Tag: Web Development

Headings and why you should use them

Michiel Heijmans

This is a republish: we’ve made some minor changes to it. We decided to republish it, because this post and its content are still applicable and important now.

This post just had to be written. Somehow we have a chapter about Headings in all (!) our site reviews. Usually the website owner can’t change a single thing about the heading setup of the website, as he is unwilling or just lacks the knowledge to change the theme of the website. But headings do matter.

There are two ways headings can structure your content. In classic HTML, there would be 1 H1 tag on each page, maybe a couple of H2’s etc and these would all combine to form an outline of the entire document.

In HTML5, each sectioning tag (for instance <section> and <article>) starts again with an H1. This was done to make it easier to combine several components onto one page and still have a valid outline. It makes sense from a clearly theoretical perspective, but it’s lots harder to understand and we generally recommend against using it. This article explains what’s “wrong” with it.

Structuring the entire page

In the case of HTML4, it seems logical to use one H1 per page, of course being the main title of that page. In most cases, that’s not your brand name or website name (on your homepage it probably is, and that’s fine). On this page on yoast.com, it’s “Headings and why you should use them”. That is what this content is about. I’m not going to talk about Yoast here, so no need to make that the H1, right? Here’s what Matt Cutts has to say about it:

On a category page that H1 would be the category name and on a product page the product name. It’s not that hard, indeed. That is why we still recommend using the H1 this way.

H2 is for subheadings of that H1. Use it to divide content into scannable blocks; both Google and your visitor will like it. H3 is for subheadings of that H2, preferably. Sometimes I use H3 for blocks that should be H2, but just don’t hold that much information for the visitor, like the closing heading on this post, where I will ask you to comment on my statements – perhaps you don’t agree and we could have a nice discussion about that ;-)

I want to emphasize that this all isn’t new. Over the last six or seven, maybe even more years, not much has changed in the way we recommend using headers.

Without headings, it is all Chinese

Without headings, it is all Chinese

What I dislike most, is when people use headings to style certain elements of a website. “Call us at 0123456789″ and use H1 to style the phone number. Your web designer knows better than that. Have him add a class to your CSS file for that. Even Google’s SEO Starter Guide mentions this. Second, when people just squeeze an entire paragraph in an H2 or H3. That happens more often than you think. Sales pages or landing pages love that practice. We don’t.

Look what headings we found in the attic

Have you used any H4s, H5s or H6s lately? Alright, using an H4 could be useful if your text is longer than a 1,000 words and you want to add an extra layer in the page structure. And the H4 could be used for sidebar or footer headings that don’t include that keyword you want to rank for, but any other use of these headings seems unnecessary. Funny thing is that a lot of themes just did not pay that much attention to these headings as well, sometimes making H5 text smaller than paragraph text.

You should style them to make them look more important than regular text, but don’t overdo this. These headings are extras, I think. Used in the early days of the internet, but more and more useless these days. I wouldn’t mind if we would get rid of at least H5 and H6 altogether, to be honest. Using three, four headings at most is structure enough for me.

Headings and SEO

You are going to ask this: what value do headings have for SEO? Well, we feel that the value is less than it was, but headings still help Google to grasp the main topics of a long post. As mentioned, Google might scan your post as well and why not make that as easy as possible?

There are other things like great content and schema.org markup that will help your rankings more than a great heading structure, but in the end, using a nice heading structure isn’t that hard and helps your visitors as well. So please, at least use a heading structure and the way we described it above is easy enough for everyone to use.

What are your  thoughts on headings?

As promised: we are really looking forward to your thoughts on headings. They should be in any theme, but to what extent? Drop your 2 cents in the comments!

This post first appeared as Headings and why you should use them on Yoast. Whoopity Doo!

