Website Spec

Changelog

What changed in the spec — new topics, status changes, and honest removals, newest first. Subscribe via RSS.

June 2026

  1. Added

    Redundant entry (WCAG 2.2 SC 3.3.7)

    Added a page on redundant entry, WCAG 2.2 Success Criterion 3.3.7 (Level A): information a user already entered earlier in the same process must be auto-populated or selectable, not typed again. It covers the essential, security, and expired exceptions and the carry-forward and autocomplete patterns that satisfy it.

  2. Added

    New page on the Server-Timing header

    Added a page on the Server-Timing header, which surfaces backend metrics — database time, cache hits, edge processing — in browser DevTools and to real-user monitoring via the PerformanceServerTiming API. The site now ships it as a worked example: every response carries an edge timing metric measured in the Cloudflare Pages middleware.

  3. Added

    New page on the translate attribute

    Added a page on the translate attribute, which marks content that automatic translation systems must leave alone — brand names, code, and identifiers. It complements the lang attribute: lang declares what language content is in, while translate="no" keeps Google Translate and the browser’s built-in translation from mangling terms that have no localised form.

  4. Added

    Added a page on accessible authentication

    New Accessibility topic on accessible authentication — WCAG 2.2 added success criteria 3.3.8 and 3.3.9, which forbid making people pass a cognitive function test (recalling a password, transcribing a code, solving a puzzle) to log in unless an accessible alternative exists. The page covers supporting password managers, allowing paste, autocomplete="one-time-code", and passkeys; status: recommended.

  5. Changed

    MDN's MCP server cited on the MCP page

    The MCP and tool discovery page now points to MDN’s 2026 MCP server as a real-world example of a reference site exposing its documentation and Baseline browser-compatibility data over the protocol — reinforcing that a structured, queryable corpus is the case where shipping an MCP server earns its keep.

  6. Added

    Added a page on the Reporting API (Reporting-Endpoints)

    New Security topic on the Reporting API — the Reporting-Endpoints response header that names collectors for the browser’s structured reports: CSP and COOP violations, permissions-policy breaches, deprecations, interventions, and crashes. It supersedes the legacy Report-To header and report-uri directive. The site now ships the header and a collector, closing a ship-it-before-you-spec-it gap; status: recommended.

  7. Added

    Added a page on cross-origin isolation (COOP / COEP / CORP)

    New Security topic on cross-origin isolation — the Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy response headers that sever risky cross-window links (tabnabbing, XS-Leaks) and keep your resources out of an attacker’s process (Spectre). The site already ships COOP and CORP on every response, so this closes a ship-it-before-you-spec-it gap; status: recommended.

  8. Added

    Added a page on Compression Dictionary Transport

    New Performance topic on Compression Dictionary Transport (RFC 9842) — reusing a previously served response, or a dedicated dictionary, as a Brotli/Zstandard dictionary so updated assets compress to a fraction of their size. Pure progressive enhancement over ordinary compression; status: optional.

  9. Changed

    FAQ rich results retired by Google

    Updated Structured data to reflect that Google retired the FAQ rich result in 2026. FAQPage is still valid schema.org vocabulary, but it no longer produces a search feature and no answer engine has confirmed it favours the markup over rendered HTML — so add it only for genuine, visible Q-and-A content, never for SERP or “GEO” gain.

  10. Added

    Added a page on conditional requests

    New Performance topic on conditional requests — how ETag, Last-Modified and 304 Not Modified responses let browsers and agents revalidate cached responses cheaply instead of re-downloading unchanged bodies. Status: recommended.

  11. Added

    Six new topics across six categories

May 2026

  1. Added

    The Website Specification, v0.1

    First public version: a platform-agnostic specification of what a good website does, spanning Foundations, SEO, Accessibility, Security, Well-Known URIs, Agent Readiness, Performance, Privacy, Resilience and Internationalisation. Every topic is tagged required, recommended, optional or avoid, and cited from primary sources. Available as HTML, Markdown, a checklist, llms.txt, RSS, and an MCP server.
