Lighthouse for andrewhowden.com

A guide to quickly evaluating the quality of a website

As web engineers we are in a unique position to understand the nuances of the web, and to help people who are less familiar with how it works tell the difference between a good website and a poor one. This was a useful skill indeed, as I was recently tasked with evaluating the technical quality of several public-facing eCommerce systems to help someone pick a service provider.

Given the time constraints, the nature of the request and the number of systems under investigation, we needed as much good-quality information as possible in as short a time frame as possible. Luckily, there are a number of standard tests we can run that tell us a lot about how a site is performing, all of which can be run against a public site without any special access to it.

Meeting our candidate

https://www.nytimes.com/, fetched on Saturday 22nd, 2018

The NY Times is a website that I enjoy reading on occasion as its articles bubble up through Twitter or other media, but not one that I've evaluated before. So, we'll be discovering the outcomes together!

Evaluations

Frontend

Lighthouse is Google's automated auditing tool for web pages; it loads the page under a throttled connection and scores it on performance, accessibility, best practices and search-engine optimisation. More information can be found in the Google Developer Docs.

Surprisingly, for me at least, NYTimes scores quite badly in some areas:

It took 4 seconds for the site to first render over the throttled 3G connection used by the test, and 20 seconds until the site was reliably usable. This is a remarkably long time! By comparison, simple sites such as mine reach first paint in ~1.5s over the same connection, and another comparable news site (the Washington Post) in 3.1s.

However, it does quite well in other areas: the site appears to be quite accessible, and is well optimised for indexing by search engines. Yay accessibility!

Server

httpstat is a tool that breaks the time taken by a single HTTP request down into its phases (DNS lookup, TCP connection, TLS handshake, server processing and content transfer). The version I'm using was written by Dave Cheney in Go.

httpstat is invoked via a terminal:

The full $ httpstat output

That’s pretty hard to read. The important bit is:

Wheow! That's pretty quick; well done NY Times. They score well in all areas: the TCP connection was established quickly, the TLS handshake was quick and the server responded quickly.

By comparison, another website (Magento.com) had a TLS handshake three times slower than NYTimes, and a server processing time ten times slower.

Here, NY Times does super well!
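The per-phase numbers httpstat prints are differences between the cumulative timestamps curl already exposes through its `-w` write-out variables, which is how the original Python httpstat works. The script below is an added example, not code from this post or from Dave Cheney's Go port; it assumes a curl that supports the `time_*` variables, and the sample timestamps at the bottom are constructed (in the same ballpark as the NYTimes run above), not captured from nytimes.com.

```shell
#!/bin/sh
# Added example: an httpstat-style breakdown built from curl's -w timing variables.
# Not part of the post or of httpstat itself; assumes curl supports the time_* variables.

# curl prints these six cumulative timestamps (seconds since the request started).
CURL_FORMAT='%{time_namelookup} %{time_connect} %{time_appconnect} %{time_pretransfer} %{time_starttransfer} %{time_total}'

# breakdown NAMELOOKUP CONNECT APPCONNECT PRETRANSFER STARTTRANSFER TOTAL
# Turns the cumulative timestamps into the per-phase durations httpstat shows,
# in whole milliseconds, as one line: "dns tcp tls server transfer total".
breakdown() {
  awk -v nl="$1" -v c="$2" -v ac="$3" -v pt="$4" -v st="$5" -v t="$6" '
    function ms(x) { return int(x * 1000 + 0.5) }   # seconds -> rounded milliseconds
    BEGIN {
      # time_appconnect is 0 for plain http://, i.e. there was no TLS handshake at all.
      tls = (ac > 0) ? ms(ac - c) : 0
      printf "%d %d %d %d %d %d\n", ms(nl), ms(c - nl), tls, ms(st - pt), ms(t - st), ms(t)
    }'
}

# timings URL: fetch a live URL with curl and print the breakdown (needs network).
timings() {
  set -- $(curl -sS -o /dev/null -w "$CURL_FORMAT" "$1")
  breakdown "$@"
}

# Constructed sample timestamps (not a real capture), run through the breakdown.
breakdown 0.012 0.030 0.075 0.075 0.120 0.180
```

`timings https://www.nytimes.com/` gives the live numbers; the phases map one-to-one onto the rows of the httpstat output, so a slow "tls" column points at the TLS configuration and a slow "server" column at the application, just as the comparison with Magento.com above distinguishes the two.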

Security

Security is harder to assess from the outside than performance, but one test that can be run easily, and that indicates whether the security of a system has received some attention, is the Qualys SSL Labs scanner. It makes a series of TLS connections to the website and determines whether those connections are vulnerable to known attacks such as protocol downgrade, FREAK and DROWN, and whether the supported protocol versions, cipher suites and certificate chain are appropriate for modern browsers. Note that it tests only the TLS layer: a site can get an A here and still have serious problems in the application behind it.

https://www.ssllabs.com/ssltest/analyze.html?d=nytimes.com&s=151.101.65.164&latest

Hooray! NYTimes also does an excellent job here. TLS is correctly configured for modern browsers, and the site does not suffer from any of the issues that would leave it open to the attacks mentioned above. One caveat: the report is for a single IP address (the s= parameter in the URL). A site served from many edge nodes can be configured differently on each, so it is worth checking that the other addresses the scanner lists get the same result.

Another test that we can run quickly and safely is to check the security headers the website responds with. These are hints to the browser that let it be stricter about what is allowed to happen on the site (which origins scripts may be loaded from, whether the page may be framed, whether connections may fall back to plain HTTP), which limits the damage even when part of the site is compromised, for example through an injected script.

https://securityheaders.com/?q=https%3A%2F%2Fnytimes.com&followRedirects=on

While NYTimes implements perhaps the most important headers (X-Frame-Options and Content-Security-Policy), there are several opportunities to restrict the behaviour of the site further, with the other headers securityheaders.com checks for (Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy and Permissions-Policy), making users even safer.
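Both of the checks above can be reproduced locally in a few lines of shell, which is handy when you have a dozen candidate systems to compare. The script below is an added example and not code from this post, from SSL Labs or from securityheaders.com. `tls_versions` is a rough stand-in for the protocol-support part of the SSL Labs scan (it needs network and an `openssl` binary); `audit_headers` reports which of the headers securityheaders.com looks for are present and flags a Content-Security-Policy that allows `'unsafe-inline'`. The response headers in `sample_headers` are constructed for the demonstration and are not NYTimes' real headers; the list of six header names is the set securityheaders.com checks, and treating `'unsafe-inline'` as a weakness is this example's own (conventional) policy.

```shell
#!/bin/sh
# Added example: local counterparts of the SSL Labs protocol check and the
# securityheaders.com header check. Not code from the post or from either service.

# tls_versions HOST: try each TLS version in turn and report which the server accepts.
# A modern configuration accepts tls1_2 and tls1_3 and rejects tls1 and tls1_1.
# Caveat: recent OpenSSL builds refuse to offer TLS 1.0/1.1 client-side at all, which
# shows up here as "rejected" regardless of what the server would do.
tls_versions() {
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "$1:443" -servername "$1" "-$v" </dev/null >/dev/null 2>&1; then
      echo "accepted $v"
    else
      echo "rejected $v"
    fi
  done
}

# audit_headers: read raw HTTP response headers on stdin and print one line per
# header securityheaders.com checks ("present NAME" or "MISSING NAME"), a "weak ..."
# line for a CSP that allows 'unsafe-inline', and finally "missing: N".
audit_headers() {
  headers=$(tr -d '\r' | tr 'A-Z' 'a-z')   # header names are case-insensitive
  missing=0
  for h in strict-transport-security content-security-policy x-frame-options \
           x-content-type-options referrer-policy permissions-policy; do
    if printf '%s\n' "$headers" | grep -q "^$h:"; then
      echo "present $h"
    else
      echo "MISSING $h"
      missing=$((missing + 1))
    fi
  done
  # Presence is not enough: a CSP that allows inline script gives up most of its value.
  csp=$(printf '%s\n' "$headers" | grep '^content-security-policy:' | head -n1)
  case "$csp" in
    *unsafe-inline*) echo "weak content-security-policy: allows 'unsafe-inline'" ;;
  esac
  echo "missing: $missing"
}

# check_url URL: fetch the headers of a live URL and audit them (needs network).
# -L follows redirects like securityheaders.com's followRedirects option; note that
# curl -I then prints the headers of every hop, so a header set only on an
# intermediate redirect would also count as present.
check_url() {
  curl -sSI -L "$1" | audit_headers
}

# Constructed sample response (not a real capture): two of the six headers are set,
# and the CSP allows inline script.
sample_headers() {
  cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Cache-Control: no-cache
EOF
}

sample_headers | audit_headers
```

On the constructed sample the audit reports four missing headers and the weak CSP; `check_url https://nytimes.com/` runs the same audit against the live site, and `tls_versions nytimes.com` gives the protocol half of the picture.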

Conclusion

Thanks