Moving your website to https / SSL: tips & tricks

Joost de Valk

HTTPS EverywhereIn January I wrote about our plans in moving Yoast.com to SSL. We’ve since done that, with great results from an SEO perspective: we had no negative effect on traffic, whatsoever. Two weeks ago, we also moved our tool Quix to https. There are quite a few things we learned in the process of moving these two sites to SSL that we thought would be worth sharing with all of you. Also, some things happened in the last few weeks that make SSL a hot topic, so we’ll discuss those first.

Ranking benefit for completely SSL sites?

Last month, Search Engine Land reported that Matt Cutts had said about SSL that he’d “personally love to make it part of the ranking algorithm”. The Wall Street Journal picked up on this two days ago. Whether or not this actually happens (or, perhaps, has already happened) doesn’t really make much of a difference to me. A completely SSL site looks more trustworthy than a non-SSL one [reference needed].

From a spam fighting perspective I think I can see why Matt would like it. I don’t think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them. The cost would soon become higher than the profit in many niches.

Heartbleed

The recent Heartbleed debacle (if you don’t know what it is, read this and / or this simple explanation) showed us once again how vulnerable the web can be. The good thing about it is that when you think about people being able to “listen” to your web traffic, you suddenly realize it might actually make sense to encrypt a whole lot more of it.

Moving your site to https

In moving yoast.com completely to https / SSL we figured out there’s a few things you need to be aware of:

  • All of your internal links should start to use https, not just to pages, but for images, JavaScript, CSS, etc. This means going through your theme with a fine comb and cleaning all of those up. Of course you can have your web server redirect http to https (more on that below), but not having to do the redirect is a lot cheaper.
  • Your CDN needs to support SSL too. Of course, we use and love MaxCDN and they can set up SSL for your CDN subdomain very easily.
  • SPDY, a networking protocol primarily developed by Google that you can enable for SSL traffic, is awesome. It makes your website faster and funnily enough that means that your fully SSLed site could actually be faster for those people who visit your site with modern browsers than your plain http site.
  • Not all SSL setups are equally safe. Once you’ve set up your site with SSL, it’s important to then make a conscious decision about how safe you want your traffic to be and act on that, more below.
  • You will need a static and unique IP for your site. This is “logical” if you know how SSL works, but it also means that most shared hosting servers won’t allow you to do this. – As mentioned by David in the comments: if your server supports Server Name Indication you don’t even need a dedicated IP.

https & SSL Web server config

Because yoast.com is hosted on Synthesis, we didn’t have to do much to allow for SSL with full support for SPDY, as they took care of all the details for that, which is only part of the reason we love them. For Quixapp.com we had to do it ourselves, which meant re-compiling our NGINX with SPDY support and a few more bits and bobs. For most people it’s probably a better choice to either go with a smart hosting provider like Synthesis or hire someone to do this for you. If you’re not sure whether your current setup supports SPDY, you can use spdycheck.org to check, or simply type spdy in Quix.

We did tweak our setup quite a bit though, as SSL can require more resources on your server and not setting it up properly could lead to load issues and delays. Below are the specific lines from our NGINX config related to the SSL session cache:

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

The next thing to tweak are the available ciphers. If you’re implementing this, I’d suggest referring to this article about hardening your web servers SSL ciphers as it explains in detail some of the settings below. That article is kept up to date so it’s better to check that than the code below, but for reference, this is what we currently use on yoast.com:

ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Add-on: OCSP Stapling

In the comments there was a question from Jesin about whether we’d implemented OCSP stapling. We hadn’t, simply because I didn’t know what it was. I looked it up and saw several very positive mentions of the topic, for instance this CloudFlare post, so I implemented it straight away.

It means that you sent status info about your certificate along with the request, instead of making the browser check the certificate with the Certificate Authority. This removes a large portion of the SSL overhead, the CloudFlare post above explains it in more detail.

I used this guide, but it’s very easy, just add this to your NGINX config (this uses Google’s DNS for resolving and assumes your certificate file contains the entire certificate chain):

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

Strict Transport Security header

One of the other cooler things you can do is add a Strict Transport Security header. This will force the browser to load all subsequent requests from the same host over https, even when you’ve linked to http.

