Glossary
Plain-language definitions of web performance, accessibility, SEO, and security terms used across BeaverCheck audits.
Accessibility
- Alt Text
- The `alt` attribute on `<img>` describing the image's content or function; required by WCAG for every meaningful image.
- ARIA
- Accessible Rich Internet Applications -- a W3C spec providing roles, states, and properties to communicate semantics to assistive technology.
- ARIA Landmarks
- Semantic regions of a page (`<main>`, `<nav>`, `<aside>`, `<header>`, `<footer>`) that screen readers expose as a navigable list.
- autocomplete attribute
- An HTML attribute on form inputs that declares the input's purpose so browsers and password managers can auto-fill the field with the user's stored data.
- Contrast Ratio
- The luminance ratio between text and its background; WCAG AA requires 4.5:1 for body text, 3:1 for large text and UI components.
- Focus Management
- Ensuring keyboard + assistive-tech users can see and follow which element currently has focus, and that focus moves predictably as the UI changes.
- Heading text quality
- The substantive merit of heading content -- whether headings convey actual information vs being placeholders, generic CMS defaults, or misformatted paragraphs.
- inputmode attribute
- An HTML attribute on form inputs that tells mobile browsers which on-screen keyboard layout to show -- numeric pad, telephone dialpad, email keyboard, etc.
- Keyboard Navigation
- Operating a website using only the keyboard (Tab, Shift+Tab, Enter, Space, arrow keys) -- required by WCAG 2.1.1 for every interactive element.
- lang attribute (HTML)
- An HTML attribute (`lang="X"`) that declares the language of an element's content. Required on `<html>` for WCAG 3.1.1; supported on any element to mark language-of-parts (WCAG 3.1.2).
- RTL (right-to-left layout)
- Layout direction for languages written right-to-left (Arabic, Hebrew, Persian, Urdu, etc.). The browser mirrors layout (text alignment, scroll direction, list bullets, form positions) when `dir="rtl"` is set.
- Screen Reader
- Assistive software that converts on-screen content (text, images via alt text, structure via semantic HTML) into synthesised speech or refreshable Braille.
- Semantic HTML
- Using HTML elements according to their intended meaning (`<button>` for buttons, `<nav>` for navigation) rather than generic `<div>` and `<span>`.
- Skip Links
- Hidden anchor links at the top of a page (revealed on focus) that let keyboard users jump past repeating navigation directly to the main content.
- viewport meta tag
- A `<meta name="viewport">` tag that controls how mobile browsers scale and lay out the page. The default is desktop-width (~980px); the standard mobile-first declaration is `width=device-width, initial-scale=1`.
- Web Content Accessibility Guidelines
- The W3C standard defining how to make web content accessible to people with disabilities -- WCAG 2.2 is the current version.
Performance
- @import (CSS)
- A CSS at-rule that imports another stylesheet from inside an existing one. Performance anti-pattern: chains an extra round-trip before the imported sheet starts downloading.
- app deep linking (smart banners)
- Meta tags (`apple-itunes-app`, `google-play-app`) that opt sites into platform-specific 'open in app' UX -- iOS Safari smart banner and Android Chrome native install prompt.
- async / defer (script attributes)
- Two `<script>` attributes that change when and how the script blocks the parser. `async` runs whenever it's ready; `defer` waits until parsing completes; neither blocks HTML parsing.
- AVIF
- A modern image format derived from the AV1 video codec, offering 30-50% smaller files than WebP and 50-80% smaller than JPEG at similar quality.
- Cache-Status header (RFC 9211)
- A standardized response header (`Cache-Status`) for CDNs and proxies to communicate per-hop cache state to debugging tools and observability platforms. Replaces vendor-specific `X-Cache` patterns.
- Core Web Vitals
- Google's three user-experience metrics (LCP, INP, CLS) that are confirmed Google Search ranking signals.
- Critical Rendering Path
- The sequence of steps the browser takes from receiving HTML to painting pixels: parse HTML -> build DOM -> build CSSOM -> apply styles -> layout -> paint -> composite.
- Cumulative Layout Shift
- A Core Web Vital measuring how much visible page content shifts unexpectedly during loading.
