Tested 2026-07-07 15:37:59 using Chrome 150.0.7871.46 (runtime settings)
Use --filmstrip.showAll to show all filmstrips.
The coach helps you find performance problems on your web page using web performance best practice rules. And gives you advice on privacy and best practices. Tested using Coach-core version 9.2.1.
avoidScalingImagesThe page has 29 images that are scaled more than 100 pixels. It would be better if those images are sent so the browser don't need to scale them.
It's easy to scale images in the browser and make sure they look good in different devices, however that is bad for performance! Scaling images in the browser takes extra CPU time and will hurt performance on mobile. And the user will download extra kilobytes (sometimes megabytes) of data that could be avoided. Don't do that, make sure you create multiple version of the same image server-side and serve the appropriate one.
decodingAsyncThe page has 69 images (out of 69) without a decoding hint. Add decoding="async" to non-critical images so the browser can decode them off the main thread.
Setting decoding="async" on an <img> tells the browser it can decode the image off the main thread, which keeps the page responsive to user interactions while images are being processed. The default ("auto") leaves the choice to the browser. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#decoding
firstContentfulPaintFirst contentful paint is poor (3.700 s). It is in the Google Web Vitals poor range, slower than 3 seconds.The page has a high time to first byte (TTFB) 2.454 s that you should look into to improve first contentful paint.
The First Contentful Paint (FCP) metric measures the time from when the page starts loading to when any part of the page content is rendered on the screen. For this metric, "content" refers to text, images (including background images), <svg> elements, or non-white <canvas> elements.
googleTagManagerThe page is using Google Tag Manager, this is a performance risk since non-tech users can add JavaScript to your page.
Google Tag Manager makes it possible for non tech users to add scripts to your page that will downgrade performance.
largestContentfulPaintLargest contentful paint is poor 4.488 s. It is in the Google Web Vitals poor range, slower than 4 seconds.
Largest contentful paint is one of Google Web Vitals and reports the render time of the largest image or text block visible within the viewport, relative to when the page first started loading. To be fast according to Google, it needs to render before 2.5 seconds and results over 4 seconds is poor performance.
lazyLoadingImagesThe page has 51 below-the-fold images without loading="lazy". Add loading="lazy" so the browser defers downloading and decoding them until the user scrolls them into view.
Adding loading="lazy" to an <img> tells the browser not to download or decode it until it is close to the viewport. For images that the user may never see (deep in the page, behind a tab, in a footer carousel), this saves bandwidth and main-thread time during initial render. The LCP image and any image in the initial viewport should NOT be lazy-loaded — that delays the first paint. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#loading
longTasksThe page has 8 CPU long tasks with the total of 1.603 s. The total blocking time is 786 ms and 1 long task before first contentful paint with total time of 467 ms. However the CPU Long Task is depending on the computer/phones actual CPU speed, so you should measure this on the same type of the device that your user is using. Use Geckoprofiler for Firefox or Chromes tracelog to debug your long tasks.
Long CPU tasks locks the thread. To the user this is commonly visible as a "locked up" page where the browser is unable to respond to user input; this is a major source of bad user experience on the web today. However the CPU Long Task is depending on the computer/phones actual CPU speed, so you should measure this on the same type of the device that your user is using. To debug you should use the Chrome timeline log and drag/drop it into devtools or use Firefox Geckoprofiler.
modernImageFormatsThe page ships 64 images (out of 64) in JPEG/PNG/GIF without a modern alternative. Wrap them in a <picture> with a <source type="image/avif"> or "image/webp" before the legacy <img>, or serve modern formats from your image pipeline directly. AVIF and WebP usually deliver 25–50% smaller files at the same quality.
AVIF and WebP routinely deliver 25–50% smaller files than JPEG and PNG at the same perceived quality, and every browser version still under support understands at least one of them. Ship modern formats either through a <picture> element with <source type="image/avif"> / "image/webp" entries in front of the legacy <img>, or directly from a content-negotiating image pipeline that returns AVIF / WebP when the client accepts it. https://web.dev/articles/serve-images-webp
javascriptSizeThe total JavaScript transfer size is 294.9 kB and the uncompressed size is 929.1 kB. This is quite large.
