Caching Score: https://user.au/

What is this check, and why should you care

Having a cache hit ensures the fastest possible delivery of content to end users.

The response header X-Cache had a value of HIT.

Fastly has documentation on how to interpret the X-Cache header.

Maximum possible points

100

What is this check, and why should you care

A cached response is reusable for the duration of its freshness lifetime, defined in RFC 9111 §4.2. The freshness lifetime is taken from Cache-Control: s-maxage or max-age (§5.2), and falls back to the Expires header (§5.3) or a heuristic if neither is set. The longer the freshness lifetime, the higher the cache hit ratio at any given traffic level.

To get maximum points, your cache lifetime must be greater than or equal to 4 weeks. If your cache lifetime is less, then you will get some proportion of the score based on how close to 4 weeks you are.

The current cache lifetime is 2764800 seconds (1 month and 4 days).

You can read more about which headers Fastly uses to indicate the cache lifetime.

Maximum possible points

100

What is this check, and why should you care

Using a CDN is extremely useful for caching purposes.

Maximum possible points

50

What is this check, and why should you care

The time that it takes for a user's browser to receive the first byte of page content.

The lower the TTFB, the faster your site will be perceived by the end user.

To get maximum points, your TTFB must be less than or equal to 30ms. If your TTFB is more than 1 second then you get no points here.

Maximum possible points

50

What is this check, and why should you care

An ETag is an opaque identifier for a specific version of a resource, defined in RFC 9110 §8.8.3. When a client revisits a URL it can send the previously-seen value back in an If-None-Match request header (RFC 9110 §13.1.2); if the server still considers the response current it returns an empty 304 Not Modified instead of the full body, saving bandwidth and origin work.

An HTTP request with the request header If-None-Match with a value of W/"1778118796" was sent, and an HTTP 304 was responded with.

See the Wikipedia page on ETag for more background.

To get maximum points, you need to have ETag identifiers and an HTTP 304 response must be received when using a valid If-None-Match request header.

Maximum possible points

30

What is this check, and why should you care

The Last-Modified response header carries the date the resource was last changed, defined in RFC 9110 §8.8.2. When a client revisits the URL it can send the previously-seen value back in an If-Modified-Since request header (RFC 9110 §13.1.3); if the resource has not changed the server returns an empty 304 Not Modified instead of the full body, saving bandwidth and origin work.

An HTTP request with the request header If-Modified-Since with a value of was sent, and an HTTP 304 was responded with.

Maximum possible points

30

What is this check, and why should you care

Having tiered caching can help improve the cache hit ratio of your site because it provides an additional layer of caching in front of your origin.

Maximum possible points

25

What is this check, and why should you care

HTTP 404 (Not Found) is one of the response status codes that RFC 9110 §15.1 marks as heuristically cacheable, and RFC 9111 §4.2.2 defines the heuristic-freshness rules a cache may apply when no explicit freshness is provided. Caching 404s — even briefly — offloads repeated probes (broken links, scanners, missing assets) from your origin.

To get maximum points, you need to have the ability to cache an HTTP 404 for any amount of time.

This check requested the URL https://user.au/cachingscorebrokenurltest.

Maximum possible points

20

What is this check, and why should you care

HTTP compression reduces the size of a response body by eliminating redundancy. The client advertises supported algorithms in the Accept-Encoding request header, and the server reports which one it used in the Content-Encoding response header — both are defined in RFC 9110 §8.4.

The four common encodings each have their own specification: gzip (RFC 1952), deflate (RFC 1951), br / Brotli (RFC 7932), and zstd / Zstandard (RFC 8878). Smaller responses load faster and use less bandwidth, which especially matters on mobile networks.

The response header Content-Encoding had a value of br.

Fastly has documentation on how to enable automatic compression.

See the Wikipedia page on HTTP compression for more background.

To get maximum points, you need to use Brotli or Zstandard compression.

Maximum possible points

20

What is this check, and why should you care

Drupal 8+ provides an Internal Page Cache module recommended for small to medium-sized websites.

There is extremely limited value in using this module, even when you are using Fastly and having a relatively high cache lifetime of 1 month and 4 days.

To get maximum points, you must have the module page_cache disabled.

See Drupal's documentation on the Internal Page Cache module. Also, Wim Leers wrote a really awesome blog post on the release of this module with important background.

Maximum possible points

20

What is this check, and why should you care

Drupal sets a session cookie (named SESS<hash> over HTTP, or SSESS<hash> over HTTPS) the first time the session is read or written during a request. When a session cookie is present, most reverse proxies and CDNs will bypass their cache entirely for all HTML responses, because the response is considered personalised.