- dns-prefetch
- A resource hint (`<link rel="dns-prefetch">`) that asks the browser to resolve a future-needed domain's IP address ahead of the actual request.
- document.write()
- A legacy JavaScript API that writes content directly into the HTML stream during parsing. Disables Chrome's preload scanner on slow connections; major performance anti-pattern.
- First Contentful Paint
- The time from when the page starts loading to when any text, image, or non-blank canvas first renders.
- First Input Delay
- A retired Core Web Vital that measured the delay before the first user interaction was processed; replaced by INP in March 2024.
- font-display
- A CSS `@font-face` descriptor that controls how text is rendered while a custom web font is downloading. `swap` shows fallback text immediately, eliminating Flash of Invisible Text (FOIT).
- Interaction to Next Paint
- A Core Web Vital measuring the latency from a user interaction to the next visible frame -- replaced FID in March 2024.
- Largest Contentful Paint
- The time it takes for the largest visible element above the fold to appear on screen, used by Google as a Core Web Vital.
- preconnect
- A resource hint (`<link rel="preconnect">`) that asks the browser to perform DNS, TCP, and TLS handshakes against a future-needed origin ahead of the actual request.
- prefetch
- A resource hint (`<link rel="prefetch">`) that tells the browser to fetch a resource for a likely *future* navigation, when the network is idle.
- preload
- A resource hint (`<link rel="preload">`) that tells the browser to fetch a critical resource immediately, before the parser would otherwise discover it.
- PWA (Progressive Web App)
- A web app that meets installability criteria (web app manifest + service worker + HTTPS) so users can install it like a native app and use it offline.
- Render-Blocking Resources
- Scripts and stylesheets the browser must download + parse before it can paint the first frame -- the dominant cause of poor FCP.
- Service Worker
- A JavaScript file that runs in a background thread, intercepting network requests from the page. The foundation of offline support, push notifications, and background sync in modern web apps.
- Speed Index
- A Lighthouse lab metric measuring how quickly the contents of a page are visibly populated.
- srcset
- An attribute on `<img>` and `<source>` that lists multiple image URLs along with the resolution or viewport conditions under which each is appropriate, letting the browser pick the best fit.
- Time to First Byte
- The time from a navigation request to the first byte of the response arriving from the server.
- Time to Interactive
- A Lighthouse lab metric for when the page becomes fully interactive -- main thread idle for 5+ seconds.
- Total Blocking Time
- A Lighthouse lab metric summing the time the main thread was blocked by long tasks between FCP and TTI.
- Vary header
- A response header (`Vary: <header-name-list>`) that tells caches which request headers the response varies on, so different variants of the same URL can be cached separately.
- Web App Manifest
- A JSON file (typically `/manifest.json` or `/site.webmanifest`) declaring the app's name, icons, theme color, and display mode. Drives the PWA install prompt and the standalone window's chrome.
Security
- BIMI
- Brand Indicators for Message Identification -- a DNS record pointing to a brand logo SVG that supporting mail clients display next to authenticated messages.
- Bot challenge
- An interstitial page (CAPTCHA, JavaScript proof-of-work, or hard block) served by a bot-protection vendor when a request looks automated. Returns a few KB of vendor HTML instead of the real site content.
- Cloudflare challenge platform
- The JavaScript runtime Cloudflare loads from `challenges.cloudflare.com/cdn-cgi/challenge-platform/...` to fingerprint the browser and decide whether to let the request through. Powers the 'Just a moment...' interstitial.
- CMP (Consent Management Platform)
- A vendor-supplied JavaScript widget that displays the cookie / consent banner, records the user's choice, and exposes that choice to other scripts so they know whether to load tracking.
- Content Security Policy
- An HTTP response header (`Content-Security-Policy`) declaring which script, style, image, and other resource origins the browser is allowed to load -- the primary defence against XSS.
- Cookie name prefixes
- The `__Host-` and `__Secure-` cookie name prefixes that browsers enforce as a binding contract: cookies with these names are silently rejected unless they meet specific Set-Cookie attribute requirements.
- CORS
- Cross-Origin Resource Sharing -- a browser security mechanism using HTTP headers (`Access-Control-Allow-Origin`, etc.) to control which origins may read responses from a different origin.
