How does Wattspeed work?

The home page is the place where you will see all your tracked domains, along with some insights that will provide a larger view of how those are performing. From the first sight, you will see which domain needs to be improved.

Meant to help you identify the URLs that need improvement, the Overview section will provide an in depth analysis for the chosen domain.

• Average performance: The performance history for all domain's webpages, also spited by device.
• URLs performance: Shows the percent of traced URLs grouped by performance.
• Locations: The locations from where your URLs are being analyzed.
• Uptime: The uptime history for domain's URLs.
• Monitored URLs: The domain specific URLs that you are monitoring will appear in this section. The ability to filter by device, url performance or location will provide an easy to use, yet performant way to analyze your domain.

When you add a webpage you want to monitor, Wattspeed automatically runs an initial snapshot for you. Here's how to run more snapshots so you can compare results in time:

• Run a snapshot using a URL

  Using the settings' API endpoint for a webpage, you can make a GET request, so each time you deploy a website, Wattspeed will run a new snapshot automatically.

• Scheduled snapshot

  Within the same settings section, you can choose the frequency Wattspeed scheduler should run new snapshots with for your webpage. The default is weekly, meaning one snapshot per week.

• Manual snapshot

  Besides the methods above, you can always run a quick snapshot. This may be useful when you need to check out some recent improvements immediately.

In some cases, you will want to monitor the metrics of a webpage after a change has been made and deployed. Here's how to integrate Wattspeed with your preferred Continuous integration (CI) service:

GitHub Action

The Wattspeed's GitHub Action lets you run a snapshot as a step of your workflow.

GitLab CI/CD

In .gitlab-ci.yml, add a new item inside the script section. Using for example curl, you will need to make a GET request to the endpoint that you will find in each Wattspeed URL's settings. Make sure you add it at the end, so it can run right after your new webpage version is online.

before_script:
- apt-get update -qy
- apt-get install -y curl
script:
- curl https://api.wattspeed.com/update?token=xxxxx

Jenkins Plugin

You can use the Wattspeed Jenkins Plugin to trigger a snapshot as a build step of your Jenkins project.

This section helps you identify potential security improvements, not only to keep attackers away but also to provide Google with one more reason to rank your website higher. SEJ references a study on web security performed by GoDaddy according to which 73.9% of hacking events were for SEO purposes. Such attacks are spam based and aim to modify the content of websites by adding links to malicious sites. It was noted that 1 out of 10 infected sites were found on Google's blocklist. Even if your site is not successfully hacked, the constant attacks from site hackers can prevent GoogleBot from adequately accessing your site. This causes your web server to slow down (throttle) your web traffic and even to stop showing web pages to Google.

Grading

Our security scan evaluates security headers and the SSL certificate chain, scoring them according to the criteria listed below. The scoring methodology was adopted from Scott Helm's Headers Test and Ivan Ristić's scoring formula for SSL Test .

Response Headers

Security scans for a list of 6 response headers and it checks whether a certain header was sent by the server. Points are rewarded based on severity for the headers which are set, except for the Strict-Transport-Security header which is excluded over an HTTP connection.

How do we score a website's security headers?

The highest grade you can get is an A+ and the lowest is an F.
The grades are composed based on the following score:

• A+ for a score equal to or higher than 100
• A for a score equal to or higher than 75
• B for a score equal to or higher than 60
• C for a score equal to or higher than 50
• D for a score equal to or higher than 20
• E for a score equal to or higher than 10
• F for a score equal to or higher than 0

Security headers are scored as follows:

• Strict-Transport-Security adds 25 points
• Content-Security-Policy adds 25 points
• X-Frame-Options adds 20 points
• X-Content-Type-Options adds 10 points
• Referrer-Policy adds 10 points
• Permissions-Policy adds 10 points

SSL

Testing SSL involves a series of checks where the main targeted aspects are the certificate chain and server configuration (protocols & ciphers).

How do we score a website's SSL scan?

The standard grading is from A+ to F, however there is an additional grade (T) when a certificate is not trusted. Certificates act as a proof of identity for a server and are used to confirm whether or not communication endpoints are really who they say they are. Failing to do so can render the whole security of the connection vulnerable (man-in-the-middle attack), regardless of having a good server configuration or not.

Grades are awarded as follows:

• A+ for a score equal to or higher than 95
• A for a score equal to or higher than 80
• B for a score equal to or higher than 65
• C for a score equal to or higher than 50
• D for a score equal to or higher than 35
• E for a score equal to or higher than 20
• F for a score equal to or higher than 0

An incorrect certificate having any of the following issues will bring the total score to 0:

• Certificate not yet valid
• Certificate expired
• Hostname mismatch
• Use of a certificate that is not trusted (unknown CA or some other validation error)
• Use of a self-signed certificate
• Insecure key
• Insecure certificate signature (MD2 or MD5)

Protocols are scored based on the versions of TLS that are supported by the server. Since there can be multiple protocols supported, the score is determined by the average between the best and the worst.

Protocol support rating:

• TLS 1.3 has a rating of 100
• TLS 1.2 has a rating of 100
• TLS 1.1 has a rating of 40
• TLS 1.0 has a rating of 40

Ciphers are scored based on the strength against an attacker's effort to break the symmetric key of the cipher suites in all protocols. Since there can be multiple ciphers for each protocol, the score is determined by the average between the best and the worst.

Ciphers strength rating:

• STRONG has a rating of 100
• SECURE has a rating of 100
• WEAK has a rating of 80
• INSECURE has a rating of 0

Score changes:

• the server is using an invalid certificate — score changed to T
• the server uses insecure ciphers — score changed to F
• the server does not support TLS 1.3 or TLS 1.2 — score capped at C
• the server supports TLS 1.1 or TLS 1.0 — score capped at B

An alert will give you the option to add a name and an optional description for better understanding and will be triggered when any of the added webpages meet one or more specified conditions.

You can choose from a variety of metrics, some of which are available for all your snapshot locations. After selecting the desired metric, you will need to input a specific value that will trigger the alert.

Once you have an alert configured, you will see it in the `Monitored alerts` section, from where you can edit, duplicate or delete the alert.

Shareable links is a feature that allows everyone with the link to access snapshots without a Wattspeed account. You can share the overview, history, issues information, the proper snapshot or even the comparison data for a web page you added to Wattspeed.

If you're looking to check out Lighthouse scores and other performance metrics while you're browsing the web, you should check out the following Wattspeed extensions:

• Chrome
• Firefox
• Edge