In NGINX, you add this like this:

# This forces every request after this one to be over HTTPS
add_header Strict-Transport-Security "max-age=31536000";

For other servers, including Apache, check the WikiPedia page on the Strict Transport Security header, more specifically the implementation section. Note that if you run subdomains, you could also add those, but unfortunately not ALL our subdomains are on SSL yet, so we haven’t been able to do that yet. Luckily, our friends at MaxCDN were nice enough to turn it on for us.

BTW if you’re wondering why I use MaxCDN, their new tools site shows nicely how fast the already blazing fast yoast.com is in comparison to cdn.yoast.com, which is running at rocket speed, compare the two here. That tool is pretty useful to compare two sites in speed.

SSL test

qualys ssl a+ ratingIf you’ve done the above correctly, you should be able to pass the Qualys SSL test with flying colors, we sure do. If you use Quix, you can run that test on any domain simply by typing the command ssltest. I think you should aim for at least A in this test, though A+ is easily achievable when you add the above Strict Transport Security header.

Redirect from http to https

This last bit will help you tremendously when you’ve not updated every single link in your site yet. You can just add a straight server level redirect from http to https. In NGINX, we do this by having two servers defined in our config, the “right” one, that listens on port 443 and a simple one that listens on port 80 (normal http) and has just this:

server {
listen 80;
server_name yoast.com www.yoast.com;
return 301 https://yoast.com$request_uri;
}

This seems to be the fastest way of doing this in NGINX, in Apache you’d do something like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

What type of SSL certificate should you get?

In my opinion, if you’re going to invest serious time in doing this, it’s only worth it when you make sure you get the maximum benefit. With Extended Validation certificates you get the green address bar, which is what you want:

extended validation SSL certificate

If you think that’s expensive, think again. For instance here at Namecheap an EV SSL cert could cost you as little as $139 a year, so go for that but be sure to check their different offers if you have multiple domains. Of course if you’re cheap you could get just a domain validation certificate which would cost you like $9 a year.

So… Should you move your website to https?

If you’re a web shop or otherwise transactional website you probably already have SSL for your checkout. If so, moving your entire website to https makes a LOT of sense to me, it’s probably actually easier to maintain and makes sure that you’re doing everything to make sure your SSL traffic (and thus the most important section of your site) is as fast as possible.

If you’re a purely informational website you might not need to make the move, but if some of that information could be privacy sensitive, I think it’d be a good idea to implement SSL anyway.

Would love to hear your ideas on moving your website to https and SSL in the comments!

This post first appeared on Yoast. Whoopity Doo!

Breaking up responsive design

Michiel Heijmans

Over the last couple of weeks I have been dealing with the fine art of CSS. Although that is not my daily business anymore – because I lead the website review team here at Yoast – I really enjoyed mastering SCSS and using that for an actual design. During this field trip, I encountered several front end discussions about responsive web design that intrigued me. They actually fascinated me enough to write this post and invite you to share your thoughts about these issues in the comments. We will all benefit by sharing experience, right?

I’m not Will Hunting, I’m not the only one being able to solve this issue, so I will just write down the steps I took in styling a responsive website for all devices. And am looking forward to your thoughts on this.

First tracks

The first thing I wanted to overcome was the issue of relative font sizes. What would be the best practice and why? As rem seems to be the standard these days, that decision was quickly made. First declare pixels for older browsers, than rem for current browsers.