- CSRF token
- A unique secret value embedded in HTML forms (typically as a hidden input) that the server validates on POST. Defends against Cross-Site Request Forgery -- an attacker can't submit a form from another origin without knowing the token.
- DKIM
- DomainKeys Identified Mail -- a cryptographic signature attached to outbound mail headers, validated by receivers via a public key published in DNS.
- DMARC
- Domain-based Message Authentication, Reporting and Conformance -- a DNS policy that tells receivers what to do when SPF or DKIM fails for a message claiming to be from your domain.
- GraphQL introspection
- A GraphQL feature that lets clients query the server for its complete schema -- every type, field, argument, and resolver name -- via a special `__schema` query.
- HSTS
- HTTP Strict Transport Security -- a response header instructing browsers to use HTTPS for the domain for a fixed duration, preventing protocol downgrade.
- HTTP 451 Unavailable For Legal Reasons
- HTTP status code (RFC 7725) indicating the requested content is blocked in the requesting client's jurisdiction. The number is a deliberate reference to Ray Bradbury's *Fahrenheit 451*.
- HTTPS
- HTTP over TLS -- the encrypted version of HTTP that protects request and response data from network observers and tampering.
- IAB TCF (Transparency & Consent Framework)
- An industry-standard protocol from IAB Europe for communicating cookie consent state across the ad-tech supply chain via the `__tcfapi()` JavaScript API and the `euconsent-v2` cookie.
- Mixed Content
- An HTTPS page loading a sub-resource (script, stylesheet, image, iframe) over HTTP -- a security issue browsers either warn on or block.
- MTA-STS
- SMTP Mail Transfer Agent Strict Transport Security -- a two-part DNS + HTTPS policy that forces inbound mail to be delivered over TLS, preventing downgrade attacks.
- OAuth / SSO
- Single sign-on (SSO) via OAuth 2.0 / OpenID Connect: users sign in with an existing account at an identity provider (Google, Apple, Microsoft, GitHub, etc.) instead of creating a new password on your site.
- OpenAPI
- A standardized JSON or YAML format for describing HTTP APIs -- endpoints, parameters, request bodies, response shapes, authentication, etc. Formerly known as Swagger.
- Permissions-Policy
- A W3C-specified response header (`Permissions-Policy`) that disables powerful browser features (camera, microphone, geolocation, payment, USB, etc.) for the page and any embedded iframes. Successor to the deprecated `Feature-Policy` header.
- Referrer-Policy
- An HTTP response header (`Referrer-Policy: strict-origin-when-cross-origin`) controlling how much URL information the browser sends in the `Referer` header on outbound navigations.
- SameSite cookie attribute
- A `Set-Cookie` attribute that controls whether the cookie is sent on cross-site requests. Values: `Strict`, `Lax`, `None` (with `Secure` required).
- SPF
- Sender Policy Framework -- a DNS TXT record at the apex domain that lists which IPs and hostnames are authorized to send email on behalf of the domain.
- Subresource Integrity
- An attribute (`integrity="sha384-..." crossorigin="anonymous"`) on `<script>` and `<link>` tags letting browsers verify that a third-party CDN-served asset hasn't been tampered with.
- TLS-RPT
- SMTP TLS Reporting -- a DNS TXT record telling sending MTAs where to deliver aggregate reports about TLS-handshake failures and MTA-STS policy violations.
- tracking pixel / tracker SDK
- A tiny piece of JavaScript or a 1x1 image loaded from a third-party domain that records visitor behavior for analytics, advertising, or session-replay purposes.
- X-Frame-Options
- An HTTP response header (`X-Frame-Options: DENY` or `SAMEORIGIN`) telling browsers whether the page is allowed to be embedded in an `<iframe>`. Primary defense against clickjacking.
SEO
- 301 Redirect
- An HTTP `301 Moved Permanently` response telling browsers and search engines that a URL has permanently moved to a new location.
- BCP 47
- The IETF standard for language tags -- the format you put in HTML `lang=`, `hreflang=`, and HTTP `Content-Language` headers. Examples: `en`, `en-US`, `zh-Hans`, `de-CH`.
- Canonical URL
- The preferred URL of a page when duplicate or near-duplicate content exists, declared via `<link rel="canonical" href="...">`.