Anonymous page requests should not need a session at all. Contributed modules known to start a session for anonymous users include:

• Smart IP — stores geolocation data in $_SESSION for anonymous users (#1897126).
• Flag — starts an anonymous session as part of determining flag actions (#2894095).
• H5P — creates anonymous sessions even for components that don't need it (#3126134).
• Textsize — stores text size preferences in the session (#1041878).

To get maximum points, the response must not include a SESS or SSESS cookie. If it does, identify which module is starting the session and either disable it, reconfigure it, or find an alternative that does not require a session for anonymous users.

Maximum possible points

10

What is this check, and why should you care

CSS aggregation reduces the number of assets your site needs to download. The filename contains a hash of all the file contents, meaning you can cache these files for an extremely long time with no negative consequences.

Maximum possible points

10

What is this check, and why should you care

Javascript aggregation reduces the number of assets your site needs to download. The filename contains a hash of all the file contents, meaning you can cache these files for an extremely long time with no negative consequences.

Maximum possible points

10

What is this check, and why should you care

Drupal 9.5+ introduces a new debug setting to make it easier to debug render caching. This setting will add cache debugging output for each rendered element.

The main issue with this is that this slows down your page loads (on top increasing your page weight).

To get maximum points, you must disable the render cache debug.

Maximum possible points

10

What is this check, and why should you care

Drupal 7+ provides a Statistics module to which records content view statistics in Drupal's database.

The main issue with this module is that it sends an un-cacheable HTTP POST request to your site to record a 'content view' statistic. This does not scale well as you Drupal site gets more traffic.

To get maximum points, you must disable the statistics module.

Maximum possible points

10

What is this check, and why should you care

Drupal 8+ uses Twig for templating, and the Twig template engine offers a debug tool to which emits out a list of template filenames in the HTML source.

The main issue with this is that you often also have other Twig related performance issues as well, e.g. automatic reloading.

To get maximum points, you must disable Twig debug.

Maximum possible points

10

What is this check, and why should you care

You can increase the cache hit rate of your site by stripping certain query parameters from the cache key.

FBCLID is one such parameter that can be stripped by your caching server. This query parameter only really serves a purpose for Javascript to read, and Javascript can still read it from the browser URL.

You can add this VCL snippet to your Fastly service (in the recv subroutine). Fastly documentation on querystring.filter.

This check requested the URL https://user.au/?fbclid=1778358973.

Maximum possible points

10

What is this check, and why should you care

You can increase the cache hit rate of your site by stripping certain query parameters from the cache key.

GCLID and GCLSRC are two such parameters that can be stripped by your caching server. These query parameters only really serve a purpose for Javascript to read, and Javascript can still read it from the browser URL.

You can add this VCL snippet to your Fastly service (in the recv subroutine). Fastly documentation on querystring.filter.

This check requested the URL https://user.au/?gclsrc=1778358973&gclid=1778358973.

Maximum possible points

10

What is this check, and why should you care

You can increase the cache hit rate of your site by stripping certain query parameters from the cache key.

TTCLID is one such parameter that can be stripped by your caching server. This query parameter only really serves a purpose for Javascript to read, and Javascript can still read it from the browser URL.

You can add this VCL snippet to your Fastly service (in the recv subroutine). Fastly documentation on querystring.filter.

This check requested the URL https://user.au/?ttclid=1778358973.

Maximum possible points

10

What is this check, and why should you care

You can increase the cache hit rate of your site by stripping certain query parameters from the cache key.

UTM is a collection of parameters that can be stripped by your caching server. These query parameters only really serve a purpose for Javascript to read, and Javascript can still read them from the browser URL.

You can add this VCL snippet to your Fastly service (in the recv subroutine). Fastly documentation on querystring.filter.

This check requested the URL https://user.au/?utm_source=1778358973&utm_medium=1778358973&utm_campaign=1778358973&utm_id=1778358973.

Maximum possible points

10

What is this check, and why should you care

There is a SPAM protection module in Drupal called Honeypot.

The honeypot module has a feature that adds a time based hidden form field to forms to protect against bots filling them in too quickly. This is a nice feature, however it happens to disable caching for the entire page. This is terrible for high traffic sites.

It is recommended to disable this time based feature, and only use the core honeypot feature of a hidden input field.

Maximum possible points

5

What is this check, and why should you care

The language_cookie module breaks proxy caching because it makes Drupal’s response vary by a cookie, which most HTTP caches don’t handle efficiently.

The module also has a side effect of breaking Drupal’s page_cache system as well - see the issue #3512070.

To get maximum points, you must disable the language_cookie module.

Maximum possible points

5

What is this check, and why should you care

There are 2 filesystems in Drupal - public files and private files.

Private files force Drupal to bootstrap in order to serve the file, and access control is checked every single time. This is useful for sensitive files, but a hindrance when your site is under high load.

It is recommended to use Drupal's public file system for static, non-sensitive files, and reserve the use of private files for dynamic, or sensitive files.

Maximum possible points

5