What we check
Every Resync Radar scan runs these checks on your website. Checks labelled full belong to the paid subscription; the rest are in every free scan.
Security 8 checks
-
No HTTPS
security.no-httpsseriousWithout HTTPS all traffic is readable and modifiable in transit.
Fix: Install a valid TLS certificate and enforce HTTPS (redirect + HSTS).
-
Missing HSTS header
security.hsts-missingseriousStrict-Transport-Security forces browsers to always reach the site over HTTPS, which protects against downgrade attacks.
Fix: Send Strict-Transport-Security: max-age=63072000; includeSubDomains.
-
Missing Content-Security-Policy
security.csp-missingmoderateA CSP is an important defence layer against cross-site scripting (XSS).
Fix: Add a Content-Security-Policy header, as strict as your site allows.
-
Missing X-Content-Type-Options
security.nosniff-missingmoderateX-Content-Type-Options: nosniff stops browsers interpreting files as another type (MIME sniffing).
Fix: Send the header X-Content-Type-Options: nosniff.
-
Missing Referrer-Policy
security.referrer-policy-missingminor fullA Referrer-Policy limits which URL information leaks to other sites when visitors follow links.
Fix: Send e.g. Referrer-Policy: strict-origin-when-cross-origin.
-
Missing Permissions-Policy
security.permissions-policy-missingminor fullA Permissions-Policy limits which browser features (camera, microphone, geolocation) the page and embedded frames may use.
Fix: Send a Permissions-Policy that disables unused features.
-
No clickjacking protection
security.frame-options-missingmoderate fullWithout X-Frame-Options or CSP frame-ancestors your site can be loaded in an invisible frame (clickjacking).
Fix: Set CSP frame-ancestors 'self' (or X-Frame-Options: DENY).
-
Version in Server header
security.server-bannerminor fullA Server header with a version number makes it easier for attackers to look up known vulnerabilities.
Fix: Hide the version number in the Server header (turn off server tokens).
email 6 checks
-
Missing SPF record
email.spf-missingserious fullSPF tells receiving mail servers which servers may send on behalf of your domain; without SPF anyone can spoof your domain.
Fix: Publish a TXT record 'v=spf1 …' that ends in -all.
-
Weak SPF policy
email.spf-weakmoderate fullAn SPF that doesn't end in -all (hardfail) still lets spoofed mail through.
Fix: End your SPF record with -all instead of ~all/?all/+all.
-
Missing DMARC record
email.dmarc-missingserious fullDMARC decides what receivers do with mail that fails SPF/DKIM, and gives you reports about abuse.
Fix: Publish a TXT record at _dmarc.<domain>: 'v=DMARC1; p=reject; …'.
-
Weak DMARC policy
email.dmarc-policy-weakmoderate fullWith p=none spoofed mail is reported but not blocked.
Fix: Set the DMARC policy to p=quarantine or p=reject.
-
No DKIM found
email.dkim-missingminor fullDKIM signs outgoing email so receivers can verify authenticity. We look at the common selectors.
Fix: Enable DKIM at your mail provider and publish the DKIM key.
-
No mail server (MX)
email.mx-missinginfo fullWithout an MX record the domain receives no email. Purely informational; spoofing protection (SPF/DMARC) is still recommended.
Fix: Add MX records if this domain is supposed to receive email.
Accessibility 3 checks
-
Missing language setting
a11y.html-lang-missingseriousThe lang attribute on <html> tells screen readers which language to read the page in (WCAG 3.1.1).
Fix: Set <html lang="en"> (or the correct language code) on the page.
-
Images without alt text
a11y.img-alt-missingmoderateImages need an alt attribute so blind and low-vision visitors get the content (WCAG 1.1.1). An empty alt="" is fine for decoration.
Fix: Give meaningful images a descriptive alt text; decorative images an empty alt="".
-
Missing viewport meta
a11y.viewport-missingmoderateWithout a viewport meta the page doesn't scale on mobile and visitors struggle to zoom.
Fix: Add <meta name="viewport" content="width=device-width, initial-scale=1">.
SEO 7 checks
-
Missing page title
seo.title-missingseriousEvery page should have one clear <title>; search engines show it as the heading in results.
Fix: Give the page a unique, descriptive <title> of at most 60 characters.
-
Page title too long
seo.title-too-longminorTitles longer than 60 characters are truncated in search results.
Fix: Shorten the title to at most 60 characters.
-
Missing meta description
seo.meta-description-missingmoderateThe meta description is the snippet under your link in search results; without one the search engine picks its own.
Fix: Add a <meta name="description"> of 50–160 characters.
-
Meta description length
seo.meta-description-lengthminorA description of 50–160 characters fits neatly in search results.
Fix: Rewrite the description to 50–160 characters.
-
Missing H1 heading
seo.h1-missingmoderateOne clear H1 tells visitors and search engines what the page is about.
Fix: Give the page exactly one <h1> with the main heading.
-
Multiple H1 headings
seo.h1-multipleminor fullMultiple H1s on one page dilute the main message.
Fix: Use one <h1> and move the other headings to <h2>/<h3>.
-
Missing Open Graph title
seo.og-title-missingminor fullOpen Graph tags decide how your page looks when it is shared on social media.
Fix: Add <meta property="og:title"> (and og:description, og:image).
Ready to scan?
Run a free scan on your homepage, no account needed.
Start a free scan