Lighthouse Best Practices Cheat Sheet
Carlo Gino Catapang
Posted on February 7, 2022
TL;DR
Use Lighthouse to check if your website is following the list of best practices. You will see the same exact information in the Best Practices report.
Here some of the best practices audits to improve the code health of your web page. To learn more, check this page where I based the categorization.
General best practices
- Page has the HTML doctype
Specifying a doctype prevents the browser from switching to quirks-mode.
Learn more
- No browser errors logged to the console
Errors logged to the console indicate unresolved problems. They can come from network request failures and other browser concerns.
Learn more
- Displays images with correct aspect ratio
Image display dimensions should match natural aspect ratio.
Learn more
- Properly defines charset
A character encoding declaration is required. It can be done with a <meta>
tag in the first 1024 bytes of the HTML or in the Content-Type HTTP response header.
Learn more
- Fonts with font-display: optional are preloaded
Preload optional
fonts so first-time visitors may use them.
- Avoids unload event listeners
The unload
event does not fire reliably and listening for it can prevent browser optimizations like the Back-Forward Cache. Consider using the pagehide
or visibilitychange
events instead.
Learn more
Make your page secure
- Uses HTTPS
All sites should be protected with HTTPS, even ones that don't handle sensitive data. This includes avoiding mixed content, where some resources are loaded over HTTP despite the initial request being served over HTTPS. HTTPS prevents intruders from tampering with or passively listening in on the communications between your app and your users, and is a prerequisite for HTTP/2 and many new web platform APIs.
Learn more
- Detected JavaScript libraries
All front-end JavaScript libraries detected on the page.
Learn more
- Ensure CSP is effective against XSS attacks
A strong Content Security Policy (CSP) significantly reduces the risk of cross-site scripting (XSS) attacks.
Learn more
- Links to cross-origin destinations are safe
Add rel="noopener"
or rel="noreferrer"
to any external links to improve performance and prevent security vulnerabilities.
Learn more
- Avoids front-end JavaScript libraries with known security vulnerabilities
Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers.
Learn more
Create a good user experience
- Serves images with appropriate resolution
Image natural dimensions should be proportional to the display size and the pixel ratio to maximize image clarity.
Learn more
- Avoids requesting the geolocation permission on page load
Users are mistrustful of or confused by sites that request their location without context. Consider tying the request to a user action instead.
Learn more
- Avoids requesting the notification permission on page load
Users are mistrustful of or confused by sites that request to send notifications without context. Consider tying the request to user gestures instead.
Learn more
- Allows users to paste into password fields
Preventing password pasting undermines good security policy.
Learn more
Avoid deprecated technologies
- Avoids Application Cache
Application Cache is deprecated.
Learn more
- Avoids deprecated APIs
Deprecated APIs will eventually be removed from the browser.
Learn more
Diagnostics audits
- Detected JavaScript libraries
All front-end JavaScript libraries detected on the page.
Learn more
- No issues in the Issues panel in Chrome Devtools
Issues logged to the Issues
panel in Chrome Devtools indicate unresolved problems. They can come from network request failures, insufficient security controls, and other browser concerns. Open up the Issues panel in Chrome DevTools for more details on each issue.
- Page has valid source maps
Source maps translate minified code to the original source code. This helps developers debug in production. In addition, Lighthouse is able to provide further insights. Consider deploying source maps to take advantage of these benefits.
Learn more
What's next (More copy-pasting)
Posted on February 7, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.