A lot of JavaScript often means you are downloading more than you need. How complex is the page and what can the user do on the page? Do you use multiple JavaScript frameworks?
pageSizeThe page total transfer size is 13.1 MB, which is more than the coach limit of 3 MB. That is insane and you need to make it smaller.
Avoid having pages that have a transfer size over the wire of more than 3 MB (desktop) and 2 MB (mobile) because heavy pages hurt performance and are expensive for users on metered connections. Reference: HTTP Archive median page weight in 2024 was around 2.7 MB desktop / 2.4 MB mobile, so this rule fires when a page is above the modern median.
imageSizeThe page total image size is 12.9 MB. It's really big. Is the page using the right format for the images? Can they be lazy loaded? Are they compressed as good as they can be? Make them smaller by using https://imageoptim.com/.
Avoid having too many large images on the page. The images will not affect the first paint of the page, but it will eat bandwidth for the user.
cacheHeadersThe page has 3 requests that are missing a cache time. Configure a cache time so the browser doesn't need to download them every time. It will save 41 B the next access.
The easiest way to make your page fast is to avoid doing requests to the server. Setting a cache header on your server response will tell the browser that it doesn't need to download the asset again during the configured cache time! Always try to set a cache time if the content doesn't change for every request.
spofThe page has 5 requests inside of the head that can cause a SPOF (single point of failure). Load them asynchronously or move them outside of the document head.
A page can be stopped from loading in the browser if a single JavaScript, CSS, and in some cases a font, couldn't be fetched or is loading really slowly (the white screen of death). That is a scenario you really want to avoid. Never load 3rd-party components synchronously inside of the head tag.
assetsRedirectsThe page has 2 redirects. 2 of the redirects are from the base domain, please fix them!
A redirect is one extra step for the user to download the asset. Avoid that if you want to be fast. Redirects are even more of a showstopper on mobile.
privateAssetsThe page has 2 requests with private headers. Make sure that the assets really should be private and only used by one user. Otherwise, make it cacheable for everyone.
If you set private headers on content, that means that the content are specific for that user. Static content should be able to be cached and used by everyone. Avoid setting the cache header to private.
cacheHeadersLongThe page has 19 requests that have a shorter cache time than one year (but still a cache time).
Setting a cache header is good. Setting a long cache header (a year) is even better because the asset will stay in the browser cache across visits. For content-hashed URLs (e.g. app.4af2.css) you can safely use Cache-Control: max-age=31536000, immutable. For unversioned URLs that may change, use a revalidating strategy instead.
inlineCssThe page has both inline styles as well as it is requesting 5 CSS files inside of the head. Let's only inline CSS for really fast render.
In the early days of the Internet, inlining CSS was one of the ugliest things you can do. That has changed if you want your page to start rendering fast for your user. Always inline the critical CSS when you use HTTP/1 and HTTP/2 (avoid doing CSS requests that block rendering) and lazy load and cache the rest of the CSS. It is a little more complicated when using HTTP/2. Does your server support HTTP push? Then maybe that can help. Do you have a lot of users on a slow connection and are serving large chunks of HTML? Then it could be better to use the inline technique, becasue some servers always prioritize HTML content over CSS so the user needs to download the HTML first, before the CSS is downloaded.
fewRequestsPerDomainThe page has 1 domain that serves more than 30 requests. al-ihsan.net got 73 requests. Improve performance by sharding those or move to HTTP/2.
Browsers have a limit on how many concurrent requests they can do per domain when using HTTP/1. When you hit the limit, the browser will wait before it can download more assets on that domain. So avoid having too many requests per domain.
imageAltTextThe page has 65 images without an alt attribute. Add alt="..." with a description, or alt="" if the image is purely decorative.
Every <img> needs an alt attribute. Use alt="meaningful description" for content images so assistive technologies can announce them, or alt="" (or role="presentation" / aria-hidden="true") for purely decorative images so they are skipped. A missing alt attribute leaves screen reader users with no information at all. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img#alt
unnecessaryHeadersThere are 80 responses that sets both a max-age and expires header. There are 1 response that sets a pragma no-cache header (that is a request header). There are 84 responses that sets a server header.
