Redirect Chain Too Long — Multiple Hops Before the Real Page Loads
Learn how Scavo measures redirect hops, why chains slow users and crawlers down, and how to flatten protocol, host, and legacy URL redirects into cleaner routes.
Open guidePractical help guides mapped directly to scan checks.
Every guide is mapped 1:1 to an active check key so you can move from warning to fix without guesswork.
Unsafe Cookie Flags — Session Cookies Too Easy to Steal or Replay
Learn how Scavo checks live Set-Cookie headers for Secure, HttpOnly, SameSite, and prefix-rule mistakes so session and auth cookies are not left too loose.
Open guideWeak Security Headers — Missing or Misconfigured Browser Protections
Learn how Scavo checks critical browser security headers, including weak or invalid values, so your live responses are not giving a false sense of protection.
Open guideIndexability Signals Conflicting — Canonical vs Noindex vs Hreflang
Learn how Scavo checks for contradictions between meta robots, X-Robots-Tag, canonical tags, and hreflang so one URL does not send search engines mixed instructions.
Open guideMeta Robots or X-Robots-Tag Blocking Indexing by Accident
Learn how Scavo checks both the robots meta tag and X-Robots-Tag headers so hidden noindex directives do not quietly keep important pages out of search.
Open guideTracking Continues After Cookie Rejection — GDPR Non-Compliance
The EDPB Cookie Banner Taskforce confirmed that when users reject cookies, all third-party tracking must stop immediately (EDPB Report, 2023-2024). Sweden's data authority ruled in March 2025 that even making the "accept" button more visually prominent than "refuse" violates compliance rules. If your trackers persist after rejection, you're not just non-compliant — you're creating audit evidence against yourself.
Open guideContent Security Policy (CSP) Missing or Too Permissive
XSS accounts for approximately 20% of reported web vulnerabilities across all industries (OWASP, 2024). A strong CSP is your primary defence — yet only 21.9% of sites have adopted CSP (HTTP Archive, 2025), and 91% of those still include unsafe-inline, making the policy ineffective. Without CSP, a single compromised third-party script or input field can steal user data, inject malware, or deface your site.
Open guideTracking Fires Before Cookie Consent — GDPR Violation Risk
CNIL fined Google €150M in 2021 for making cookie rejection harder than acceptance, then escalated to a €325M fine in September 2025 for inserting ads without valid consent (CNIL enforcement records). These aren't just big-company problems — the EDPB's 2024 guidelines confirm that any storage or access to information on user devices (cookies, URL tracking, pixel tracking) requires prior consent. Every unconsented tracker impression is a violation.
Open guideHSTS (HTTP Strict Transport Security) Not Enabled
Only 17.5% of the top 1 million HTTPS websites have HSTS enabled, dropping to just 7% across the entire web (HTTP Archive, 2024). Without HSTS, attackers on the same network can perform SSL stripping — intercepting the initial HTTP request and serving malicious content before your redirect to HTTPS kicks in. This is especially dangerous for users on public Wi-Fi, where these attacks are trivial to execute.
Open guideHigh-Risk Trackers Active Without Explicit Consent
GDPR classifies browser fingerprinting as personal data processing requiring prior consent, and session replay tools that capture form data or personal information require explicit, informed consent (GDPR Article 4). Non-compliance carries fines up to €20M or 4% of global annual revenue, whichever is higher (GDPR Article 83). These are the highest-risk trackers regulators look for because they're inherently invasive.
Open guideHTTP to HTTPS Redirect Missing — Security and SEO Risk
Google has used HTTPS as a ranking signal since 2014, and 86.9% of websites now use HTTPS (W3Techs, 2025). If your site doesn't redirect HTTP to HTTPS, visitors land on an unencrypted connection where data can be intercepted. Search engines also treat HTTP and HTTPS as separate URLs, splitting your ranking authority between two versions of every page.
Open guideMixed Content — HTTP Resources Loading on HTTPS Pages
Chrome now automatically blocks mixed content on HTTPS pages — meaning HTTP-loaded scripts and resources simply won't work (Chrome Security, 2024). This breaks page functionality silently: images disappear, styles fail to load, and interactive features stop working. Your users see a degraded experience without understanding why, and search engines flag it as a sign of poor maintenance.
Open guide