Being old school, I have been scaling down the browser base font (16 pixels in most cases) to 62.5% for a couple of years now. It is just so much easier calculating up and down from 10 pixels, right? Of course that would mean using a font size of 16 pixels for paragraphs would lead to this CSS:

p {
  font-size: 16px;
  font-size: 1.6rem;
}

Oh the simple things. But this actually made my browser (Chrome for Mac) show a 1.6 * 16 = 25,6 pixel font before showing the 16 pixels I intended it to be. I wouldn’t put my finger on why this was happening, so I just decided to see how Jeremy Keith was doing this. Ever since Reboot 8 (Copenhagen) I have been following this man from a distance, as he seems to be the no-nonsense guy that just does things the right way. His website does not use the 62.5% ‘hack’, but simply calculates rem font sizes from the 16 pixels standard. The simplest things are usually the best. And yes, I did change my entire stylesheet to match that method. Luckily for me I used a separate SCSS file for font sizes, so this really was a ten minute change ;)

Padding and margin

Second stop was padding and margin. I have been going over this a couple of times, trying to decide on what to use for this: px, em or rem. I must have read a dozen articles on the topic. Of course there are always purists that tell you to always use em for this, but my conclusion was that, as for now, it really does not matter. You just want your white space to look right on all screen sizes. I decided to stick with pixels, as it is just the clearest, most easy way to do this.

There is just one exception in my book: padding-bottom for things like paragraphs and list, perhaps even headings. I use em for that. That might be a personal legacy, or something I an used to, but it seems to make sense to relatively calculate the whitespace below relatively sized elements, as a factor of that element (so using em).

Design your mobile website

With all element dimensions set, I took up the almost impossible task to decide where my design was going to change into the mobile design it should be. I think that is actually step one in responsive design: design the mobile version of your website. Don’t just take the website, reduce browser width to 320 pixels and see how you can make that look good.

Seriously, sit down and try to paint the mobile picture for your website. And all elements in it you can think of. Using Genesis and building plugins ourselves, this meant adding a gazillion (OK, perhaps a little less than that) widgets to a sidebar, scratch that, to all sidebars and styling these one by one.

It will make sure you forget as little as possible. Even writing this post made me realize I forgot one or two widgets, so keep in mind that this is of course also an ongoing process.

With the mobile and regular site designed, it is time to decide where to break your design for different devices.

Breaking up is hard to do

There are two ways to go:

  1. Breaking up the design using em’s
  2. Breaking up the design using pixels

Now note that this is not an exact science. As designs differ, these breaking points differ. Again, in my book. Looking forwards to your thoughts and ideas.

Relative breakpoints

The main idea behind using em’s is pixel independency. At the moment, that usually means 1024 pixels is replaced by 1024/16 = 64em. Vasilis van Gemert did an interesting article on Smashing Magazine on these breaking points earlier this year. It also deals with questions like what we should call them (I really don’t care about how we call them, to be honest) and how we could add columns to a layout using responsive design.

Responsive does not always mean showing one TwixRegarding that last one: that is a really nice extra, but I’m dealing with a blog design here. There is no left Twix, there is just the entire two-piece Raider inside the wrapper: main content and sidebar.

I’m under the impression we have been given tools and feel the need to use all. But when hammering one piece of wood to another for a client, you just need a hammer and nails. In most cases, you do not need a power drill. Your client probably has not even thought of doing things this way. Adding extras should not be a billable hour filler without an actual purpose.

In the article, I especially like the sentence: “If the user prefers a bigger font, then the layout would always be optimized in a way that’s relative to the font size.” I like it because I partly agree. And mainly because it is food for thought. It’s a starting point for nice projects like Marko Dugonjić. But would that work in my real world?

I want a design to look nice and readable on all devices. Vasilis also makes a great, valid point about the length of a sentence, that I wanted to take in account. It simply should be an easy read. The eye can’t cope with long lines, in most cases. I don’t agree with the mentioned conclusion “If you start with a small screen and you grow it, every time the width of the main content grows wider than either 75 characters or 10 words, something should happen. Simply said, these are your breakpoints.” I have been thinking about this when styling a full width page and just decided, after a quick word with our designer, not to make that full width actually full width, but just limited the width of an inner <div> within the main content <div>. But this really is your call. This is simply how we decided to do it.

Absolute breakpoints

As there does not seem to be a fixed set for relative breakpoints, I decided to go with absolute breakpoints instead. Using pixels, you can easily determine where you want the design to break. No calculating, just simple measuring and responding to what the design does.