Do not send headers that you don't need. We look for p3p, cache-control and max-age, pragma, server and x-frame-options headers. Have a look at Andrew Betts - Headers for Hackers talk as a guide https://www.youtube.com/watch?v=k92ZbrY815c or read https://www.fastly.com/blog/headers-we-dont-want.
thirdPartyThe page do 11% requests to third party domains (9 requests and 216.7 kB). First party is 76 requests and 12.9 MB. The regex .*al-ihsan.* was used to calculate first/third party requests.
Do not load most of your content from third party URLs.
gaThe page is using Google Analytics meaning you share your users private information with Google. You should use analytics that care about user privacy, something like https://matomo.org.
Google Analytics share private user information with Google that your user hasn't agreed on sharing.
referrerPolicyNo <meta name="referrer"> tag was found on the page. Set a Referrer-Policy response header (preferred) or add a meta tag, for example <meta name="referrer" content="strict-origin-when-cross-origin">.
Without an explicit referrer policy the browser falls back to the user-agent default and may leak the full URL of the previous page (including query strings) to every cross-origin request. Set a Referrer-Policy response header (preferred) or a <meta name="referrer"> tag in the document. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
surveillanceThe page embeds 1 resource from companies that profit from user surveillance. Consider privacy-respecting alternatives.
Embedding scripts or iframes from companies whose business model is surveillance capitalism (Google, Facebook, etc.) leaks detailed user data on every page view, often before the user has had a chance to consent. See https://en.wikipedia.org/wiki/Surveillance_capitalism for background. Prefer privacy-respecting alternatives where possible.
contentSecurityPolicyHeaderSet a Content-Security-Policy header to mitigate cross-site scripting attacks. You can start with a Content-Security-Policy-Report-Only header, which only reports violations rather than blocking them.
A Content-Security-Policy response header tells the browser which sources of script, style, and other content are allowed. The most effective form is a strict CSP using nonces or hashes together with strict-dynamic; the worst is a missing header, with unsafe-inline and unsafe-eval close behind. https://web.dev/articles/strict-csp
crossOriginEmbedderPolicyHeaderSet a Cross-Origin-Embedder-Policy header (typically require-corp or credentialless) on the document response to control cross-origin embedding.
Cross-Origin-Embedder-Policy (COEP) makes the page refuse to load cross-origin subresources unless they explicitly opt in via CORP or CORS. Together with Cross-Origin-Opener-Policy it puts the page in a cross-origin isolated context, which mitigates cross-window side-channel attacks (Spectre) and unlocks high-resolution timers and SharedArrayBuffer. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
crossOriginOpenerPolicyHeaderSet a Cross-Origin-Opener-Policy header (typically same-origin) on the document response to isolate the page from cross-origin windows.
Cross-Origin-Opener-Policy (COOP) lets a page sever its window-group ties to cross-origin documents that opened it or that it opens. Together with Cross-Origin-Embedder-Policy it puts the page in a cross-origin isolated context, which mitigates cross-window side-channel attacks (Spectre) and unlocks high-resolution timers and SharedArrayBuffer. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
crossOriginResourcePolicyHeaderSet a Cross-Origin-Resource-Policy header (same-origin, same-site or cross-origin) on the document response to limit who may embed it.
Cross-Origin-Resource-Policy (CORP) is a per-response opt-in that tells the browser which origins are allowed to embed the resource. It blocks cross-origin or cross-site no-cors embedding (img, script, iframe, etc.) and is one of the building blocks of cross-origin isolation. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
nelHeaderSet a NEL header (paired with Reporting-Endpoints) to collect connection-level error reports from the field.
The NEL (Network Error Logging) response header tells the browser to record connection-level failures (DNS, TLS, HTTP errors) and ship them to a reporting endpoint. NEL pairs with the Reporting-Endpoints / Report-To header — the page declares the endpoint group and NEL points at it. Together they give you visibility into errors that never reach your origin server. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/NEL
permissionsPolicyHeaderSet a Permissions-Policy header to control which browser features the page can use.
