Robbies

Ciao Bella of Islamorada Salon, Day Spa, Wellness and Yoga

Audited 2026-03-23

Overall

1 Critical 3 High 4 Medium 3 Low

The website maintains a strong foundation, though our latest audit identified several technical areas that require optimization to ensure peak performance and security. The most critical priority is the missing HSTS security header, which must be addressed immediately to protect site integrity and improve search rankings. I recommend that our technical team implements these security fixes and structural content updates promptly to enhance the site's overall reliability and SEO positioning.

SEO

100

Performance

100

Accessibility

100

UI / Visual

100

Content

Technical

Screenshots

Desktop (1440px)

Mobile (375px)

SEO

2 high

high

Multiple H1 tags (2)

Found 2 H1 tags: "Voted The #1 Salon & Spa"; "Voted The #1 Salon & Spa". Confuses search engines about the page topic.

Keep only one H1 — the primary page heading. Remove or demote the others to H2.

high

Heading hierarchy skip

Heading jumps from H2 to H4: "Experience the power of the Gong in an intimate setting"

Use H3 instead of H4 here.

Technical

1 critical 1 high 4 medium 3 low

critical

Missing HSTS header

The HSTS HTTP response header is not set.

Add to your server/CDN/nginx config: Strict-Transport-Security: max-age=31536000; includeSubDomains

high

Missing X-Content-Type-Options header

The X-Content-Type-Options HTTP response header is not set.

Add to your server/CDN/nginx config: X-Content-Type-Options: nosniff

medium

Missing X-Frame-Options header

The X-Frame-Options HTTP response header is not set.

Add to your server/CDN/nginx config: X-Frame-Options: SAMEORIGIN

medium

Missing Content-Security-Policy header

The Content-Security-Policy HTTP response header is not set.

Add to your server/CDN/nginx config: Content-Security-Policy: default-src 'self'; img-src * data:; script-src 'self' (customize per stack)

medium

1 cookie(s) missing Secure flag

Cookies without Secure flag can be sent over HTTP: nitroCachedPage

Add the Secure attribute to all cookies on HTTPS sites.

medium

1 cookie(s) missing HttpOnly flag

Cookies accessible via JavaScript: nitroCachedPage. XSS can steal them.

Add HttpOnly attribute to session and auth cookies.

low

Missing Referrer-Policy header

The Referrer-Policy HTTP response header is not set.

Add to your server/CDN/nginx config: Referrer-Policy: strict-origin-when-cross-origin

low

Missing Permissions-Policy header

The Permissions-Policy HTTP response header is not set.

Add to your server/CDN/nginx config: Permissions-Policy: camera=(), microphone=(), geolocation=()

low

4 cookie(s) missing SameSite attribute

Cookies without SameSite may be sent on cross-site requests: __cf_bm, __cf_bm, __cf_bm

Set SameSite=Lax or Strict on all cookies.

New Audit Robbies History

# QA Report: https://ciaobellaislamorada.com/ **Client:** Robbies **Overall Score:** 94/100 **Date:** 2026-03-23 The website maintains a strong foundation, though our latest audit identified several technical areas that require optimization to ensure peak performance and security. The most critical priority is the missing HSTS security header, which must be addressed immediately to protect site integrity and improve search rankings. I recommend that our technical team implements these security fixes and structural content updates promptly to enhance the site's overall reliability and SEO positioning. **Issues:** 1 critical · 3 high · 4 medium · 3 low ## SEO (90/100) - **[HIGH]** Multiple H1 tags (2) - Found 2 H1 tags: "Voted The #1 Salon & Spa"; "Voted The #1 Salon & Spa". Confuses search engines about the page topic. - Fix: Keep only one H1 — the primary page heading. Remove or demote the others to H2. - **[HIGH]** Heading hierarchy skip - Heading jumps from H2 to H4: "Experience the power of the Gong in an intimate setting" - Fix: Use H3 instead of H4 here. ## Technical (74/100) - **[CRITICAL]** Missing HSTS header - The HSTS HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Strict-Transport-Security: max-age=31536000; includeSubDomains - **[HIGH]** Missing X-Content-Type-Options header - The X-Content-Type-Options HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: X-Content-Type-Options: nosniff - **[MEDIUM]** Missing X-Frame-Options header - The X-Frame-Options HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: X-Frame-Options: SAMEORIGIN - **[MEDIUM]** Missing Content-Security-Policy header - The Content-Security-Policy HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Content-Security-Policy: default-src 'self'; img-src * data:; script-src 'self' (customize per stack) - **[MEDIUM]** 1 cookie(s) missing Secure flag - Cookies without Secure flag can be sent over HTTP: nitroCachedPage - Fix: Add the Secure attribute to all cookies on HTTPS sites. - **[MEDIUM]** 1 cookie(s) missing HttpOnly flag - Cookies accessible via JavaScript: nitroCachedPage. XSS can steal them. - Fix: Add HttpOnly attribute to session and auth cookies. - **[LOW]** Missing Referrer-Policy header - The Referrer-Policy HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Referrer-Policy: strict-origin-when-cross-origin - **[LOW]** Missing Permissions-Policy header - The Permissions-Policy HTTP response header is not set. - Fix: Add to your server/CDN/nginx config: Permissions-Policy: camera=(), microphone=(), geolocation=() - **[LOW]** 4 cookie(s) missing SameSite attribute - Cookies without SameSite may be sent on cross-site requests: __cf_bm, __cf_bm, __cf_bm - Fix: Set SameSite=Lax or Strict on all cookies.