Website Audit Glossary

A way of telling Google which version of a page is the "official" one. Websites often have the same content accessible at multiple URLs — for example, with and without "www", or with different tracking parameters. A canonical tag in your page code tells Google which URL you consider the definitive version, so it doesn't split ranking signals across duplicates.

Google's official measures of how good the experience of loading your website feels. Core Web Vitals are three specific metrics Google uses to measure user experience: how quickly the main content loads (LCP), how quickly the page responds to the first click or tap (FID/INP), and how much the page layout shifts while loading (CLS). Google uses these as ranking signals — a faster, more stable page ranks better than a slow, jumpy one.

Controls which scripts and resources are allowed to run on your website. A Content Security Policy tells browsers exactly which scripts, images, and other resources are allowed to load on your site. This prevents attackers from injecting malicious code into your pages — a type of attack called cross-site scripting (XSS) that can steal visitor data or redirect users to fraudulent sites.

Links on your site that point to pages that no longer exist. A dead link (also called a broken link or 404 error) occurs when a page that used to exist has been deleted or moved without a redirect being set up. When a visitor clicks the link, or when Google's crawler follows it, they reach a "page not found" error. Dead links waste Google's crawl budget and frustrate visitors.

A digital signature that proves an email genuinely came from your domain. DKIM adds a digital signature to every email you send. The signature is verified using a public key stored in your DNS records. This proves the email hasn't been tampered with in transit and genuinely originated from your domain. Most modern email providers (Gmail, Microsoft 365, etc.) set this up for you automatically.

A policy that tells email servers what to do with emails that fail SPF or DKIM checks. DMARC ties SPF and DKIM together and adds a policy layer. It tells receiving mail servers what to do if an email fails authentication — options range from "do nothing" (monitor only) to "send it to spam" to "reject it entirely". It also enables reporting so you can see if anyone is trying to send fraudulent emails using your domain.
Read our guide →

The internet's address book — translates your domain name into a server address. When someone types your website address into a browser, DNS is the system that looks up which server to connect to. It works like a phone book: you look up the name, it gives you the number. DNS also controls your email settings — which mail servers handle your email, and the authentication records that prove your emails are genuine.

The main heading on a page — tells Google what the page is primarily about. The H1 is the top-level heading on a webpage, like the headline of a newspaper article. There should be exactly one per page. Search engines give it extra weight when deciding what the page is about, so it should include your main keyword and accurately describe the content.

Forces browsers to always use the secure (HTTPS) version of your site. HSTS tells browsers that they should only ever connect to your website over a secure, encrypted connection. Without it, there's a brief window when someone first visits your site where they could be intercepted and served an insecure version — a technique called a "downgrade attack".

Links within your site that point to the old insecure (http://) version of pages. Even if your site has an SSL certificate and runs on HTTPS, individual links within your site might still point to the old HTTP version of pages. This causes unnecessary redirects for every visitor who follows those links, slowing down your site and creating mixed content warnings in browsers.

How long it takes for the main content of your page to appear on screen. LCP measures the time from when a visitor starts loading your page to when the largest visible element — usually a hero image or main heading — appears on screen. Google's target is under 2.5 seconds. Anything over 4 seconds is considered poor.

The short blurb that appears under your website in Google search results. When someone searches for a business like yours, Google shows your page title and a short description underneath. That description is your meta description — you write it yourself and it appears in the page code, not on the page itself. It doesn't directly affect your ranking, but a well-written one gets more people to click through to your site.

How quickly your website loads for visitors. Page speed affects both user experience and search rankings. Visitors are impatient — studies consistently show that conversion rates drop significantly as load times increase. A one-second delay can reduce conversions by up to 7%. Google also factors page speed into its rankings, particularly on mobile.

The clickable headline that appears in Google search results. Your page title is one of the most important signals Google uses to understand what your page is about. It also appears in the browser tab when someone has your site open. A good title is specific, includes your main keyword, and is under 60 characters so it doesn't get cut off in search results.

Controls how much information your site shares with other sites when visitors click links. When someone clicks a link on your site to go to another site, their browser tells the destination site where they came from — this is called the referrer. A Referrer Policy lets you control how much of that information is shared. For example, you might not want your full page URLs (which could contain sensitive query parameters) being sent to third-party sites.

Instructions your website sends to browsers to protect visitors from common attacks. When someone visits your website, your server sends the page content along with a set of invisible instructions called HTTP headers. Security headers are specific instructions that tell the visitor's browser how to handle your site safely — blocking certain types of attacks before they can do any damage.
Read our guide →

A record that tells email servers which servers are allowed to send email on your behalf. SPF is a DNS record that lists all the servers that are authorised to send email from your domain. When someone receives an email from you, their email server checks your SPF record to verify the email actually came from a server you've authorised. This helps prevent spammers from forging emails that appear to come from your domain.

The padlock in your browser's address bar — proves your site is secure and genuine. SSL (now technically called TLS) is the technology that encrypts the connection between your visitor's browser and your website. It's what puts the "https" and padlock icon in the address bar. It serves two purposes: it encrypts the data in transit (so it can't be intercepted) and it verifies that your site is who it says it is (so visitors aren't tricked into a fake version of your site).

SSL certificates have an expiry date and need renewing before they run out. SSL certificates aren't permanent — they typically last between 90 days and 1 year depending on your provider. When one expires, visitors see an immediate security warning and can't access your site without bypassing it manually. Most hosting providers offer automatic renewal, but it's worth checking this is set up correctly.

Stops browsers from guessing what type of file they're loading. Browsers can sometimes try to be helpful by "sniffing" the type of a file — for example, treating a text file as JavaScript if it looks like code. This header tells the browser to trust what the server says the file is, and not to guess. This prevents a type of attack where an attacker tricks a browser into executing a file as code when it shouldn't be.

Stops your website from being embedded inside another site without your permission. This header prevents your website from being loaded inside a hidden frame on another website — a technique called clickjacking. Attackers use this to trick visitors into clicking buttons on your site without realising it, which can be used to authorise transactions or change account settings.

A file that lists all the pages on your website and helps Google find them. An XML sitemap is a file (usually at yourdomain.com/sitemap.xml) that lists all the important pages on your website. It's not for human visitors — it's for search engine crawlers. A sitemap helps Google discover pages it might otherwise miss, especially on larger sites or sites where not all pages are linked from the homepage.