The StackOptic Blog

Practical guides on identifying website technologies, SEO and GEO, web performance and lead generation — from the team behind StackOptic.

First Contentful Paint — the FCP loading metric explained
Web Performance

What Is First Contentful Paint (FCP)?

First Contentful Paint marks when a page first shows content. What FCP is, what is good, how it differs from LCP, what causes a slow score, and how to fix it.

25 May 20269 min read
Resource hints: preload, prefetch and preconnect explained with examples
Web Performance

How to Use preload, prefetch, and preconnect (Resource Hints)

Resource hints tell the browser what to fetch and connect to early. When to use preconnect, dns-prefetch, preload, prefetch and modulepreload, and the pitfalls.

25 May 202610 min read
Optimising CSS to speed up rendering and improve FCP and LCP
Web Performance

How to Optimize CSS for Faster Pages

CSS is render-blocking, so bloated stylesheets delay your page. How to minify, cut unused CSS, inline critical CSS and defer the rest to speed up FCP and LCP.

25 May 202610 min read
Browser caching and the HTTP headers that control how files are reused
Web Performance

What Is Browser Caching and How to Set It Up

Browser caching lets visitors reuse files instead of re-downloading them. What it is, the HTTP headers that control it, cache-busting, and how to verify it.

25 May 20269 min read
How to secure cookies with HttpOnly, Secure and SameSite
Web Security

How to Secure Cookies with HttpOnly, Secure, and SameSite

How to harden cookies with the HttpOnly, Secure and SameSite attributes, plus Path, Domain and the prefixes — and how to inspect them in browser DevTools.

25 May 20269 min read
What two-factor authentication is and why to use it
Web Security

What Is Two-Factor Authentication (2FA) and Why Use It

A clear guide to two-factor authentication: the three factor types, methods ranked from SMS to passkeys, and why 2FA stops phishing and credential-stuffing.

25 May 20269 min read
What cross-site request forgery (CSRF) is and how to prevent it
Web Security

What Is Cross-Site Request Forgery (CSRF)?

CSRF tricks a logged-in user's browser into sending an unwanted request. Learn the concept and defences: anti-CSRF tokens, SameSite cookies and origin checks.

25 May 20269 min read
What a data breach is and how to respond to one
Web Security

What Is a Data Breach and How to Respond

A plain-English guide to data breaches: what counts as one, the common causes, a step-by-step incident-response plan, the GDPR 72-hour rule, and prevention.

25 May 20269 min read
What a web application firewall (WAF) is and how it filters traffic
Web Security

What Is a Web Application Firewall (WAF)?

A plain-English guide to web application firewalls: what a WAF filters, the deployment types, OWASP rule sets, false positives, and when a site needs one.

25 May 202610 min read
HTTP/1.1, HTTP/2 and HTTP/3 compared and why they matter for speed
Web Performance

What Are HTTP/2 and HTTP/3, and Why They Matter for Speed

HTTP/2 and HTTP/3 fix HTTP/1.1's bottlenecks. What each protocol changes, how multiplexing and QUIC speed loading, and how to check which your site uses.

25 May 202611 min read
Gzip and Brotli text compression for HTML, CSS and JavaScript
Web Performance

What Are Gzip and Brotli Compression (and How to Enable Them)?

Gzip and Brotli shrink HTML, CSS and JavaScript before they are sent. What each is, how Brotli compares to Gzip, how to verify it, and how to enable it.

25 May 202611 min read
Time to First Byte — the TTFB server response metric explained
Web Performance

What Is Time to First Byte (TTFB) and How to Improve It

Time to First Byte measures how long the browser waits for a server response. What TTFB is, what counts as good, its components, and how to improve it.

25 May 20269 min read
What clickjacking is and how to prevent it
Web Security

What Is Clickjacking and How to Prevent It

Clickjacking tricks users into clicking hidden controls via invisible frames. Learn how to check if your site is framable and the defences that stop it.

25 May 20269 min read
What HSTS is and how to enable it on your website
Web Security

What Is HSTS and How to Enable It

A practical guide to HTTP Strict Transport Security: how HSTS forces HTTPS, blocks SSL-stripping and downgrade attacks, its directives, and how to enable it.

25 May 20268 min read
Detecting whether an online store is built with the BigCommerce platform
Tech Stack Guides

How to Tell if a Website Is Built with BigCommerce

BigCommerce leaves clear fingerprints: cdn11.bigcommerce.com assets, /stencil/ theme paths and a window.BCData object. Here is how to detect it in under a minute.

25 May 20269 min read
How to protect your website from bots and scrapers
Web Security

How to Protect Your Website from Bots and Scrapers

Not all bots are bad. Tell good crawlers from abusive scrapers, spot the signals of bot traffic, and layer rate limiting, CAPTCHA, a WAF and bot management.

25 May 202610 min read
Lazy loading — deferring offscreen images and iframes until they are needed
Web Performance

What Is Lazy Loading and How to Use It

Lazy loading defers offscreen resources until needed. What it is, how to use native loading="lazy", when not to lazy-load, and avoiding any layout shift.

25 May 202610 min read
Detecting which A/B testing or experimentation tool a website uses
Tech Stack Guides

How to Tell if a Website Uses an A/B Testing Tool

Optimizely, VWO, AB Tasty and Convert leave fingerprints: anti-flicker snippets, _vwo cookies and window globals. Here is how to detect a site's test tool.

25 May 202610 min read
Detecting whether a website uses HubSpot CRM and marketing software
Tech Stack Guides

How to Tell if a Website Uses HubSpot

HubSpot leaves clear fingerprints: js.hs-scripts.com tracking code, hubspotutk and __hstc cookies, and hsforms embeds. Here is how to detect it quickly.

25 May 20269 min read
Detecting which web server software a website runs
Tech Stack Guides

How to Find Out What Server Software a Website Runs (Nginx, Apache, LiteSpeed)

The Server response header usually names the web server — nginx, Apache, LiteSpeed, IIS or Caddy. Here is how to read it, and why CDNs and proxies often hide it.

25 May 20269 min read
Detecting whether a website is built with the Astro framework
Tech Stack Guides

How to Tell if a Website Is Built with Astro

Astro leaves clear fingerprints: astro-island elements, an Astro generator meta tag and _astro/ asset paths. Here is how to detect it in under a minute.

25 May 20269 min read
Detecting whether a website is built with the Laravel PHP framework
Tech Stack Guides

How to Tell if a Website Is Built with Laravel

Laravel hides on the server, but it leaks tells: XSRF-TOKEN and laravel_session cookies, /storage/ paths and Blade markers. Here is how to spot each one.

25 May 202611 min read
The carbon cost of video and streaming on the web and how to reduce it
Sustainability

What Is the Carbon Cost of Video and Streaming?

Video is the heaviest thing most sites serve, and streaming dominates internet data. Here is what really drives its carbon cost and what site owners control.

25 May 20269 min read
Measuring a website's carbon emissions with free online tools
Sustainability

How to Measure Your Website's Carbon Emissions

You cannot reduce what you do not measure. Here are the free tools that estimate website carbon, what they base it on, and how to track emissions over time.

25 May 202610 min read