The Permissions-Policy response header (the successor to Feature-Policy) lets a site explicitly opt in or out of powerful browser features such as camera, microphone, geolocation, payment and clipboard. Setting a strict policy reduces the attack surface and limits what embedded third parties can do. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
referrerPolicyHeaderSet a referrer-policy header to make sure you do not leak user information.
Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. https://scotthelme.co.uk/a-new-security-header-referrer-policy/.
reportingEndpointsHeaderSet a Reporting-Endpoints header (or the legacy Report-To header) so CSP reports, NEL data and other Reporting-API events have an endpoint to land at.
The Reporting-Endpoints response header (the successor to Report-To) names the URLs that browsers should POST reports to. Without it, CSP report-to directives, Cross-Origin-Opener-Policy reports, NEL data and other Reporting-API events have nowhere to go. The legacy Report-To header is still accepted for older Chromium versions. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints
strictTransportSecurityHeaderSet a strict transport header to make sure the user always use HTTPS.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
thirdPartyPrivacyThe page has 7% requests that are 3rd party (6 requests with a size of 208.4 kB). The page also have request to companies that harvest data from users and do not respect users privacy (see https://en.wikipedia.org/wiki/Surveillance_capitalism). The page do 4 surveillance requests and uses 3 surveillance tools. The page do 2 analytics requests and uses 2 analytics tools. The page do 1 tag-manager request and uses 1 tag-manager tool.
Using third party requests shares user information with that third party. Please avoid that! The project https://github.com/patrickhulce/third-party-web is used to categorize first/third party requests.
xContentTypeOptionsHeaderSet X-Content-Type-Options: nosniff on the document response to prevent MIME-sniffing.
X-Content-Type-Options: nosniff prevents browsers from interpreting files as a different MIME type than what is declared in the Content-Type header. This blocks a class of cross-site scripting and content-type confusion attacks and should be set on every response. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Data collected using
Coach-core version 9.2.1. With updated code from
Webappanalyzer 2026-05-04. Use
--browsertime.firefox.includeResponseBodies html or
--browsertime.chrome.includeResponseBodies html to help Wappalyzer find more information about technologies used.
Data collected using Third Party Web version 0.29.2.
When the page main content is rendered, collected via the Largest Contentful Paint API. Read more about Largest Contentful Paint.
body > section#topbar > div > div > div:eq(1) > div > div:eq(1) > p:eq(0)How much the page's content shifts as it loads, collected via the Cumulative Layout Shift API.
Sorted by individual shift score (higher = bigger shift). The top entries usually account for most of the page's CLS.
body > section#topbar > div > divWant render-blocking and recalculate-style metrics for FCP and LCP, plus CPU long tasks? Run with --cpu.
A long animation frame (LOAF) is a frame that took ≥ 50 ms from input to the next paint. The breakdown shows where that time went. Read more about the Long Animation Frames API.
Showing the top 10 longest animation frames.
No script attribution available for this frame.
No script attribution available for this frame.
No script attribution available for this frame.
No script attribution available for this frame.
There are no custom configured scripts.
There are no custom extra metrics from scripting.
How the page is built.