- hreflang
- An HTML attribute (`<link rel="alternate" hreflang="en-US" href="...">`) telling search engines which language and region each version of a page targets.
- JSON-LD
- JavaScript Object Notation for Linked Data -- the JSON-based format Google and other search engines prefer for embedding structured data (`<script type="application/ld+json">`) in HTML pages.
- lastmod (sitemap)
- An optional `<lastmod>` child element on a sitemap `<url>` entry that tells crawlers when the page last changed -- used to prioritize crawl budget toward genuinely-updated content.
- Lorem ipsum
- Latin placeholder text used by designers and developers when real content isn't available yet. Finding it on a live production page indicates a deploy bug -- the placeholder was never replaced.
- Meta Description
- An HTML meta tag providing a brief summary of a page's content, often used by search engines as the SERP snippet.
- Mobile-First Indexing
- Google's policy of using the mobile version of a page as the primary version for indexing + ranking; in effect for nearly all sites since 2023.
- Open Graph
- A protocol (originally from Facebook) for declaring how a URL should appear when shared on social platforms, via `<meta property="og:...">` tags.
- Open Graph image dimensions
- Recommended pixel dimensions and aspect ratio for the `og:image` meta tag. Facebook/LinkedIn render shares using a 1.91:1 aspect ratio (~1200×630); Twitter's `summary_large_image` card uses 2:1. Wrong dimensions cause ugly cropping in shares.
- rich results
- Enhanced search-result presentations (sitelinks search box, FAQ accordion, breadcrumb trail, product card with price + rating, recipe card, etc.) that Google renders for pages with eligible structured data.
- robots.txt
- A plain-text file at the site root telling crawlers which paths they may or may not request, following the Robots Exclusion Protocol.
- Sitemap
- An XML file (typically `/sitemap.xml`) listing every indexable URL on a site, used by search engines to discover content.
- sitemap index
- An XML file that lists multiple sitemap URLs (`<sitemapindex>` root) -- the canonical way to publish more than 50,000 URLs without exceeding the protocol's per-file cap.
- Soft 404
- A page that returns HTTP 200 (success) but renders 'page not found' template content. Search engines treat the response as real indexable content because the status code lies, polluting search results and wasting crawl budget.
- Structured Data
- Machine-readable metadata in JSON-LD, microdata, or RDFa that helps search engines understand a page's content -- typically using the schema.org vocabulary.
- Title style
- The format consistency, freshness, and keyword balance of the page title text. Distinct from title length -- a 50-char title may still be poorly styled (mixed separators, repeated keywords, stale year).
- x-default hreflang
- A special hreflang value (`<link rel="alternate" hreflang="x-default" href="...">`) marking the URL search engines should serve to users whose language / region matches none of your other hreflang entries.
Web technology
- CDN
- Content Delivery Network -- a distributed network of edge servers that cache and serve content from a location physically close to the requesting user.
- charset declaration
- A `<meta charset>` tag (or `Content-Type` HTTP header) that tells the browser which character encoding the document uses. Must appear in the first 1024 bytes of HTML.
- DNS
- Domain Name System -- the distributed directory translating human-readable hostnames (example.com) into IP addresses (93.184.216.34).
- doctype declaration
- The first line of an HTML document (`<!DOCTYPE html>`) that tells the browser to use HTML5 parsing rules and standards-mode rendering instead of legacy quirks mode.
- HTTP/2
- The 2015 update to HTTP that introduced binary framing, multiplexing, header compression, and server push -- delivering multiple resources over a single TCP connection.
- Lazy Loading
- Deferring the load of below-the-fold images and iframes until the user scrolls them near the viewport, via `loading="lazy"` on `<img>` and `<iframe>`.
- Maintenance mode
- A site state where the application is taken offline for scheduled updates, typically with a placeholder page returned to all visitors. Should return HTTP 503 with a `Retry-After` header so browsers and search engines treat the response as transient.
- TLS
- Transport Layer Security -- the cryptographic protocol that secures HTTPS, encrypting traffic between client and server and authenticating the server's identity.
- WebP
- A modern raster image format developed by Google offering ~25-35% smaller file sizes than JPEG / PNG at equivalent visual quality.