Most designs are not that complex, column wise, so styling them nicely towards a mobile version is not that hard, just make sure to check every variation possible in your page layout.

iOS Resolution Reference by Ben Lew

iOS Resolution Reference by Ben Lew – see iosres.com for more details

I decided on three screen widths to start with:

  • 1024 pixels
  • 640 pixels
  • 320 pixels

That’s a regular iPad (landscape), an iPhone 5 and up (landscape) and an iPhone (not retina, portrait). Yes, we like Apple here at Yoast. But we also test on other devices, don’t worry ;) I just needed some starting points, on which I would check what design changes where necessary.

The rest is pretty simple. Set your browser to that width, add a media query like this to your stylesheet:

@media (max-width:1024px) {
  div.content {
    width:67%;
  }
  div.sidebar {
    width:25%;
  }

No, these are not exact numbers. Of course the percentages make sure the <div>s are more flexible. Of course you also play with your browser width when styling your responsive website. It’s just easier like that. But let’s not go into those details. Let’s discuss these breakpoints some more.

Now this might be a personal issue, but I think there is nothing wrong with adding multiple media queries to a stylesheet. If you have read or written an article on how adding multiple media queries affects site speed, I’d love to read that, please drop a link in the comments below.

For me, these three breakpoints work like a charm. I have to make a sidenote though: the design has a max width of 1280 pixels, which spreads the breakpoints nicely over the range desktop to mobile.

I do think that, apart from the three breakpoints I mentioned, you should be specific about what width you are targetting, so using a media query like @media (min-width:855px) AND (max-width:1024px) { ... } is totally alright. There will always be gaps to fill in between these breakpoints, and as mentioned earlier, I want a design to look nice and readable on all devices. Now it does.

In conclusion

So, taking all things in consideration, these are the outcomes of me building a responsive template:

  • Use rem for font sizes and calculate these from the browser default, usually 16px,
  • use whatever seems appropriate for padding and margin, which in my case is usually pixels for most block elements and em for whitespace related to text, and
  • use pixels to set breakpoints.

Regarding these breakpoints: you should test that. See what works for your design. That brings me to my final question:

What are your experiences with responsive design? At what width have you set your breakpoints and more important: are these fixed sizes for all designs or do you set them again for each new website?

Please add your experiences in the comments below.

This post first appeared on Yoast. Whoopity Doo!

Why you should not use autocomplete

Joost de Valk

Several updates to this post below!

Today at Pubcon Matt Cutts of Google once again promoted the use of autocomplete-type, a new property for web forms that works in Chrome (and possibly other browsers, I haven’t checked). Google first introduced it back in January 2012 in this post. I wanted to do this quick post to tell you to turn off autocomplete in your browser.

This test URL will show you why quicker than I can explain it in words. Please try it and come back. If you’re using autocomplete to, for instance, sign up for an email newsletter, you might have just provided that website with your full address and/or (even worse) your credit card details too. It’s as simple as adding the fields to the form and hiding them from the user…

So: turn off autocomplete until your browser has better controls on what gets autofilled.

How to turn off autocomplete in Chrome

In Chrome, go to your Settings, click Advanced, then make sure the top box here (that is checked in the screenshot) is NOT checked:

disable-autocomplete

Post Updates

  • It turns out Matt was talking specifically about requestAutocomplete, which is altogether different. This blogpost explains it best, go read it, as it’s rather cool. It effectively deals with the problem shown above by showing you what will be autocompleted! However, as you can see in the test above, you’re still vulnerable right now if you use “normal” autocomplete.
  • Safari is just as vulnerable to what I showed above as Chrome is. In fact, autocomplete is on by default in it:
    safari autofill
  • Filling credit card info requires you to focus on a credit card specific field that is not the credit card name field. This makes this feature inherently more safe, but it still means you could retrieve your personal address and much more when all you thought you were giving out is your email address or name.

This post first appeared on Yoast. Whoopity Doo!