⚠️ DEV TOOL: This page intentionally contains SEO issues for testing.

Privacy & Security Policy

How Acme Analytics protects your data with enterprise-grade security, compliance frameworks, and transparent data practices.

Mixed Content Issues #1 #2 #185

HTTP Image on HTTPS Page #2 CRITICAL

The image below is intentionally loaded over http:// on this HTTPS page. Browsers will block or warn about this mixed content. It signals to Google that the site's security posture is poor.

Mixed content HTTP image example

SEO ISSUE #2: src="http://..." used on an HTTPS page. Browsers show a "Not Secure" warning. Chrome blocks mixed active content. This also affects Core Web Vitals.

Mixed Active Content — HTTP Script #185 CRITICAL

The following script tag loads JavaScript from an http:// URL. Browsers block mixed active content (scripts, stylesheets, iframes). This will silently break page functionality.

<!-- SEO ISSUE #185: Mixed active content — HTTP script on HTTPS page -->
<script src="http://cdn.example.com/analytics-tracker.js"></script>
<!-- ↑ Blocked by browser. Should be https:// -->

HTTPS Enforcement Missing #1 CRITICAL

This site does not enforce HTTPS via server-side redirect. Visiting http://acmeanalytics.example.com serves the same content without being upgraded to HTTPS, exposing users to man-in-the-middle attacks.

Missing HTTP Security Headers

Strict-Transport-Security (HSTS) Missing #136 IMP

The Strict-Transport-Security response header is absent from this server. Without HSTS, browsers will not automatically upgrade future HTTP requests to HTTPS. Users who type the URL without https:// make their first request in plaintext, where it can be intercepted or redirected.

# SEO ISSUE #136: Missing HSTS response header
# ABSENT from HTTP response headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# To fix: add this in nginx.conf or equivalent:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Content-Security-Policy (CSP) Missing #137 IMP

No CSP header or <meta http-equiv="Content-Security-Policy"> tag is present. Without CSP, the browser has no policy that restricts where scripts may load from, so the page lacks defence-in-depth against cross-site scripting (XSS). Google considers site security as part of its overall quality assessment.

<!-- SEO ISSUE #137: No CSP meta tag present -->
<!-- Missing: -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' https://cdn.example.com">

X-Frame-Options Missing #140 IMP

The X-Frame-Options header (or equivalent CSP frame-ancestors directive) is absent. Any external site can embed this page in an <iframe>, enabling clickjacking attacks that trick users into performing unintended actions.

# SEO ISSUE #140: X-Frame-Options ABSENT from response headers
# Missing: X-Frame-Options: SAMEORIGIN
# Or via CSP: Content-Security-Policy: frame-ancestors 'self'

Referrer-Policy Missing #139 STD

The Referrer-Policy response header is not set. When users click external links from this page, the full URL (including any path and query parameters containing sensitive data) is sent to the destination site in the HTTP Referer header.

# SEO ISSUE #139: Missing Referrer-Policy
# Add to server config: Referrer-Policy: no-referrer-when-downgrade
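The following script is an added example (not code from this page or from Acme Analytics) that audits a response's headers for the four issues above (#136, #137, #140, #139) and checks the plain-http response for issue #1. The finding codes and the two sample header sets are constructed for this script. One caveat it encodes: the value suggested above, no-referrer-when-downgrade, still sends the full URL on HTTPS-to-HTTPS navigations, so the script reports it as informational rather than as missing.

```python
"""Security-header audit for the issues listed above (#1, #136, #137, #139, #140).

Added example, not part of the original page or the Acme Analytics codebase.
Finding codes and the sample header sets are constructed for this script.
"""
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31536000  # one year, matching the page's nginx add_header line


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive; normalise once so lookups are simple.
    return {k.lower(): v for k, v in headers.items()}


def _csp_directives(csp: str) -> Dict[str, str]:
    # "default-src 'self'; frame-ancestors 'self'" -> {"default-src": "'self'", ...}
    out: Dict[str, str] = {}
    for part in csp.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(" ")
            out[name.lower()] = value.strip()
    return out


def _hsts_max_age(hsts: str) -> Optional[int]:
    # Extract the max-age directive; None if absent or unparsable.
    for token in hsts.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                return int(token[len("max-age="):])
            except ValueError:
                return None
    return None


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for the headers of an HTTPS response (empty list = clean)."""
    h = _lower_headers(headers)
    findings: List[str] = []

    # Issue #136: HSTS present with a max-age of at least one year.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("136:hsts-missing")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("136:hsts-max-age-too-short")

    # Issue #137: CSP header absent (a <meta> CSP would need an HTML scan, not done here).
    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp else {}
    if not csp:
        findings.append("137:csp-missing")

    # Issue #140: framing must be restricted by X-Frame-Options or CSP frame-ancestors.
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("140:framing-unrestricted")

    # Issue #139: Referrer-Policy absent. The two values below still send the full
    # URL on HTTPS-to-HTTPS navigations, so they are reported as informational.
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("139:referrer-policy-missing")
    elif rp.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append("139:referrer-policy-sends-full-url")

    return findings


def audit_https_redirect(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Issue #1: the response to a plain http:// request must redirect to https://."""
    location = _lower_headers(headers).get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return None
    return "1:https-not-enforced"


# Constructed samples: the deployment described on this page sets none of the
# headers, and a hardened set uses the values the page recommends.
AS_DEPLOYED_HEADERS: Dict[str, str] = {"Content-Type": "text/html"}
HARDENED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print("as deployed:", audit_security_headers(AS_DEPLOYED_HEADERS))
    print("hardened:   ", audit_security_headers(HARDENED_HEADERS))
    print("http -> ?:  ", audit_https_redirect(200, AS_DEPLOYED_HEADERS))
```

Feed it the headers captured from a real response (for example from a urllib or curl run) in place of the constructed dicts; the finding codes map back to the issue numbers used on this page so results can be cross-checked against the scanner notes below.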

External Links Without rel="noopener noreferrer" #50 STD

All external links below open in a new tab (target="_blank") but are missing rel="noopener noreferrer". The opened page can access and manipulate the opener page via window.opener, a reverse tabnabbing vulnerability.

SEO ISSUE #50: Fix: <a href="/seo-html/..." target="_blank" rel="noopener noreferrer">. The noreferrer also prevents the referrer header from being sent.
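As an added example (not code from this page or from Acme Analytics), the following standard-library scanner finds the markup-level issues documented above in one pass: http:// subresources on an HTTPS page, split into active (#185) and passive (#2) content, target="_blank" links without an opener guard (#50), and whether a CSP <meta> tag is present (#137). The sample HTML is constructed; the cdn.example.com script URL is the one shown on the page, and the image path is invented.

```python
"""Scan HTML for mixed content (#2, #185), unguarded target=_blank links (#50)
and the presence of a CSP meta tag (#137).

Added example, not part of the original page. Standard library only.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Resources the browser executes or applies: an http:// URL here is mixed
# ACTIVE content and is blocked outright.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
# Resources that are only displayed: mixed PASSIVE content, which browsers warn
# about (current Chrome first tries to auto-upgrade the URL to https://).
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class _Scanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []  # (issue code, tag, url)
        self.csp_meta: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}

        url_attr = ACTIVE_TAGS.get(tag) or PASSIVE_TAGS.get(tag)
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            url_attr = None  # <link rel="canonical"> and similar fetch nothing
        if url_attr and a.get(url_attr, "").lower().startswith("http://"):
            issue = "185:mixed-active" if tag in ACTIVE_TAGS else "2:mixed-passive"
            self.findings.append((issue, tag, a[url_attr]))

        # noreferrer implies noopener in current browsers, so either token is a guard.
        if tag == "a" and a.get("target", "").lower() == "_blank":
            rel = a.get("rel", "").lower().split()
            if "noopener" not in rel and "noreferrer" not in rel:
                self.findings.append(("50:blank-without-noopener", tag, a.get("href", "")))

        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.csp_meta = a.get("content", "")


def scan_html(document: str) -> List[Tuple[str, str, str]]:
    """Return (issue, tag, url) for each mixed-content subresource and unguarded _blank link."""
    s = _Scanner()
    s.feed(document)
    s.close()
    return s.findings


def csp_meta(document: str) -> Optional[str]:
    """Return the content of a CSP <meta> tag, or None when the page has none (issue #137)."""
    s = _Scanner()
    s.feed(document)
    s.close()
    return s.csp_meta


# Constructed sample modelled on the issues described on this page.
SAMPLE_HTML = """
<img src="http://acmeanalytics.example.com/img/hero.png" alt="Mixed content HTTP image example">
<script src="http://cdn.example.com/analytics-tracker.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<a href="https://partner.example.org/" target="_blank">Partner</a>
<a href="https://status.example.org/" target="_blank" rel="noopener noreferrer">Status</a>
"""

if __name__ == "__main__":
    for issue, tag, url in scan_html(SAMPLE_HTML):
        print(f"{issue:28} <{tag}> {url}")
    print("CSP meta:", csp_meta(SAMPLE_HTML))
```

The scanner reports by issue code so its output lines up with the numbered issues on this page; the https:// stylesheet and the link that already carries rel="noopener noreferrer" produce no findings, which is the expected result once the fixes above are applied.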

Our Security Certifications


SOC 2 Type II

Annually audited by an independent third-party. Full report available upon request under NDA.


GDPR Compliant

Data Processing Agreements available. EU Standard Contractual Clauses in place for international transfers.


ISO 27001

Information Security Management System certified. Annual penetration testing by CREST-accredited firms.

Data Encryption

All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256. Encryption keys are managed using AWS KMS with automatic rotation every 90 days.

Customer data is isolated at the application layer using tenant-specific encryption keys. Acme Analytics engineers cannot access customer data without explicit customer approval via our Data Access Request process.

SSL Certificate & Security Header Test Notes

This section documents expected scanner results for SSL/header fields on this deployment:

  • sslCertificateIssuer: Will show "Cloudflare, Inc." — edge-managed cert, not site-controlled. Document as PASS/INFO, not a fixable issue.
  • sslValidFrom / sslValidUntil: Cloudflare-managed cert dates — edge-managed, document as PASS/INFO.
  • hstsHeader: Intentionally MISSING — no Strict-Transport-Security header is set by this site (Issue #136). The public/_headers file deliberately omits this header.
  • contentSecurityPolicy: Intentionally MISSING — no Content-Security-Policy header set (Issue #137). Neither _headers nor any page meta tag sets CSP.
  • xFrameOptions: Intentionally MISSING — no X-Frame-Options header set (Issue #140). Deliberately omitted from _headers.

KNOWN LIMITATION: SSL certificate fields (sslCertificateIssuer, sslValidFrom, sslValidUntil) are managed entirely by Cloudflare's edge infrastructure. They will always reflect Cloudflare's certificate, not a custom certificate. This is expected behaviour for Cloudflare Pages deployments and should be classified as informational, not an actionable SEO issue.