crawlers and AI bots may not see it.
- InfoContent
Text-to-HTML ratio is 1.4% (target ≥ 2%).
Very low ratios usually mean the hydration payload, inline RSC blob or a vendor script is bigger than the rendered prose. Inspect the largest scripts and externalise or split them.
- InfoTechnical
2 crawled page(s) are not listed in any sitemap.
Add these URLs to your sitemap or noindex them. Example: https://televisieselectie.nl/kalender, https://televisieselectie.nl/tools
- InfoTechnical
Crawl stopped at the max-pages limit (6); 280 sitemap URLs were not visited but might still be reachable.
Re-run with `--max-pages 2000` (or higher) before trusting orphan-from-sitemap counts.
- InfoTechnical
No HTML sitemap link found on the homepage. Placing one in the footer is an industry best practice for UX and crawler/AI discovery.
Add a link to a user-facing HTML sitemap (e.g. `/sitemap`, not `sitemap.xml`) inside the <footer>. An HTML sitemap acts as a structural overview for lost visitors and as a fallback discovery surface for search engines and AI crawlers.
- InfoQuality impression
Homepage has no `<link rel="icon">` — browsers will request /favicon.ico which may 404.
Add a custom favicon that reflects your brand. A missing favicon causes extra 404 log noise and looks unprofessional in browser tabs and bookmarks.
- InfoPrivacy
1 phone-shaped string(s) appear in main content. Examples: 866341225.
If the phone numbers are intentional public contact info, ignore this finding. If they're personal numbers (employees, customer testimonials), redact or replace with a routing alias.
Full audit performed on 15 July 2026.
More from the register
Other websites holding an active WebYes certification. Every report is public and audited on the same four pillars.