| Content | Header Size | Transfer Size | Content Size | Requests |
|---|---|---|---|---|
| html | 343 B | 38.6 KB | 373.4 KB | 1 |
| css | 1.5 KB | 52.7 KB | 434.5 KB | 5 |
| javascript | 3.2 KB | 288.0 KB | 907.4 KB | 10 |
| image | 23.8 KB | 12.1 MB | 12.3 MB | 63 |
| font | 0 b | 7.7 KB | 7.7 KB | 1 |
| audio | 0 b | 0 b | 219.4 KB | 2 |
| plain | 0 b | 0 b | 0 b | 1 |
| Total | 28.9 KB | 12.5 MB | 14.2 MB | 83 |
| Domain | Total download time | Transfer Size | Content Size | Requests |
|---|---|---|---|---|
| www.al-ihsan.net | 2.558 s | 38.6 KB | 373.4 KB | 3 |
| fonts.googleapis.com | 569 ms | 3.4 KB | 73.4 KB | 1 |
| al-ihsan.net | 13.484 s | 12.2 MB | 13.0 MB | 73 |
| sstatic1.histats.com | 1.266 s | 43 B | 43 B | 1 |
| code.jquery.com | 169 ms | 30.6 KB | 87.6 KB | 1 |
| www.googletagmanager.com | 633 ms | 161.7 KB | 474.5 KB | 1 |
| al-hikmah.net | 190 ms | 8.2 KB | 7.7 KB | 1 |
| al-hikmah.sm40.net | 2.998 s | N/A | 219.4 KB | 2 |
| fonts.gstatic.com | 35 ms | 7.7 KB | 7.7 KB | 1 |
| www.google-analytics.com | 244 ms | N/A | 0 b | 1 |
| type | min | median | max |
|---|---|---|---|
| Expires | 0 seconds | 1 year | 1 year |
| Last modified | 1 hour | 2 years | 35 years |
Render blocking information directly from Chrome.
| Blocking | In body parser blocking | Potentially blocking |
|---|---|---|
| 5 | 0 | 0 |
| URL | Type |
|---|---|
| https://www.googleta...nager.com/gtag/js | potentiallyblocking |
| https://al-ihsan.net...per-bundle.min.js | inbodyparserblocking |
| https://code.jquery....uery-3.6.1.min.js | inbodyparserblocking |
| https://al-ihsan.net...bootstrap.min.css | blocking |
| https://al-ihsan.net...rap.bundle.min.js | inbodyparserblocking |
| https://al-ihsan.net.../glightbox.min.js | inbodyparserblocking |
| https://al-ihsan.net...otstrap-icons.css | blocking |
| https://al-ihsan.net...ets/css/style.css | blocking |
| https://al-ihsan.net...otope.pkgd.min.js | inbodyparserblocking |
| https://fonts.gstati...HgFVrJJfecg.woff2 | nonblocking |
| https://al-ihsan.net...s/animate.min.css | blocking |
| https://al-ihsan.net...work.waypoints.js | inbodyparserblocking |
| https://al-ihsan.net...assets/js/main.js | inbodyparserblocking |
| https://fonts.google...oogleapis.com/css | blocking |
| https://al-ihsan.net...ounter_vanilla.js | inbodyparserblocking |
| https://al-ihsan.net...-form/validate.js | inbodyparserblocking |
Third party requests categorised by Third party web version 0.29.2.
Domains that didn't match any tool in Third party web. If you are sure they are third party domains, please do a PR to that project. You can also fine tune the list using --firstParty.
Calculated using .*al-ihsan.* (use --firstParty to configure).
| Content | Header Size | Transfer Size | Content Size | Requests |
|---|---|---|---|---|
| html | 343 B | 38.6 KB | 373.4 KB | 1 |
| css | 1.5 KB | 49.3 KB | 361.1 KB | 4 |
| javascript | 3.2 KB | 95.7 KB | 345.3 KB | 8 |
| image | 23.7 KB | 12.1 MB | 12.3 MB | 61 |
| font | 0 b | 0 b | 0 b | 0 |
| favicon | 0 b | 0 b | 0 b | 0 |
| Total | 29.4 KB | 12.3 MB | 13.3 MB | 76 |
| Content | Header Size | Transfer Size | Content Size | Requests |
|---|---|---|---|---|
| html | 0 b | 0 b | 0 b | 0 |
| css | 0 b | 3.4 KB | 73.4 KB | 1 |
| javascript | 0 b | 192.3 KB | 562.1 KB | 2 |
| image | 148 B | 8.2 KB | 7.7 KB | 2 |
| font | 0 b | 7.7 KB | 7.7 KB | 1 |
| favicon | 0 b | 0 b | 0 b | 0 |
| audio | 0 b | 0 b | 219.4 KB | 2 |
| plain | 0 b | 0 b | 0 b | 1 |
| Total | 140 B | 211.7 KB | 870.3 KB | 9 |