Robbies

Ciao Bella of Islamorada Salon, Day Spa, Wellness and Yoga

Audited 2026-03-23

Overall

1 Critical 3 High 4 Medium 3 Low

Our website audit reveals an overall healthy site structure, though several technical improvements are required to optimize security and search engine performance. The most urgent priority is implementing missing security headers, which are currently leaving the site vulnerable to potential exploits. We recommend authorizing our team to address these security configurations and resolve the primary structural errors immediately to ensure a more secure and search-engine-friendly experience.

SEO

100

Performance

100

Accessibility

100

UI / Visual

100

Content

Technical

Screenshots

Desktop (1440px)

Mobile (375px)

SEO

2 high

high

Multiple H1 tags (2)

Found 2 H1 tags: "Voted The #1 Salon & Spa"; "Voted The #1 Salon & Spa". Confuses search engines about the page topic.

Keep only one H1 — the primary page heading. Remove or demote the others to H2.

high

Heading hierarchy skip

Heading jumps from H2 to H4: "Experience the power of the Gong in an intimate setting"

Use H3 instead of H4 here.

Technical

1 critical 1 high 4 medium 3 low

critical

Missing HSTS header

The HSTS HTTP response header is not set.

Add to your server/CDN/nginx config: Strict-Transport-Security: max-age=31536000; includeSubDomains

high

Missing X-Content-Type-Options header

The X-Content-Type-Options HTTP response header is not set.

Add to your server/CDN/nginx config: X-Content-Type-Options: nosniff

medium

Missing X-Frame-Options header

The X-Frame-Options HTTP response header is not set.

Add to your server/CDN/nginx config: X-Frame-Options: SAMEORIGIN

medium

Missing Content-Security-Policy header

The Content-Security-Policy HTTP response header is not set.

Add to your server/CDN/nginx config: Content-Security-Policy: default-src 'self'; img-src * data:; script-src 'self' (customize per stack)

medium

1 cookie(s) missing Secure flag

Cookies without Secure flag can be sent over HTTP: nitroCachedPage

Add the Secure attribute to all cookies on HTTPS sites.

medium

1 cookie(s) missing HttpOnly flag

Cookies accessible via JavaScript: nitroCachedPage. XSS can steal them.

Add HttpOnly attribute to session and auth cookies.

low

Missing Referrer-Policy header

The Referrer-Policy HTTP response header is not set.

Add to your server/CDN/nginx config: Referrer-Policy: strict-origin-when-cross-origin

low

Missing Permissions-Policy header

The Permissions-Policy HTTP response header is not set.

Add to your server/CDN/nginx config: Permissions-Policy: camera=(), microphone=(), geolocation=()

low

4 cookie(s) missing SameSite attribute

Cookies without SameSite may be sent on cross-site requests: __cf_bm, __cf_bm, __cf_bm

Set SameSite=Lax or Strict on all cookies.

New Audit Robbies History

# QA Report: https://ciaobellaislamorada.com/ **Client:** Robbies **Overall Score:** 94/100 **Date:** 2026-03-23 Our website audit reveals an overall healthy site structure, though several technical improvements are required to optimize security and search engine performance. The most urgent priority is implementing missing security headers, which are currently leaving the site vulnerable to potential exploits. We recommend authorizing our team to address these security configurations and resolve the primary structural errors immediately to ensure a more secure and search-engine-friendly experience. **Issues:** 1 critical · 3 high · 4 medium · 3 low ## SEO (90/100) - **[HIGH]** Multiple H1 tags (2) - Found 2 H1 tags: "Voted The #1 Salon & Spa"; "Voted The #1 Salon & Spa". Confuses search engines about the page topic. - Fix: Keep only one H1 — the primary page heading. Remove or demote the others to H2. - **[HIGH]** Heading hierarchy skip - Heading jumps from H2 to H4: "Experience the power of the Gong in an intimate setting" - Fix: Use H3 instead of H4 here. ## Technical (74/100) - **[CRITICAL]** Missing HSTS header - The HSTS HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Strict-Transport-Security: max-age=31536000; includeSubDomains - **[HIGH]** Missing X-Content-Type-Options header - The X-Content-Type-Options HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: X-Content-Type-Options: nosniff - **[MEDIUM]** Missing X-Frame-Options header - The X-Frame-Options HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: X-Frame-Options: SAMEORIGIN - **[MEDIUM]** Missing Content-Security-Policy header - The Content-Security-Policy HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Content-Security-Policy: default-src 'self'; img-src * data:; script-src 'self' (customize per stack) - **[MEDIUM]** 1 cookie(s) missing Secure flag - Cookies without Secure flag can be sent over HTTP: nitroCachedPage - Fix: Add the Secure attribute to all cookies on HTTPS sites. - **[MEDIUM]** 1 cookie(s) missing HttpOnly flag - Cookies accessible via JavaScript: nitroCachedPage. XSS can steal them. - Fix: Add HttpOnly attribute to session and auth cookies. - **[LOW]** Missing Referrer-Policy header - The Referrer-Policy HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Referrer-Policy: strict-origin-when-cross-origin - **[LOW]** Missing Permissions-Policy header - The Permissions-Policy HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Permissions-Policy: camera=(), microphone=(), geolocation=() - **[LOW]** 4 cookie(s) missing SameSite attribute - Cookies without SameSite may be sent on cross-site requests: __cf_bm, __cf_bm, __cf_bm - Fix: Set SameSite=Lax or Strict on all cookies.