Check a website. See what needs fixing.
Enter any public domain to see its current score, the factors behind it, and the issues to fix first.
If you sell to the U.S. federal government — or you ARE the U.S. federal government — your site has to clear this bar.
Section 508 of the Rehabilitation Act, refreshed in 2018 to incorporate WCAG 2.0 Level AA by reference. Mandates accessibility for all federal agency websites and any vendor's electronic content procured by the federal government.
Federal RFPs require Section 508 conformance, often demonstrated via a VPAT (Voluntary Product Accessibility Template). No 508 conformance means you're disqualified before bid review.
Applies to federal agencies (.gov) and any vendor selling electronic content to the U.S. government.
The federal counterpart to AODA. If you're a federally regulated entity — banks, telecoms, airlines, broadcasters — you publish accessibility plans and progress reports, and your digital surfaces are in scope.
A 2019 federal act creating Accessibility Standards Canada and requiring federally regulated public and private entities to publish accessibility plans, feedback processes, and triennial progress reports. Standards are still being published; in the meantime WCAG AA is the operative web benchmark.
ACA isn't just a policy goal — entities that don't publish plans and reports face fines up to CAD $250,000. Web accessibility is one of the seven priority areas the Act explicitly enumerates.
Federally regulated entities in Canada — federal departments, banks, telecoms, broadcasters, interprovincial transport.
Courts treat consumer-facing U.S. websites as places of public accommodation. WCAG AA conformance is the de-facto safe-harbor — the DOJ has said so since 2022.
The Americans with Disabilities Act doesn't explicitly cite WCAG, but the DOJ's 2022 guidance and a decade of case law have settled on WCAG 2.0/2.1 AA as the operative benchmark for website accessibility.
Demand letters and lawsuits over inaccessible U.S. websites are a real, ongoing legal risk — settlements average $20K–$50K. An accessibility statement plus credible WCAG AA scan results substantially reduces exposure.
U.S. consumer-facing websites of businesses considered places of public accommodation.
Explicit allow/disallow rules for GPTBot, ClaudeBot, PerplexityBot, and friends. Default-deny means missing AI citations; default-allow means free training data.
User-agent–specific rules in robots.txt that grant or deny access to known AI crawler bots: OpenAI's GPTBot, Anthropic's ClaudeBot, Common Crawl's CCBot, Google's Google-Extended, and others.
An unaddressed robots.txt is ambiguous in 2026 — some bots default to allow, some don't. Be explicit, and decide whether you want to be in the AI corpus.
Every site that has an opinion about AI training and citation.
The IETF working group standardizing how sites express AI training / inference preferences. Likely to subsume ai.txt, llms.txt opt-out semantics, and the messy patchwork of robots.txt AI directives.
IETF AI Preferences (aipref) Working Group — chartered 2024, milestones target August 2026. Three deliverables: (1) a vocabulary for AI-related preferences (training, search, inference); (2) protocol bindings for attaching those preferences to content (HTTP headers, well-known URIs, in-body metadata); (3) a reconciliation method for conflicting signals. Chairs: Mark Nottingham + Suresh Krishnan.
The current opt-out landscape is a mess — robots.txt for crawlers, ai.txt for training, X-Robots-Tag, ad-hoc TDM Reservation Protocol, schema.org content-license — all incompatible. aipref is the credible path to one signal that AI labs, regulators, and CMS vendors all parse. Standards adoption is years out, but tracking the draft now lets you align ai.txt and robots.txt directives with the eventual format.
Anyone tracking AI policy or building tooling around training opt-outs.
`/.well-known/ai-plugin.json` — the original ChatGPT plugin manifest format. Largely superseded by GPTs / Custom Actions, but still referenced and parsed by some agents.
A JSON manifest at `/.well-known/ai-plugin.json` describing a site's API surface to LLM agents: name, description, auth model, OpenAPI spec URL, contact info. Introduced by OpenAI for ChatGPT plugins in March 2023; the plugins program was sunset April 2024 in favor of GPTs and Custom Actions, but the manifest format lives on as a generic well-known capability descriptor.
The plugin era is over, but the well-known path is still scanned by emerging agent frameworks (LangChain, LlamaIndex agents, some MCP bridges). It costs nothing to publish if you already have an OpenAPI spec, and signals `this site has a programmatic surface` to any agent that looks. Don't build a strategy around it; do ship one if you have an API.
Sites with public APIs that want to be agent-discoverable.
Site-level opt-out signal for AI training, distinct from llms.txt. Where llms.txt is a positive content map for AI consumption, ai.txt is `do not train on this`.
An emerging well-known file (`/ai.txt`) proposing per-asset opt-out rules for AI training datasets. Originally proposed by Spawning, now overlapping with the IETF AI Preferences working-group output. Often confused with llms.txt — the two are orthogonal: ai.txt restricts training-time use, llms.txt advertises content for inference-time consumption.
robots.txt + AI-bot user-agents covers crawler access but not downstream dataset use; once your content is in Common Crawl or LAION, blocking GPTBot doesn't claw it back. ai.txt (and the IETF AI Preferences successor) is the policy-layer signal that says `even if you ingested this, don't train on it`. Honored by Spawning's data-diligence pipeline and a growing list of ML training shops.
Publishers who care about how their content is used in AI training, not just whether it's crawled.
If you're a public-sector body or a private org with 50+ employees in Ontario, your website has to meet WCAG 2.0 AA — and you have to file a compliance report.
Ontario's 2005 act, operationalized through the Integrated Accessibility Standards Regulation (IASR, O. Reg. 191/11). The information-and-communications standard requires WCAG 2.0 Level AA conformance for new and significantly refreshed public websites and web content.
AODA is one of the few accessibility regimes with both proactive reporting *and* active enforcement — the Ministry has issued tens of thousands of director's orders and monetary penalties. Public-sector and large-private compliance is verified, not assumed.
Public-sector organizations of any size and private/nonprofit organizations with 50+ employees operating in Ontario.
Preserves DKIM/SPF authentication results when mail is forwarded through mailing lists or alias services. The fix for `forwarder breakage`.
Authenticated Received Chain — RFC 8617 (Experimental). An intermediary (mailing list, alias forwarder, security gateway) signs three header fields — ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal — capturing the auth state it observed. The next hop verifies the chain instead of re-running SPF/DKIM against a forwarder.
Forwarding rewrites headers and strips DKIM body alignment, so legitimate mail through alumni aliases, university lists, or corporate forwarding lands in spam under DMARC `p=reject`. ARC lets receivers trust the original verdict if a known intermediary sealed it.
Domains operating mailing lists, forwarders, or security gateways — and anyone whose users heavily forward mail.
Not a regulation — a pattern library. When you're building a custom widget (combobox, tree, dialog), this is the reference for getting the ARIA semantics and keyboard interactions right.
The W3C WAI-ARIA Authoring Practices Guide. Documents recommended ARIA roles, states, and keyboard patterns for ~30 common UI components — accordion, combobox, dialog, listbox, tree, tabs, etc. Examples include sample HTML and tested screen-reader behavior.
WCAG tells you *what* to achieve; APG tells you *how*. If you're shipping custom interactive components and you don't follow APG patterns, your ARIA is almost certainly wrong — and "wrong ARIA" is worse than no ARIA at all because it actively misleads assistive tech.
Reference standard for any team building custom interactive components or design-system primitives.
Your logo next to your email in inboxes that support it. Requires DMARC enforcement and (for Gmail/Apple Mail) a Verified Mark Certificate.
Brand Indicators for Message Identification. A DNS record pointing to an SVG-Tiny logo, optionally backed by a VMC (Verified Mark Certificate) issued by a trusted CA after trademark verification.
Visible-logo branding lifts open rates 10–20% and builds anti-phishing trust. Gmail and Apple Mail enforce VMC; Yahoo and Fastmail accept self-asserted records.
Optional but high-leverage for email-driven businesses.
Germany's federal accessibility regulation. Mandates WCAG 2.1 AA (via EN 301 549) for federal public-sector websites, intranets, and mobile apps.
Germany's Barrier-Free Information Technology Ordinance 2.0, transposing EU Directive 2016/2102 and the EAA into federal law. References EN 301 549 — which itself wraps WCAG 2.1 AA — as the technical conformance target.
BITV 2.0 is enforced by the Federal Anti-Discrimination Agency and the Bundesfachstelle für Barrierefreiheit. Public bodies that don't publish accessibility statements or remediate reported barriers face procedural sanctions and reputational risk.
German federal public-sector websites, mobile apps, intranets, and extranets.
Replaces the URL line in Google results with a clean breadcrumb path. Higher click-through, better mobile UX, and one of the few rich-result types Google still ships.
schema.org BreadcrumbList — a typed `ItemList` whose `itemListElement` is an ordered chain of `ListItem` entries (position, name, item URL). Embedded as JSON-LD; Google parses it to render the breadcrumb trail in SERP listings.
When Google shows breadcrumbs instead of the raw URL, mobile click-through measurably lifts. Breadcrumb schema is one of a shrinking set of rich-result types still supported (FAQ and HowTo lost theirs in 2023–24), so the surface area for visible structured-data wins is narrowing.
Any site with a content hierarchy more than two levels deep.
The de-facto standard for marketing mail since February 2024. SPF + DKIM + DMARC, RFC 8058 one-click unsubscribe, and a spam-complaint rate under 0.30%. Miss any of these and Gmail / Yahoo throttle or reject.
A coordinated set of inbox-provider requirements rolled out by Gmail and Yahoo in February 2024 (Apple and Microsoft followed in spirit). Three pillars: (1) full sender authentication — SPF + DKIM, with an aligned DMARC policy of at least `p=none`; (2) RFC 8058 List-Unsubscribe one-click headers on marketing mail; (3) a spam-complaint rate kept under 0.30%, ideally below 0.10%.
Gmail and Yahoo together gate the majority of consumer inboxes. Non-compliant bulk mail (>5K/day) gets quietly delivered to spam or rejected; the bar isn't optional. Most ESPs (Mailchimp, SendGrid, Klaviyo) handle the auth setup, but keeping under the complaint-rate ceiling is the sender's responsibility.
Anyone sending more than 5,000 messages/day to Gmail or Yahoo addresses — most marketing senders.
Cryptographic provenance manifests embedded in image, video, and audio files — `who made this, with what tools, edited how`. Adobe, Microsoft, BBC, and the major camera makers ship it.
C2PA — Coalition for Content Provenance and Authenticity. Defines a binary manifest format embedded in media files containing signed assertions: capture device, edit history, AI involvement, publisher identity. Backed by Adobe, Microsoft, Intel, BBC, Sony, Nikon, Leica, and OpenAI; specification version 2.1 published September 2024.
Provenance is the new credibility signal in an AI-generated content world. Major newsrooms (BBC, NYT) and platforms (LinkedIn, TikTok via experiments) verify C2PA manifests; OpenAI signs DALL·E and Sora outputs. Sites publishing original photography or video gain a verifiable `not AI-generated` signal — and a defense against takedown disputes.
Publishers, photographers, video producers, and any site whose authenticity matters for trust or compliance.
Tells the world which certificate authorities are allowed to issue certificates for your domain. Stops rogue CA issuance dead.
Certification Authority Authorization — a DNS record that whitelists which CAs may issue certificates for the domain. Public CAs are required by the CA/Browser Forum to honour it.
Prevents a compromised or misconfigured CA from issuing a valid cert for your domain. One DNS record, large attack-surface reduction.
Every domain with HTTPS.
Tell search engines which URL is the `real` version when the same content lives at multiple paths. Without it, ranking signals split across duplicates and nothing ranks well.
URL canonicalization — RFC 6596 standardizes the `canonical` link relation, and Google's documentation defines the broader signal set (rel=canonical HTML element, HTTP `Link: rel="canonical"` header, sitemap entries, redirects, internal linking). Each is a hint Google reconciles into one canonical URL per cluster.
Without an explicit canonical, Google guesses — often wrong. Pagination, tracking parameters, mobile/desktop variants, and HTTPS-vs-HTTP all generate near-duplicates that dilute PageRank and confuse analytics. The fix is one tag per page; the upside is concentrated ranking signal.
Every public site — but especially e-commerce, paginated archives, and multi-region sites.
California's privacy law. The visible signal is the 'Do Not Sell or Share My Personal Information' link in your footer.
The California Consumer Privacy Act (2018), amended by the California Privacy Rights Act (effective 2023). Grants California residents rights over their personal data, including the right to know, delete, correct, and opt out of sale or sharing.
The CPPA actively investigates and fines non-compliant sites. The 'Do Not Sell or Share' link and a complete privacy policy are the cheapest insurance against an enforcement action.
California residents — but most sites with U.S. traffic encounter California users, so default to applying it.
Compress HTML, CSS, JS, and JSON over the wire. Brotli beats gzip; gzip beats nothing.
Content-encoding negotiation: server compresses text payloads, client decompresses. Brotli (RFC 7932) achieves 15–25% better ratios than gzip for HTML and CSS.
First-byte and full-page-load times depend heavily on payload size. Compression is one config flag away on every CDN and origin server.
Every HTTP response with text content.
If you set non-essential cookies before the user explicitly opts in, you're failing the standard most regulators now enforce.
The ePrivacy Directive (the 'cookie law') predates GDPR but still governs cookie behaviour in the EU. The combined GDPR+ePrivacy regime is what regulators actually enforce: prior consent, granular categories, easy refusal. The proposed ePrivacy Regulation that would have replaced it was withdrawn by the European Commission in 2025, so the 2002 Directive remains the operative law.
European DPAs have ramped up enforcement against dark-pattern banners and silent tracking. Even outside the EU, a clean consent layer is becoming the baseline trust expectation.
Any site with EU traffic, plus increasingly any site claiming to respect user privacy.
If your site is directed at U.S. children under 13 — or you knowingly collect from them — you need verifiable parental consent before any data collection. The 2025 amendments tightened this further around third-party advertising.
The Children's Online Privacy Protection Rule, enforced by the FTC since 2000 and substantially updated in early 2025. Requires operators of child-directed services (or those with actual knowledge of users under 13) to post a clear privacy policy, provide notice and obtain verifiable parental consent before collecting personal information, and now opt-in parental consent specifically for third-party advertising and data sharing.
FTC penalties are up to $51,744 per violation (per child) and the agency has shown it will pursue eight- and nine-figure settlements (TikTok, YouTube, Epic). The 2025 rule expands 'personal information' to cover biometric and government-issued identifiers.
U.S. sites directed at children under 13, and any general-audience site with actual knowledge it is collecting from children.
Colorado's CCPA-shaped privacy law, with a hard requirement to honour Universal Opt-Out Mechanisms like Global Privacy Control as of July 2024.
The Colorado Privacy Act, effective 1 July 2023. Grants Colorado residents access, deletion, correction, portability, and opt-out rights, plus opt-in consent for sensitive data. Crucially, Colorado was the first U.S. state to require recognition of Universal Opt-Out Mechanisms (UOOMs) — enforced as of 1 July 2024.
Civil penalties up to $20,000 per violation under the Colorado Consumer Protection Act. The UOOM requirement means a site must respect GPC and similar browser-level opt-out signals — not just a button in your footer.
Colorado residents — applies to controllers processing 100K+ Colorado consumers, or 25K+ where any revenue is derived from selling personal data.
Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
Cross-Origin-Opener-Policy isolates your top-level browsing context from cross-origin windows. Cross-Origin-Embedder-Policy requires every subresource to opt in. Cross-Origin-Resource-Policy lets a resource declare who may embed it. Set together, the page enters a 'cross-origin isolated' state.
Required if you use SharedArrayBuffer, performance.measureUserAgentSpecificMemory, or any precise timer. Beyond capability unlock, the trio defends against Spectre-class side channels and tab-to-tab attacks.
Sites using cross-origin isolated APIs, or hardening top-level pages against cross-window attacks.
The deployable CSP today. script-src, object-src, and base-uri are the three controls that actually stop XSS — the rest is optional.
Content Security Policy Level 3 — a Working Draft from the W3C Web Application Security Working Group. Defines a header that lets a site declare which sources the browser may fetch or execute. Strict CSP (nonces or hashes plus 'strict-dynamic') is the modern XSS mitigation pattern.
A correctly-configured CSP turns most XSS findings from 'critical' into 'no impact'. Wrong CSP — wildcards, 'unsafe-inline', no script-src — provides false comfort with no actual protection.
Every site rendering HTML — defense-in-depth against script injection.
Every publicly-trusted certificate must appear in append-only public logs. Chrome, Safari, and Edge enforce it — non-CT certs throw a hard browser error.
RFC 6962 (experimental) and RFC 9162 (CT 2.0 standards-track). A system of cryptographically-verifiable, append-only logs of every issued certificate. Browsers require certificates to ship with Signed Certificate Timestamps from multiple logs.
CT is how you (or your domain monitoring tool) catch certificates issued for your domain that you didn't authorise. Combined with CAA records, it closes the 'rogue CA issuance' attack at both the issuance and detection layers.
Every publicly-trusted certificate — automatic via your CA, but worth monitoring.
Connecticut's CCPA-shaped privacy law. Like Colorado, recognises Global Privacy Control as a valid opt-out signal — and the AG has been actively issuing cure notices since 2023.
The Connecticut Data Privacy Act, effective 1 July 2023. Grants access, correction, deletion, portability, and opt-out rights, with opt-in consent for sensitive data and a UOOM recognition requirement (effective January 2025). Enforced by the Connecticut AG.
Civil penalties up to $5,000 per wilful violation under the Connecticut Unfair Trade Practices Act. The Connecticut AG has used its cure-notice power proactively against high-profile sites — privacy compliance posture is a near-term enforcement risk, not a theoretical one.
Connecticut residents — applies to controllers processing 100K+ Connecticut consumers, or 25K+ where 25%+ of revenue is from selling personal data.
If your site embeds video — especially anything previously broadcast on TV — closed captions are required. CVAA also covers advanced communications services (VoIP, video chat, messaging).
A 2010 U.S. law amending the Communications Act to extend disability-access requirements to internet-based communications and video. The FCC's implementing rules require closed captioning of internet-delivered video that previously aired on U.S. TV, and accessibility for advanced communications services (real-time text, VoIP, video conferencing).
Distinct from WCAG: CVAA targets media and communications specifically. Streaming services, video platforms, and any site embedding previously-broadcast clips face FCC enforcement — including fines up to $100K/day per violation.
U.S.-facing services that distribute video previously aired on TV, or that provide advanced communications services (VoIP, video calls, messaging).
Google's three-metric performance bar: LCP, INP, CLS. Affects rankings and is the closest thing to a universal performance standard.
Largest Contentful Paint (LCP, ≤2.5s), Interaction to Next Paint (INP, ≤200ms), Cumulative Layout Shift (CLS, ≤0.1). Measured in field data via the Chrome User Experience Report (CrUX).
Google uses CWV as a ranking signal. More importantly, sites that pass CWV have lower bounce and higher conversion — the metrics correlate with revenue, not just SEO.
Every public-facing site that wants Google traffic or conversions.
DNSSEC-anchored TLSA records that pin the certificate your mail server presents. The other (older, stricter) path to authenticated mail-in-transit alongside MTA-STS.
RFC 7672 + RFC 7671. DNS-Based Authentication of Named Entities for SMTP — DNSSEC-signed TLSA records that bind a hostname to a specific certificate or public key. A receiving MTA refuses to deliver if the pin doesn't match.
Closes the same downgrade gap as MTA-STS but with stronger guarantees — provided you have DNSSEC. Major European ISPs (Deutsche Telekom, Comcast inbound) and government MTAs require it; large mail providers (Google, Microsoft) treat it as a stronger signal than MTA-STS alone.
Domains with DNSSEC that send or receive mail with high-trust counterparties (gov, EU, finance).
Cryptographically signs outbound mail so receivers can verify the sender wasn't spoofed mid-flight. The other half of DMARC.
DomainKeys Identified Mail — RFC 6376. The sending server signs each message with a private key; the receiving server fetches the public key from DNS and verifies the signature.
DKIM survives forwarding (SPF doesn't), so it's the more reliable alignment path for DMARC. Most ESPs (Google Workspace, Microsoft 365, Mailchimp, SendGrid) handle the key management — site owners just have to publish the DNS record.
Every domain that sends email.
DKIM keys aren't fire-and-forget. Rotate at least annually, retire old selectors, and use 2048-bit RSA. The mechanics are spelled out in RFC 6376 §3.1.
Operational practice for DKIM keys — RFC 6376 §3.1 explicitly designs `selector` to enable seamless rotation: publish a new selector, switch signing to it, leave the old selector in DNS until in-flight mail clears, then remove. M3AAWG and major ESPs recommend rotation at least annually with a 2048-bit minimum key length.
Static keys accumulate exposure: if a single host is compromised the attacker can sign mail as your domain indefinitely. Gmail's bulk-sender requirements call for 1024-bit minimum; 2048-bit is the practical baseline in 2026. Rotation also forces verification that signing is actually working.
Every domain that signs outbound mail with DKIM.
Without DMARC enforcement, anyone can send mail that looks like it's from your domain. Apple, Google, Microsoft, and Yahoo now require it for bulk senders.
Domain-based Message Authentication, Reporting & Conformance — RFC 7489. Tells receiving mail servers how to handle mail that fails SPF or DKIM checks (none/quarantine/reject) and where to send aggregate reports.
As of February 2024, Gmail and Yahoo require DMARC for senders pushing 5K+ messages/day. A `p=none` policy is data-collection only — `quarantine` or `reject` is real enforcement.
Every domain that sends email — and every domain that doesn't (to prevent spoofing).
Per-message forensic reports for DMARC failures — distinct from the daily aggregate (rua=) feed. Useful for live debugging; rare in practice because of privacy concerns.
DMARC Failure (forensic) Reporting — RFC 7489 §7.3. The `ruf=` tag on a DMARC record requests redacted copies of individual messages that fail authentication, formatted per the Authentication Failure Reporting Format (AFRF, RFC 6591).
RUF gives per-message visibility — what header the spoofer used, what selector failed — that aggregate reports flatten away. Most major receivers (Gmail, Microsoft) have stopped sending RUF for privacy reasons, so coverage is thin; useful when investigating a specific incident, less so as ongoing telemetry.
Senders investigating active spoofing campaigns or running mature email-security operations.
Cryptographically signs your DNS records so resolvers can detect tampering. Underused — but increasingly expected for finance, gov, and email.
Domain Name System Security Extensions. A chain of cryptographic signatures from the root zone down to your domain that lets resolvers detect cache poisoning, MITM, and registrar-level hijacks.
DNSSEC + DANE is the only way to fully secure SMTP-in-transit without trusting the public CA system. .gov mandates it; major banks deploy it.
High-trust domains — gov, finance, healthcare, email at scale.
As of June 2025, e-commerce, banking, transport, and digital services in the EU must meet WCAG 2.1 AA — or pay fines that escalate per member state.
EU directive that took full effect on 28 June 2025. Requires accessibility for products and services placed on the EU market — websites, mobile apps, e-readers, banking, e-commerce, ATMs, ticketing. Effectively mandates WCAG 2.1 AA for digital surfaces.
Member states enforce individually with fines ranging from a few thousand euros to revenue-percentage penalties. Selling into the EU without EAA conformance is now a regulatory risk, not just a UX one.
Applies to e-commerce, banking, ICT, transport-ticketing, and digital services in the EU as of June 2025.
The proposed regulation that would have replaced the 2002 ePrivacy Directive. After eight years stuck in negotiation, the European Commission formally withdrew the proposal in 2025 — so the old Directive (and the cookie-consent baseline it underpins) remains the operative law.
Regulation on Privacy and Electronic Communications, COM(2017) 10 final. Proposed in January 2017 to modernise the 2002 ePrivacy Directive, harmonise cookie/consent rules, and extend the regime to over-the-top messaging and IoT communications. The European Commission's 2025 Work Programme announced its withdrawal on 11 February 2025; the Commission formally approved the withdrawal on 16 July 2025 and published it in the Official Journal on 6 October 2025.
Site owners spent eight years preparing for an ePrivacy Regulation that never arrived. The practical effect is no change: GDPR plus the existing 2002 ePrivacy Directive (as transposed by each member state) remain the binding framework for cookies, consent, and electronic communications. Any 'ePrivacy Regulation compliance' tooling sold between 2017 and 2025 is now obsolete.
Would have applied to providers of electronic communications services and websites with EU users — but the proposal was withdrawn before adoption.
The UK's ADA-equivalent. Service providers — including websites — must make "reasonable adjustments" for disabled users. WCAG AA is the de-facto evidence that you have.
The 2010 Act consolidates UK anti-discrimination law and imposes a duty on service providers to make "reasonable adjustments" to remove barriers for disabled people. The Act doesn't cite WCAG directly, but EHRC guidance and case law point to WCAG 2.1/2.2 AA as the operative web benchmark.
The Act applies to *any* organization providing services to the UK public, not just public sector. Disabled users can pursue claims in the County Court for breach of the duty; settlements and court orders for inaccessible commerce sites are increasingly common.
Any organization providing services to the UK public — including online services, e-commerce, and SaaS.
Schema is still valid; rich results aren't. Google removed HowTo rich results in late 2023 and restricted FAQ rich results to government / health sites in mid-2023. Mark up if it helps AI search; don't expect SERP enhancements.
schema.org `FAQPage` and `HowTo` types — JSON-LD structured data describing Q&A or step-by-step content. Both were Google rich-result types until 2023: HowTo rich results were fully removed in September 2023; FAQ rich results were restricted to `well-known, authoritative websites that are government-focused or health-focused`.
The schema is still parsed by ChatGPT, Perplexity, and Bing, and still helps with knowledge-graph signals — so adding it isn't wasted. But anyone running a 2022-era SEO checklist expecting FAQ stars in Google SERPs is shipping markup for a feature that no longer exists. Calibrate expectations.
Sites with substantial Q&A or instructional content — gov / health for FAQ rich results, others for general AI/structured-data signal.
Per-IP and per-domain complaint reports from major mailbox providers. The only direct signal that recipients are flagging your mail as spam — register or fly blind.
Industry-shared complaint reporting: Yahoo's Complaint Feedback Loop, Microsoft's SNDS + Junk Mail Reporting Program (JMRP), Google's Postmaster Tools, Comcast's FBL, etc. Each ships an ARF-formatted (RFC 5965) report when a recipient hits `Mark as Spam`, scoped to the IP or DKIM domain that signed up.
The bulk-sender requirements set a 0.30% complaint-rate ceiling but don't tell you when you cross it. FBLs and Postmaster Tools are the feedback channel — the difference between fixing a bad list segment in a day vs. a quarter of degraded deliverability.
Any sender pushing meaningful volume to Yahoo, Microsoft, or Google inboxes.
One CSS line — `font-display: swap` — eliminates the invisible-text flash while web fonts load. Free LCP win on every text-heavy page.
The `font-display` descriptor in `@font-face`, defined in CSS Fonts Module Level 4. Five values — `auto`, `block`, `swap`, `fallback`, `optional` — control how the browser handles the period between font request and font ready. `swap` shows fallback text immediately and replaces it once the web font loads.
Default browser behaviour blocks text rendering for up to 3 seconds while a web font downloads — that's a Flash of Invisible Text (FOIT) and it tanks LCP, especially on slow connections. `swap` flips the trade-off: text is visible from frame one. The fix is one line per @font-face rule.
Every site loading custom web fonts.
If a single EU resident can see your site, GDPR can apply. Cookie consent, a real privacy policy, and not silently tracking by default are the visible signs of compliance.
The General Data Protection Regulation, in force since May 2018. Governs how organisations process personal data of EU residents — lawful basis, consent, data subject rights, breach notification. Extraterritorial: EU residency of the data subject is what matters, not where the company is.
Maximum fines reach 4% of global annual revenue. Beyond fines, GDPR shapes user expectations everywhere — clear consent and a real privacy policy are now baseline trust signals globally.
Applies wherever EU residents' personal data is processed — effectively any site with EU traffic that uses analytics or tracking.
Exactly one H1 per page, descending hierarchy, no skipping levels. The cheapest SEO and accessibility check that exists.
HTML heading elements (h1–h6) used to convey document structure. The Living Standard expects a single h1 per page and a logical descending hierarchy.
Search engines weight h1 heavily for page topicality. Screen readers use the heading tree to navigate. Failing this is rarely a render bug — it's almost always a CMS misconfig.
Every public-facing HTML page.
If your site collects, displays, or transmits protected health information, HIPAA applies. A privacy policy plus an explicit Notice of Privacy Practices and a clear consent flow are the minimum visible signals.
The Health Insurance Portability and Accountability Act, with rules administered by HHS. The Privacy Rule (45 CFR Part 164 Subpart E) governs how covered entities and business associates may use and disclose protected health information (PHI); the Security Rule covers the technical safeguards for electronic PHI.
OCR penalties run from $100 to $50,000 per violation, capped at $2M+ per identical-violation type per year, and willful neglect can pile on criminal liability. Any patient portal, telehealth flow, intake form, or third-party tracking pixel that touches PHI is a HIPAA exposure.
U.S. healthcare providers, health plans, clearinghouses, and their business associates — anyone whose site touches protected health information.
Tell Google which language and region each version of your page targets. Mistakes here are the #1 reason multi-language sites underperform — wrong country, wrong content, wrong inventory.
`<link rel="alternate" hreflang="...">` (or HTTP header / sitemap equivalents) declaring localized variants. Each variant must list itself and every sibling — bidirectional, fully-qualified URLs, ISO 639-1 language + ISO 3166-1 region codes, plus an `x-default` for unmatched users.
Without hreflang, a US shopper might see the UK site (wrong currency, no inventory, unfamiliar spelling). Google then ranks the wrong locale in each market and conversion craters. There's no de-jure spec — Google's documentation is the de-facto standard, and the validators all check it.
Multi-language or multi-region sites — anyone serving distinct content per locale.
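A small checker for the reciprocity rules described above, added here as an example (it is not the page's own validator or any vendor's tool). The cluster it inspects is constructed: three locale pages plus an `x-default`, with the de-DE page deliberately omitting its en-US sibling so the checker has something to report. The language/region pattern is a simplification that covers the ISO 639-1 + ISO 3166-1 form the text describes and ignores script subtags.

```python
"""Check a cluster of localized pages against the hreflang rules:
every variant lists itself and every sibling (bidirectional), hrefs are
fully-qualified URLs, codes are ISO 639-1 language with an optional
ISO 3166-1 region, and an x-default is present.

Added example; the URLs below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed cluster. de-DE "forgets" its en-US sibling on purpose.
SAMPLE_CLUSTER = {
    "https://example.com/en-us/": {
        "en-US": "https://example.com/en-us/",
        "en-GB": "https://example.com/en-gb/",
        "de-DE": "https://example.com/de-de/",
        "x-default": "https://example.com/",
    },
    "https://example.com/en-gb/": {
        "en-US": "https://example.com/en-us/",
        "en-GB": "https://example.com/en-gb/",
        "de-DE": "https://example.com/de-de/",
        "x-default": "https://example.com/",
    },
    "https://example.com/de-de/": {
        "en-GB": "https://example.com/en-gb/",
        "de-DE": "https://example.com/de-de/",
        "x-default": "https://example.com/",
    },
}

# Simplification: real hreflang also allows script subtags (e.g. zh-Hant);
# this pattern covers the language + optional region form discussed above.
HREFLANG_RE = re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")


def check_cluster(cluster):
    """Return a list of problems; an empty list means the cluster is consistent."""
    problems = []
    for page, links in cluster.items():
        listed = set(links.values())
        if page not in listed:
            problems.append(f"{page}: missing self-referencing hreflang")
        if "x-default" not in links:
            problems.append(f"{page}: missing x-default")
        # Every other page in the cluster must be listed on this page ...
        for sibling in cluster:
            if sibling != page and sibling not in listed:
                problems.append(f"{page}: does not list sibling {sibling}")
        for tag, href in links.items():
            if tag != "x-default" and not HREFLANG_RE.match(tag):
                problems.append(f"{page}: invalid hreflang code {tag!r}")
            parsed = urlparse(href)
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                problems.append(f"{page}: hreflang {tag} is not fully-qualified: {href}")
            # ... and every page listed here must link back (bidirectional).
            if href in cluster and page not in cluster[href].values():
                problems.append(f"{page}: {href} does not link back")
    return problems


if __name__ == "__main__":
    for problem in check_cluster(SAMPLE_CLUSTER):
        print(problem)
```

Run against the sample it reports two problems, one from each side of the broken pair: the de-DE page does not list en-US, and from en-US's point of view de-DE does not link back. Fixing the de-DE page's annotations makes the report empty.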
One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
Strict-Transport-Security — RFC 6797. A response header that pins the browser to HTTPS for max-age seconds, with optional includeSubDomains and preload tokens.
Without HSTS, a single MITM during a cleartext request is enough to strip TLS for a session. With HSTS, the browser refuses to downgrade. The base header is risk-free to deploy with a short max-age while you verify.
Every HTTPS site — the base header is safe, preload is the irreversible commitment.
Hardcodes 'always HTTPS' for your domain into every major browser. The strongest possible HSTS posture.
A list maintained by Chromium and adopted by Firefox, Safari, Edge, and Opera. Domains on it are always loaded over HTTPS — no first-visit downgrade window.
Eliminates the trust-on-first-use gap in vanilla HSTS. Required for finance, healthcare, and any site where a single MITM at first visit is unacceptable.
Sites that have committed to HTTPS-only forever (preload removal can take months).
Multiplexed connections, header compression, server push. Free performance upgrade on every major CDN.
Binary, multiplexed successor to HTTP/1.1. One TCP connection carries many parallel streams; headers are compressed via HPACK.
Cuts page load time noticeably on multi-asset pages. Every modern CDN (Cloudflare, Fastly, CloudFront, Akamai) supports it by default — there's no excuse for not having it.
Every public site.
QUIC-over-UDP transport. Faster handshakes and resilience to packet loss on flaky networks. Increasingly standard at the CDN layer.
HTTP semantics over QUIC, which is built on UDP rather than TCP. Eliminates head-of-line blocking, recovers faster from packet loss, and combines TLS handshake into transport setup.
Real-world wins on mobile, lossy networks, and high-latency users. Cloudflare, Fastly, and CloudFront support it with a single toggle.
Sites with mobile-heavy or international audiences.
Replaced FID as a Core Web Vital in March 2024. Measures responsiveness across the full page lifecycle — clicks, taps, key presses — not just the first interaction. ≤200ms is the bar.
Interaction to Next Paint — measures the time from a user input (click, tap, key press) to the next visual update, across every interaction on the page. Reported as the worst (or near-worst, after outlier filtering) interaction during the visit. Promoted from experimental to stable Core Web Vital on 12 March 2024, replacing First Input Delay.
FID only measured the first interaction's input delay; it under-counted laggy SPAs and over-credited static pages. INP catches the post-hydration jank, the third-party tag-fired-on-click stalls, and the long render tasks that make a site feel sluggish. The 200ms `good` threshold is achievable with disciplined JS — but bloated React apps without code-splitting routinely exceed 500ms.
Every interactive site — i.e. every site.
Israel's adoption of WCAG 2.0 AA, made binding for nearly every commercial website serving Israeli users by Equal Rights of Persons with Disabilities Regulations.
IS 5568 — Israeli Standard 5568, a near-direct translation of WCAG 2.0 AA. Made legally enforceable by the 2013 Equal Rights of Persons with Disabilities (Service Accessibility Adjustments) Regulations, which require conformance from any business with an online presence serving Israeli consumers.
Israel is one of the most aggressive enforcement environments globally. The Commission for Equal Rights of Persons with Disabilities issues compliance orders; private claimants can sue for statutory damages without proof of actual harm. Settlements regularly exceed ₪50,000.
All public agencies and any business serving Israeli consumers via a website.
International gold standard for an Information Security Management System. The 2022 revision restructures the Annex A controls to align with ISO 27002:2022.
ISO/IEC 27001:2022 — the international standard specifying requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Certification is by accredited third-party auditors.
European and APAC enterprise buyers often prefer ISO 27001 to SOC 2; many regulated industries (finance, healthcare) require it. Achieving it once and maintaining surveillance audits is cheaper than answering bespoke questionnaires forever.
Organizations selling to European or international enterprise buyers, or operating in regulated industries.
Japan's national web accessibility standard. Identical in substance to WCAG 2.0 — public-sector sites are expected to conform, private sector encouraged.
JIS X 8341-3:2016 is the Japanese Industrial Standard for web content accessibility, technically equivalent to ISO/IEC 40500:2012 (WCAG 2.0). The Web Accessibility Infrastructure Committee (WAIC) maintains the testing methodology and conformance reports.
The Ministry of Internal Affairs and Communications recommends that public-sector websites comply with JIS X 8341-3 at the AA level. While not strictly binding on the private sector, it's the de facto procurement and audit benchmark for any Japanese-facing digital service.
Japan — required for national and local government public-facing websites; recommended for the private sector.
South Korea's localization of WCAG. Public and private sites alike must conform under the Anti-Discrimination Against and Remedies for Persons with Disabilities Act.
KWCAG 2.2 — the Korean national web accessibility guideline maintained by the Telecommunications Technology Association (TTA). Closely aligned with WCAG 2.2 with Korea-specific success criteria (Korean text rendering, mobile UX). Enforced under the broader Disability Discrimination Act of 2008.
Unlike most regulators, Korea applies accessibility duties to *both* public and private organizations of any size. Non-compliance can trigger civil suits and Ministry-issued remediation orders — and Korean courts have ruled against major platforms over inaccessible web content.
All public and private organizations operating websites accessible from South Korea.
Quebec's modernised privacy law — stricter than PIPEDA and the rest of Canada. Mandatory privacy officer, granular consent, data portability, and a right to algorithmic transparency.
An Act to modernize legislative provisions as regards the protection of personal information (formerly Bill 64, now Law 25), enacted 2021 with rolling effective dates through September 2024. Substantially overhauls the Quebec private-sector privacy statute (Act respecting the protection of personal information in the private sector, P-39.1). Adds GDPR-style data subject rights, mandatory privacy officer, privacy impact assessments, and transparency obligations for automated decision-making.
Penalties reach the greater of C$25M or 4% of worldwide turnover — the highest penalty ceiling of any Canadian privacy law and on par with GDPR. Quebec is a substantially-similar jurisdiction that displaces PIPEDA locally; if you serve Quebec residents you can't piggyback on a federal privacy stack alone.
Quebec residents specifically — Law 25 displaces PIPEDA in Quebec for private-sector commercial activity.
Time until the largest above-fold element renders — usually the hero image or H1. ≤2.5s at the 75th percentile is the `good` threshold; >4s is poor.
Largest Contentful Paint — measures when the largest image, video poster, or block-level text element in the viewport finishes rendering. The reference Core Web Vital for perceived load speed. Field data preferred (CrUX); `lab` data via Lighthouse is a fallback that doesn't capture real-network variance.
LCP correlates with bounce rate more cleanly than any other metric. The usual culprits — unoptimized hero images, render-blocking CSS, late-injected fonts, slow TTFB — are all fixable, and almost every fix has a 1:1 conversion-rate impact on commerce sites.
Every public-facing site.
Brazil's GDPR analogue. If you serve Brazilian residents, treat it like GDPR-lite: lawful basis, consent for cookies, a real privacy policy, and ANPD-shaped data subject rights.
The Lei Geral de Proteção de Dados Pessoais, enacted 2018 and in force since 2020. Closely modelled on GDPR — same lawful-basis structure, similar data subject rights, analogous extraterritorial reach. Enforced by the Autoridade Nacional de Proteção de Dados (ANPD), which gained sanctioning power in 2023.
Maximum fine is 2% of Brazilian revenue (capped at R$50M per violation). ANPD enforcement has accelerated since 2023 and Brazil is one of the largest LATAM markets — a GDPR-shaped consent and privacy-policy stack covers most LGPD obligations for free.
Brazilian residents — applies extraterritorially to sites processing their personal data regardless of where the operator is located.
Companion to llms.txt with the actual content inlined — `everything an LLM needs to answer about this site, in one fetch`. Anthropic, Cursor, and a growing list of dev-tool docs ship it.
A community convention pairing with llms.txt: where `/llms.txt` is a markdown index of URLs, `/llms-full.txt` (and the related `llms-ctx-full.txt` from Answer.AI's `llms_txt2ctx` tool) embeds the full content of those URLs into a single markdown file. Sized for direct paste into an LLM context window.
AI assistants pulling docs in real time burn tokens on multi-page navigation. A single llms-full.txt fetch gives them complete context in one round-trip — measurably better citations and fewer hallucinations on technical docs. Anthropic's docs publish one (https://docs.anthropic.com/llms-full.txt); Cursor, Vercel, and many dev-tool sites have followed. Lower priority than llms.txt itself, but increasingly expected for technical content.
Documentation sites and any content-heavy site that wants AI assistants to cite it accurately.
A plain-text manifest at /llms.txt that tells AI agents what your site is and where the canonical content lives. Early but rapidly adopting.
A markdown file at the well-known path /llms.txt that describes the site for LLM consumers — purpose, key sections, links to LLM-optimized content. Proposed by Answer.AI in 2024.
ChatGPT, Claude, and Perplexity-class tools are starting to honour llms.txt as the AI-equivalent of robots.txt + sitemap. Sites that ship it get cleaner citations.
Every site that wants to be cited well by AI assistants.
Forces inbound mail to your domain over TLS so an attacker can't downgrade the connection mid-flight. Pair it with TLS-RPT to find out when someone tries.
Mail Transfer Agent Strict Transport Security — RFC 8461. A policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt plus a `_mta-sts` DNS TXT record telling sending MTAs that mail to this domain must arrive over a TLS connection with a valid certificate.
Without MTA-STS a STARTTLS handshake can be silently stripped by anyone on the wire and your inbound mail goes plaintext. The policy is a one-time setup; the reporting half (TLS-RPT) tells you when an attempt failed.
Domains receiving email at scale, especially those handling sensitive correspondence.
Voluntary, US-government-blessed taxonomy for cybersecurity programs. The 2.0 revision (Feb 2024) added a 'Govern' function alongside the original Identify / Protect / Detect / Respond / Recover.
NIST CSF 2.0 — a free, voluntary framework organising cybersecurity outcomes into six Functions, 22 Categories, and 100+ Subcategories. Designed to be sector-agnostic; widely used by US federal agencies and contractors.
Useful as a cross-walk: most other frameworks (ISO 27001, SOC 2, CIS Controls) map to CSF. If you need to answer 'what's our security posture?' in board-level terms, CSF gives you the vocabulary.
US-based organizations, federal contractors, or anyone needing a cross-walk between security frameworks.
Tells the browser to trust your declared Content-Type instead of guessing. Stops 'I uploaded a JPG that was actually JavaScript' attacks dead.
A response header with a single value, 'nosniff'. Disables the browser's MIME-sniffing fallback so it executes scripts and styles only when the Content-Type genuinely says so.
User-uploaded content (images, attachments) can be crafted to look like an HTML or JS file to a browser sniffing the bytes. nosniff closes that hole. Should be set on every response, period.
Every HTTP response.
Oregon's CCPA-shaped privacy law. Distinctive for explicitly covering nonprofits (after a one-year delay) and for a specific right to know which third parties received your data.
The Oregon Consumer Privacy Act, effective 1 July 2024 (1 July 2025 for nonprofits). Grants Oregon residents access, correction, deletion, portability, and opt-out rights. Distinctive for its 'right to know specific third parties' that have received the consumer's data and its broad coverage of nonprofit entities.
Civil penalties up to $7,500 per violation. The Oregon DOJ has set up a dedicated Privacy Unit to enforce the OCPA — coverage of nonprofits and the third-party-recipient transparency requirement together create a compliance bar a step beyond CCPA.
Oregon residents — applies to controllers processing 100K+ Oregon consumers, or 25K+ where 25%+ of revenue is from selling personal data; nonprofits are included as of 1 July 2025.
Server attaches a fresh signed revocation status during the TLS handshake — so clients don't have to call out to the CA. Faster handshakes, better privacy.
RFC 6066 status_request extension. The TLS server fetches an OCSP response from its CA periodically and 'staples' it to the handshake. Clients verify the response without making a separate OCSP call to the CA.
Without stapling, the browser leaks the visited hostname to the CA on every cold connection — and may soft-fail revocation if OCSP is slow. Stapling fixes both. Combined with Must-Staple (RFC 7633), it becomes hard-fail.
Every HTTPS endpoint — usually a one-flag origin or CDN setting.
Without Open Graph and Twitter Card meta tags, your links unfurl as a sad blue underline. With them, they unfurl as a card with image, title, and description.
Two overlapping meta-tag conventions for telling social platforms how to render link previews. Open Graph (Meta) is the lingua franca; Twitter Cards is X's variant; LinkedIn, Slack, Discord, iMessage, and most others read both.
Click-through on shared links roughly doubles when previews render properly. The cost is six meta tags.
Every site whose links get shared anywhere.
Industry consensus on the ten most critical web application security risks. The 2025 edition is current; 2021 is superseded but still widely referenced.
The OWASP Top 10 is a regularly-updated list of the most critical security risks to web applications, derived from a community survey plus large-scale data analysis of vulnerability prevalence. Used as the de facto bar in penetration testing scopes and SDLC requirements.
Your AppSec program should provably address every Top 10 risk — broken access control, cryptographic failures, injection, insecure design, misconfiguration, vulnerable components, auth failures, integrity failures, logging gaps, SSRF. Most security questionnaires reference it directly.
Every web application — the Top 10 is the baseline, not the ceiling.
If you store, process, or transmit card data — directly or through an iframe — PCI DSS applies. v4.0 is mandatory; v3.2.1 retired in March 2024.
Payment Card Industry Data Security Standard, version 4.0.1. A contractually-binding standard from the PCI SSC (Visa, Mastercard, Amex, Discover, JCB) covering 12 requirement domains — network security, encryption, access control, monitoring, vendor management, and policy.
Failure to comply isn't a 'finding' — it's grounds for the card networks to fine your acquirer, who passes the cost (and a multiple) to you. Even pure-iframe checkouts (Stripe Elements, Braintree hosted fields) need SAQ A compliance.
Every site touching payment card data — including iframes and redirects to payment processors.
Locks down browser features — camera, mic, geolocation, payment, FLoC — so a compromised script can't quietly turn them on. Replaces the older Feature-Policy header.
Permissions-Policy is a response header (replacing Feature-Policy) that allow-lists which origins may use which browser features. Default is 'same-origin only' for most features, but tightening to `()` (an empty allowlist, i.e. no origin at all) is the safe deploy.
If you don't use the camera, you should not be granting third-party iframes or compromised scripts the right to ask for it. Costs nothing; closes a class of consent-bypass attacks.
Every site — the default-deny posture is one line of config.
Even if your server's private key leaks tomorrow, past traffic stays unreadable. Mandatory in TLS 1.3 — make sure your stack negotiates it.
Cipher suites using ephemeral Diffie-Hellman key exchange (ECDHE/DHE). Each session gets a unique key that's discarded after use, so a future key compromise can't decrypt captured past traffic.
Standard practice for any threat model that includes nation-state adversaries or long-lived data archives. TLS 1.3 enforces it; TLS 1.2 supports it but allows non-PFS suites unless explicitly configured.
Every HTTPS endpoint.
Canada's federal privacy law for commercial activity. Built around 10 fair information principles — meaningful consent, accountability, and the right to access your data.
The Personal Information Protection and Electronic Documents Act, in force since 2001. Governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Three provinces (BC, Alberta, Quebec) have substantially-similar laws that displace PIPEDA locally; PIPEDA still covers federal works, undertakings, and inter-provincial flows.
OPC has audit and investigation power and publishes findings. Reform proposals (CPPA / Bill C-27) have been introduced repeatedly — the modern bar is meaningful consent, breach reporting under PIPEDA's 2018 amendments, and a publicly-available privacy policy.
Commercial activity in Canada — federally regulated everywhere; private-sector everywhere except where a substantially-similar provincial law applies.
South Africa's GDPR analogue. Eight conditions for lawful processing, a real privacy notice, and an Information Officer registered with the Regulator.
The Protection of Personal Information Act, fully in force since 1 July 2021. Sets eight conditions for lawful processing of personal information, requires every responsible party to designate an Information Officer, and gives data subjects rights to access, correct, and delete their data. Enforced by the Information Regulator, which has been issuing enforcement notices since 2022.
Penalties run up to R10M and 10 years' imprisonment; administrative fines up to R10M per offence. South Africa is the largest African digital market and the Regulator has shown willingness to fine. A GDPR-shaped privacy stack mostly covers POPIA, plus the South-Africa-specific Information Officer registration.
South African residents — applies to any responsible party that is domiciled in South Africa or that processes personal information using means located there.
Australia's federal privacy law, anchored on the 13 Australian Privacy Principles. The 2024 reforms added a statutory tort for serious privacy invasions and direct OAIC penalty powers.
The Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles (APPs), administered by the OAIC. Applies to most Australian government agencies and to private-sector organisations with annual turnover above A$3M (plus all health-service providers regardless of size). The Privacy and Other Legislation Amendment Act 2024 (effective June 2025) added a statutory tort, infringement notices, and stronger transparency duties.
Maximum civil penalty is now A$50M, three times the benefit, or 30% of adjusted turnover — whichever is greatest. OAIC has been more active post-Optus and Medibank breaches. A clear privacy policy that addresses each APP is the baseline visible signal.
Australian residents — applies to APP entities (most organisations with >A$3M turnover) and to overseas businesses with an Australian link.
Controls what URL data leaks to other sites in the Referer header. Modern browsers default to strict-origin-when-cross-origin — match that as a baseline.
A response header (or per-element attribute) that controls how much of the source URL the browser sends in the Referer header on outbound navigations and subresource loads.
Default behaviour leaks full URLs — including query params and tokens — to every third-party request. Tightening this is one line of config and closes a real privacy gap.
Every site that ever sends an outbound request.
Tell the browser which connections, fonts, scripts, and next-pages it should warm up before they're strictly needed. Single-digit-percent LCP improvements per hint, multiplied across a page.
Four `<link rel=...>` types defined in the WHATWG HTML Living Standard (originally W3C Resource Hints, since folded in): `dns-prefetch` (resolve DNS), `preconnect` (DNS + TCP + TLS), `preload` (fetch a resource for the current navigation), `prefetch` (fetch a resource for the next navigation). Each is a different point on the eager-vs-speculative spectrum.
On a typical commerce page the critical-render path waits for hosts you know in advance — your CDN, Stripe, a font CDN, an analytics endpoint. A handful of `preconnect` hints saves ~100–500ms each because TLS handshakes happen in parallel rather than after HTML parse. `preload` for the LCP image is one of the highest-leverage CWV wins available.
Every site with third-party origins or a known above-fold critical asset.
France's official WCAG 2.1 AA conformance methodology. Required for public sector, and the legal compliance benchmark referenced by every French accessibility statement.
RGAA 4.1.2 — France's general accessibility improvement framework. Operationalizes WCAG 2.1 AA through 106 testable success criteria and a defined audit methodology. Required by Decree no. 2019-768 for public-sector websites, mobile apps, and intranets, and large private firms doing business in France.
France has actively fined non-compliant orgs — penalties of up to €25,000 per non-compliant service, renewable annually. Every public-facing French website is required to publish an accessibility statement citing its RGAA conformance level.
French public sector and large private organizations (>€250M revenue or operating digital services to the public in France).
Page-level indexing controls — `noindex`, `nofollow`, `nosnippet`, `max-image-preview`. Distinct from robots.txt, which only blocks crawling.
`<meta name="robots">` directives in the HTML head, plus the `X-Robots-Tag` HTTP response header (used for non-HTML files like PDFs or image responses). Both share the same vocabulary — `noindex`, `nofollow`, `noarchive`, `nosnippet`, `max-snippet`, `max-image-preview`, `max-video-preview`, `noimageindex`, etc.
Crawl-blocked URLs (robots.txt) can still appear in search results without snippets. Only `noindex` actually keeps a page out of the index — and many sites get this backwards, blocking crawl on URLs they want fully removed. X-Robots-Tag is the only way to deindex a PDF or image without removing the file.
Every site with internal pages, staging environments, or non-HTML assets that shouldn't be in search.
Tell crawlers what to index and what to skip. The most basic site-discoverability hygiene.
robots.txt (RFC 9309) controls crawler access at the host level; sitemap.xml (sitemaps.org) lists indexable URLs with metadata. Both live at well-known paths.
Without a sitemap, search engines have to discover every URL through links — slow and incomplete on large sites. Without robots.txt, you can't direct AI crawlers or block low-value paths.
Every public-facing site.
JSON-LD structured data tells search engines and AI assistants what your page is about. Without it, you're invisible to rich results, knowledge panels, and most AI citations.
A vocabulary of types (Organization, Article, Product, LocalBusiness, FAQPage, …) embedded as JSON-LD in the page head. Maintained by Schema.org under W3C governance.
Schema is the single highest-leverage SEO change for AI search era. ChatGPT, Perplexity, Gemini, and Google Knowledge Graph all parse it. No schema = no rich snippets and weak AI citation.
Every public-facing site that wants discoverability.
Google's umbrella ranking-and-eligibility guide — replaced the old `Webmaster Guidelines` in 2022. Three pillars: technical requirements, spam policies, and the helpful-content / E-E-A-T quality bar.
Google Search Essentials — Google's foundational guide for being eligible to appear in Search. Three sections: technical requirements (crawlable, indexable, Search-eligible URLs), spam policies (cloaking, doorway pages, link schemes, scaled content abuse), and key best practices including E-E-A-T (Experience, Expertise, Authoritativeness, Trust) and the helpful-content guidance.
This is the rule book. Violating spam policies is the fastest way to lose all organic traffic; failing technical requirements means you never had any. The E-E-A-T language is the closest Google publishes to actual ranking criteria for content quality — used heavily in YMYL (Your Money or Your Life) verticals like health, finance, and legal.
Every site that wants Google traffic.
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. The six headers every modern site should ship.
A baseline set of HTTP response headers that defend against common web attacks: protocol downgrade, clickjacking, MIME-sniffing, cross-site script injection, leaky referrers, and unwanted browser feature access.
Most of these headers are one-line config in your CDN or origin server. Missing them is the single biggest 'low-hanging fruit' finding in any security review.
Every site over HTTPS — which by 2026 is every site.
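An audit of one response's headers against the six-header baseline listed above, added as an example (it is not the product's own checker). Both header sets are constructed: a typical default origin and a hardened one. The HSTS check parses `max-age` per RFC 6797 and, as an assumption of this example, treats anything below one year as weak; `X-Frame-Options` is accepted as satisfied by a CSP `frame-ancestors` directive; the Referrer-Policy check applies the browser rule that the last recognised value in a comma-separated list wins.

```python
"""Audit a response's headers against the HSTS / CSP / X-Frame-Options /
X-Content-Type-Options / Referrer-Policy / Permissions-Policy baseline.
Added example; both responses below are constructed.
"""

KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that never send path or query string to a different origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value):
    """Parse Strict-Transport-Security directives (RFC 6797) into a dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True  # valueless token: includeSubDomains, preload
    return directives


def audit_headers(headers, min_hsts_age=31536000):
    """Return {header-name: finding} for each baseline header that is missing or weak."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        try:
            max_age = int(parse_hsts(hsts).get("max-age", -1))
        except ValueError:
            max_age = -1
        if max_age < min_hsts_age:
            findings["Strict-Transport-Security"] = f"max-age {max_age} below {min_hsts_age}"

    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings["Content-Security-Policy"] = "missing"

    # CSP frame-ancestors supersedes X-Frame-Options, so either one is acceptable.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings["X-Frame-Options"] = "missing (and no CSP frame-ancestors)"

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing or not 'nosniff'"

    # Referrer-Policy may be a comma-separated fallback list; browsers apply
    # the last value they recognise, so that is the effective policy.
    effective = ""
    for token in h.get("referrer-policy", "").split(","):
        token = token.strip().lower()
        if token in KNOWN_REFERRER_POLICIES:
            effective = token
    if effective not in SAFE_REFERRER_POLICIES:
        findings["Referrer-Policy"] = f"effective policy {effective or 'missing'} leaks full URLs cross-origin"

    if "permissions-policy" not in h:
        findings["Permissions-Policy"] = "missing"

    return findings


# Constructed sample responses.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(response) or "baseline complete")
```

The weak response gets five findings (only `nosniff` is right); the hardened one gets none even though it omits `X-Frame-Options`, because `frame-ancestors 'none'` covers clickjacking.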
A plain-text file at /.well-known/security.txt that tells researchers where to send vulnerability reports. Costs nothing; saves an inbound bug from getting routed to /dev/null.
RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure. A signed text file at /.well-known/security.txt declaring contact addresses, encryption keys, scope, and disclosure policy for security researchers.
Without a security.txt, a researcher who finds a bug has to guess at info@ or hello@ — and most reports never reach the right team. Five minutes of work captures inbound disclosures that would otherwise become public.
Every site — research disclosures arrive whether you invited them or not.
An auditor's report — not a checklist — covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II is the one enterprise buyers actually care about.
SOC 2 — Service Organization Control 2. An attestation report from a CPA firm assessing a service organization's controls against the AICPA Trust Services Criteria. Type I is point-in-time; Type II covers a 6–12 month observation window.
B2B SaaS deals above ~$50K ARR routinely require a current SOC 2 Type II in the security questionnaire. Without one, sales cycles stall and procurement piles on bespoke security reviews instead.
B2B SaaS, hosting, and any service organization holding customer data on behalf of enterprises.
Average time at which visible parts of the page are displayed, computed from a frame-by-frame video of the load. Captures `feels fast` better than any single milestone metric.
Speed Index — originally from WebPageTest, now also computed by Lighthouse. The tool records a video of the page load, computes per-frame visual completeness, and integrates over time. Lower is better; thresholds are mobile ≤3.4s green, desktop ≤1.3s green.
LCP captures one element; Speed Index captures the entire above-fold paint experience. Two pages with the same LCP can have very different Speed Index — the one that renders progressively (text first, image after) feels faster than the one that holds back. Useful as a tiebreaker when LCP is acceptable but `feel` isn't.
Sites optimizing perceived performance, not just numerical milestones.
Lists which servers are allowed to send mail as your domain. Half of DMARC; you need it.
Sender Policy Framework — RFC 7208. A DNS TXT record enumerating the IPs and hostnames authorized to send mail on behalf of the domain. Receiving servers check it against the connecting server's IP.
SPF is the cheapest, oldest piece of email auth. No SPF, no DMARC pass via SPF — meaning more legitimate mail lands in spam.
Every domain that sends email.
An SPF record that triggers more than 10 DNS lookups during evaluation returns `permerror` — meaning every receiver treats it as if you had no SPF at all. The fastest path to silently broken DMARC.
RFC 7208 §4.6.4 caps the count of `include`, `a`, `mx`, `ptr`, `exists`, and `redirect` terms that drive DNS queries at 10 per evaluation. Each `include:` to a third-party ESP can chain into many sub-lookups, and the budget is easy to blow past once a domain uses three or four senders.
Once over the limit, SPF returns `permerror` and DMARC alignment via SPF fails for every message — DKIM has to carry the entire DMARC pass alone. Most senders never notice until a Gmail postmaster report shows DMARC pass-rate collapsing.
Any domain whose SPF record uses three or more `include:` terms.
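Counting the budget the way RFC 7208 §4.6.4 describes, as an added example (not the page's own checker). It follows `include:` and `redirect=` recursively, counts each `include`, `a`, `mx`, `ptr` and `exists` term as one lookup, and stops on include loops. The records live in an in-memory table and every domain in it is constructed, so it runs offline; swap the `resolve` callable for a real TXT lookup to use it against live DNS.

```python
"""Count DNS-querying terms in an SPF record and flag records over the
RFC 7208 §4.6.4 limit of 10. Added example; FAKE_DNS is a constructed
in-memory zone and the domains are illustrative only.
"""
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed records: one domain using three ESPs, each with its own chain.
FAKE_DNS = {
    "shop.example": "v=spf1 mx a include:_spf.esp-one.example "
                    "include:_spf.esp-two.example include:_spf.crm.example ~all",
    "_spf.esp-one.example": "v=spf1 include:a.esp-one.example include:b.esp-one.example ~all",
    "a.esp-one.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.esp-one.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.esp-two.example": "v=spf1 a mx include:_spf2.esp-two.example ~all",
    "_spf2.esp-two.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a include:_spf.crm-cdn.example ~all",
    "_spf.crm-cdn.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def count_lookups(domain, resolve=FAKE_DNS.get, _ancestors=()):
    """Total DNS-querying terms reachable from this domain's SPF record."""
    if domain in _ancestors:          # include/redirect loop: stop counting
        return 0
    record = resolve(domain)
    if record is None:                # no record: nothing further to count here
        return 0
    chain = _ancestors + (domain,)
    total = 0
    for term in record.split()[1:]:   # skip the 'v=spf1' version tag
        term = term.lstrip("+-~?")    # the qualifier does not change the count
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], resolve, chain)
            continue
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], resolve, chain)
    return total


def evaluate(domain, resolve=FAKE_DNS.get):
    """Return ('permerror', n) when the record busts the budget, else ('ok', n)."""
    n = count_lookups(domain, resolve)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)


if __name__ == "__main__":
    print(evaluate("shop.example"))   # three ESP includes already push this to 12
```

The top-level record alone costs five lookups (`mx`, `a`, three `include:`), and the three ESP chains add another seven, for 12 in total; that is exactly the "three or four senders" failure mode described above, and none of the individual records looks wrong on its own.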
Cryptographic hash on every CDN-loaded `<script>` and `<link>`. If the file changes, the browser refuses to load it. Cheap defence against supply-chain compromise.
Subresource Integrity. The `integrity` attribute on `<script>` and `<link>` elements lets you pin a specific SHA-256/384/512 hash. The browser computes the hash of the fetched bytes and refuses to execute on mismatch.
When a CDN, npm package, or analytics vendor gets compromised, SRI is the difference between 'no impact' and 'every visitor ran attacker code'. Magecart-style supply-chain attacks are why this exists.
Any site loading scripts or stylesheets from a third-party CDN.
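Generating an integrity value and checking fetched bytes against it the way a browser does, as an added Python example that is not the scanner's own code; the script bytes, the tampered copy and the CDN URL are constructed.

```python
"""Generate and verify Subresource Integrity (SRI) attributes.

Added example, not the scanner's own code. The script bytes below are
constructed; a real deployment hashes the exact bytes the CDN serves.
"""
import base64
import hashlib

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # browsers use only the strongest listed

# Constructed stand-ins for a CDN-hosted script and a modified copy of it.
ORIGINAL_JS = b"window.widget = {init: function () { return 'ok'; }};\n"
TAMPERED_JS = ORIGINAL_JS + b"// one extra line is enough to change the digest\n"


def digest_b64(data: bytes, algo: str) -> str:
    """Base64 digest of data, the encoding SRI uses."""
    return base64.b64encode(ALGORITHMS[algo](data).digest()).decode("ascii")


def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Value for the integrity= attribute, e.g. 'sha384-<base64 digest>'."""
    return "%s-%s" % (algo, digest_b64(data, algo))


def parse_integrity(attr: str):
    """Parse a space-separated integrity attribute into [(algo, base64)].
    Tokens with an unknown algorithm are ignored, as browsers ignore them,
    and any '?options' suffix is dropped."""
    parsed = []
    for token in attr.split():
        token = token.split("?", 1)[0]
        algo, sep, value = token.partition("-")
        if sep and value and algo.lower() in ALGORITHMS:
            parsed.append((algo.lower(), value))
    return parsed


def integrity_matches(data: bytes, attr: str) -> bool:
    """Browser rule: consider only the strongest algorithm present and accept
    when any of those digests equals the digest of the fetched bytes.
    An attribute with no usable token imposes no constraint at all."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    return any(STRENGTH[algo] == strongest and digest_b64(data, algo) == expected
               for algo, expected in parsed)


def script_tag(src: str, data: bytes, algo: str = "sha384") -> str:
    """Emit the tag to paste into the page. crossorigin is required on
    cross-origin resources so the browser is allowed to read the body."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_value(data, algo)))


if __name__ == "__main__":
    print(script_tag("https://cdn.example/widget.js", ORIGINAL_JS))
    print("unchanged file loads:", integrity_matches(ORIGINAL_JS, sri_value(ORIGINAL_JS)))
    print("tampered file loads:", integrity_matches(TAMPERED_JS, sri_value(ORIGINAL_JS)))
```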
Certificate is current, not expiring soon, and chains to a trusted root. Failing this is a hard browser block.
The certificate served by the origin must be valid (not expired, not yet valid, properly chained, matching hostname) per the CA/Browser Forum Baseline Requirements.
Expired or invalid certs are a full outage in modern browsers. There's no grace period and no soft warning.
Every HTTPS endpoint.
Texas's CCPA-shaped privacy law. Notable for ditching the consumer-count threshold — almost any business doing business in Texas is in scope, except small businesses as defined by the SBA.
The Texas Data Privacy and Security Act, effective 1 July 2024. Grants Texas residents access, correction, deletion, portability, and opt-out rights, plus opt-in for sensitive data and recognition of Universal Opt-Out Mechanisms (effective 1 January 2025). Notable for replacing the consumer-count threshold with an SBA-small-business carve-out, making the scope significantly broader than Virginia's or Colorado's.
Civil penalties up to $7,500 per violation, with a 30-day cure period. The Texas AG has been one of the more visibly active state AGs on privacy, with public investigations of car-data collection and AdTech. Broader applicability than the other state laws — most commercial sites with U.S. traffic are in scope.
Texas residents — applies to anyone conducting business in Texas or producing products/services consumed by Texas residents that processes personal data and is not an SBA-defined small business.
Disable TLS 1.0 and 1.1. They've been deprecated since 2020. PCI-DSS requires it; everyone else should too.
TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446) are the supported transport-security versions. Older TLS 1.0/1.1 have known weaknesses and are formally deprecated.
Browsers throw warnings on TLS <1.2; some clients refuse outright. PCI-DSS 3.2 and major frameworks already mandate 1.2 minimum.
Every HTTPS endpoint.
The modern target, not the minimum. One round-trip handshake, mandatory forward secrecy, every weak cipher removed. If your stack supports it, prefer it.
RFC 8446 — Transport Layer Security 1.3. A ground-up redesign of the TLS handshake that removes static RSA key exchange, all non-AEAD ciphers, compression, and renegotiation. 1-RTT by default; 0-RTT for resumption.
Faster (one fewer round trip on first connection), safer (no insecure-by-default options to accidentally configure), and required for some compliance regimes (FedRAMP High, some PCI scopes). 1.2 stays as a fallback, but 1.3 should be negotiated whenever possible.
Every HTTPS endpoint — modern stacks support it; legacy stacks should be on the migration list.
The reporting half of MTA-STS / DANE. A daily JSON digest of every TLS handshake failure to your domain — the only way to know your inbound mail is being downgraded.
SMTP TLS Reporting — RFC 8460. A `_smtp._tls` DNS TXT record advertising a `mailto:` or `https:` endpoint that receives aggregate JSON reports of TLS negotiation failures and policy validation failures from sending MTAs.
Setting MTA-STS without TLS-RPT is flying blind. Reports surface expired certs, broken cipher suites, and MITM downgrade attempts before users complain. Trivial to enable; pays for itself the first time you catch a misconfig.
Every domain that publishes an MTA-STS or DANE policy.
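Parsing the `_smtp._tls` record and reducing one day's report to what an operator acts on, as an added Python example that is not the scanner's own code; the record and the RFC 8460 JSON report are constructed, and the sender, addresses and counts in it are hypothetical.

```python
"""Parse a TLS-RPT record and digest an RFC 8460 report.

Added example, not the scanner's own code. The DNS record and the JSON
report below are constructed; field names follow RFC 8460 section 4.
"""
import json
from collections import Counter
from typing import Dict, List


def parse_tlsrpt_record(txt: str) -> Dict[str, object]:
    """Parse the _smtp._tls TXT value, e.g. 'v=TLSRPTv1; rua=mailto:a@x'.
    Returns {'v': 'TLSRPTv1', 'rua': [uri, ...]} or raises ValueError."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field %r" % part)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "TLSRPTv1":
        raise ValueError("missing or unsupported version tag")
    ruas = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not ruas:
        raise ValueError("rua= (where reports are sent) is required")
    for uri in ruas:
        if not uri.startswith(("mailto:", "https:")):
            raise ValueError("rua must be mailto: or https:, got %r" % uri)
    return {"v": "TLSRPTv1", "rua": ruas}


# Constructed report from a hypothetical sending MTA: one policy, two failure types.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Hypothetical Sender Inc.",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2024-05-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mail.example.com", "max_age: 604800"],
                   "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mail.example.com", "receiving-ip": "203.0.113.25",
             "failed-session-count": 300},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mail.example.com", "receiving-ip": "203.0.113.25",
             "failed-session-count": 3}]}]})


def sts_mode(policy_string: List[str]) -> str:
    """Pull 'mode: enforce|testing|none' out of the echoed MTA-STS policy."""
    for line in policy_string:
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mode":
            return value.strip()
    return "unknown"


def digest_report(report_json: str) -> Dict[str, object]:
    """Reduce a report to failure rate, failure types, and whether the failed
    sessions were refused (enforce) or delivered anyway (testing)."""
    report = json.loads(report_json)
    out = {"reporter": report["organization-name"],
           "report_id": report["report-id"], "policies": []}
    for entry in report["policies"]:
        ok = entry["summary"]["total-successful-session-count"]
        failed = entry["summary"]["total-failure-session-count"]
        by_type: Counter = Counter()
        for detail in entry.get("failure-details", []):
            by_type[detail["result-type"]] += detail.get("failed-session-count", 0)
        mode = sts_mode(entry["policy"].get("policy-string", []))
        out["policies"].append({
            "domain": entry["policy"]["policy-domain"],
            "type": entry["policy"]["policy-type"],
            "mode": mode,
            "success": ok,
            "failure": failed,
            "failure_rate": failed / (ok + failed) if ok + failed else 0.0,
            "failures_by_type": dict(by_type),
            "top_failure": by_type.most_common(1)[0][0] if by_type else None,
            "impact": ("enforce: sender refused to deliver over failing sessions"
                       if mode == "enforce" and failed else
                       "delivered despite failures" if failed else "none"),
        })
    return out


if __name__ == "__main__":
    print(parse_tlsrpt_record("v=TLSRPTv1; rua=mailto:tls-reports@example.com"))
    print(json.dumps(digest_report(SAMPLE_REPORT), indent=2))
```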
Utah's CCPA-shaped privacy law, the most business-friendly of the bunch. Higher revenue threshold, no UOOM requirement (yet), and a permanent 30-day cure period.
The Utah Consumer Privacy Act, effective 31 December 2023. Grants Utah residents the right to access, delete, port, and opt out of sale and targeted advertising — a 2026 amendment (effective 1 July 2026) added a right to correct. Enforced by the Utah Division of Consumer Protection with the Utah AG litigating.
Civil penalties up to $7,500 per violation, but Utah's higher applicability threshold ($25M revenue plus volume tests) and permanent cure period make it the most forgiving of the state laws. Coverage tends to come for free if you're already CCPA-compliant.
Utah residents — applies to controllers with $25M+ annual revenue that process 100K+ Utah consumers (or 25K+ if 50%+ of revenue is from selling personal data).
UK public-sector websites and mobile apps must meet WCAG 2.1 AA and publish an accessibility statement. GDS audits a sample every year.
The Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 — UK's transposition of EU Directive 2016/2102. Mandates WCAG 2.1 AA conformance and a published accessibility statement for every public-sector website, intranet, and mobile app.
GDS's Cabinet Office monitoring team audits a sample of public-sector sites yearly and publishes findings. Non-compliant bodies receive enforcement letters from the Equality and Human Rights Commission; persistent failures can trigger judicial review proceedings.
UK public-sector bodies — government departments, local councils, NHS trusts, universities, and most public-funded organizations.
Virginia's CCPA-shaped privacy law. Applies if you process the data of 100K+ Virginia residents (or 25K+ if you derive 50%+ revenue from selling data). No private right of action — Virginia AG enforces.
The Virginia Consumer Data Protection Act, effective 1 January 2023. Grants Virginia residents rights to access, delete, correct, port, and opt out of sale and targeted advertising. Closely tracks CCPA/CPRA but uses the GDPR-style controller/processor vocabulary. Enforced exclusively by the Virginia AG with a 30-day cure period.
Civil penalties up to $7,500 per violation. Most multi-state SaaS and e-commerce sites already in CCPA scope will hit Virginia thresholds — a unified opt-out and privacy policy generally covers both.
Virginia residents — applies to controllers processing 100K+ Virginia consumers, or 25K+ where 50%+ of revenue comes from selling personal data.
`<meta name="viewport" content="width=device-width, initial-scale=1">` — one line that decides whether your site is usable on a phone. Mobile-first indexing means without it you don't rank.
The viewport meta tag, defined in the WHATWG HTML spec and operationalized in Google's mobile-friendly criteria. Tells the browser to size the layout viewport to the device width rather than zoom out to a default 980px desktop canvas.
Google indexes the mobile version of every site by default (mobile-first indexing). A page that renders zoomed-out, with 4pt text and tap targets the size of a sesame seed, fails the mobile-friendly check and gets demoted. The fix is one meta tag.
Every public site that wants Google traffic — which is to say, every public site.
The minimum-viable baseline of the regulation-cited WCAG version. Same warning as Level A in 2.2 — failing it means basic usability is broken.
The lowest of three conformance levels in WCAG 2.1. Captures the most fundamental requirements that, if missed, leave assistive-tech users locked out entirely.
Nobody targets Level A as a goal — but a few EU procurement docs reference it for narrow product categories. Mostly relevant as an early-warning signal on the path to AA.
Applies wherever a regulation explicitly cites WCAG 2.1 Level A.
The version of WCAG most regulators actually wrote into law. EAA, UK PSBAR, and France's RGAA all cite 2.1 AA — even after 2.2 shipped.
Web Content Accessibility Guidelines 2.1 at conformance Level AA. Published in 2018; added 17 success criteria over 2.0 covering mobile, low vision, and cognitive accessibility. Now superseded editorially by 2.2 (2023), but still the version cited by name in active EU and UK regulations.
If your obligation flows from EAA, UK PSBAR, RGAA, or BITV 2.0, the legal text says "2.1 AA" — meeting 2.2 AA satisfies it (2.2 is a strict superset), but you can't claim conformance to a regulation by citing a different version. Keep this on your radar until the regulators catch up.
Operative wherever a regulation cites WCAG 2.1 by name — currently the EU (EAA, EN 301 549), UK (PSBAR), France (RGAA), Germany (BITV 2.0), and others.
The minimum-viable accessibility baseline. If you fail Level A, sighted-mouse users are probably also having a bad time.
The lowest of three WCAG conformance levels. Captures the most fundamental accessibility requirements — anything that would make the site outright unusable for assistive-tech users.
Level A is table-stakes; nobody designs *to* Level A as a goal, but failing it is a sign of deeper problems. Use it as an early-warning signal on the way to AA.
Applies to every public-facing website.
The web's de-facto baseline for accessibility. If a courtroom or compliance auditor asks whether your site is accessible, this is what they'll measure against.
Web Content Accessibility Guidelines 2.2 at conformance Level AA, published by the W3C in October 2023. Covers perceivability, operability, understandability, and robustness across 50+ success criteria — keyboard navigation, color contrast, alt text, focus indicators, captions, and predictable interaction.
WCAG AA is the conformance target referenced by the ADA, EAA, Section 508, and most procurement contracts. Falling short isn't just a UX problem — it's the standard plaintiffs' lawyers cite in accessibility lawsuits, which run six figures.
Applies to every public-facing website. Personal one-pagers excepted only when no commercial activity occurs.
WebP saves ~25–35% vs JPEG; AVIF saves ~50%. Either is supported by every browser that matters in 2026. Serving JPEG/PNG by default is a self-inflicted byte tax.
WebP (Google, lossy + lossless, 2010) and AVIF (AV1-based, lossy + lossless, 2019) are next-generation raster image formats. Distinct from HTTP-level compression — these compress the image data itself. Both have universal browser support; AVIF has better ratios but encoder cost; WebP is the safe default. JPEG XL exists, has notably better quality, but Chrome dropped it and Safari shipped it — cross-browser support remains spotty.
Images are typically 50–70% of homepage weight. Cutting that in half with format conversion alone moves LCP, mobile data costs, and bounce rate measurably. Most CDNs (Cloudflare Polish, Fastly Image Optimizer, Cloudinary, imgix) do the conversion automatically — if yours doesn't, that's the signal to switch.
Every site serving images — which is most.
Stops other sites from embedding yours in an iframe — the prerequisite for clickjacking. CSP frame-ancestors is the modern equivalent; ship both for safety.
X-Frame-Options is the legacy header (DENY / SAMEORIGIN) preventing the page from being framed cross-origin. CSP's frame-ancestors directive supersedes it with finer-grained control. ALLOW-FROM is obsolete; use frame-ancestors for allow-listing.
Clickjacking attacks overlay your authenticated UI inside an attacker iframe. Without one of these headers, any site can embed yours and trick a logged-in visitor into clicking through invisible widgets.
Any site with login, payment, or sensitive forms — but cheap enough to deploy everywhere.
Without this, anyone can send phishing email pretending to be from your business — and your customers may receive it as if it really came from you. The fix is a few DNS records your email provider can usually add in under an hour.
When your email arrives, this is the invisible signature that tells Gmail and Outlook it really came from your business and wasn't tampered with along the way. Without it, your messages are more likely to land in spam or get blocked.
This tells the rest of the internet which mail services — your provider, your booking system, your CRM — are actually permitted to send email from your domain. Without it, your real messages look as suspicious as a stranger's, and your invoices and confirmations start hitting spam.
Hidden settings your site sends to a visitor's browser to block common attacks like fake login overlays, hijacked sessions, and content sniffing. Modern hosting platforms set them by default; older custom-built sites often don't.
The little padlock next to your address bar comes from a certificate that has to be renewed on a schedule. If it lapses, every browser slams a full-screen red warning in front of your customers and they bounce.
A default WordPress setting publishes a list of every login name on your site, which attackers feed straight into password-guessing tools. Turning it off takes one plugin or one line of config.
Things like login pages, admin panels, and developer files should never be reachable by a stranger typing a guess into their browser. When they are, they become the front door for an attack.
Google's mobile-first index means slow sites rank lower in search and lose visitors before the page paints. Most fixes are configuration changes, not rebuilds.
An older connection style makes every image, font, and script load one after another instead of together — so your phone visitors wait longer than they should. Flipping this on is usually a single setting at your host.
Without compression, your visitors download files that are roughly four times bigger than they need to be — burning their data plan and your search ranking. Every modern host supports this; it's almost always just a checkbox.
The headline, blurb, and image that show up when someone posts your site on Facebook, sends it in iMessage, or sees it in Google. If they're missing or wrong, you look unfinished or attract the wrong clicks.
Behind the scenes, your pages can carry small tags that tell Google whether you're a restaurant, a dentist, or a law firm — and your hours, prices, and reviews. Without them, Google has to guess, and the rich result with stars and photos goes to a competitor instead.
Every page should announce, in one obvious sentence, what it's about. When that's missing, Google and skim-reading visitors both lose the thread of what you do.
Google needs a list of every page you want it to find, plus a note about which ones to skip. Without it, parts of your site quietly go missing from search results.
ChatGPT, Claude, and Perplexity look for a small text file at /llms.txt to understand what your business is and what to say about it. Without it, they guess, and the guess is often wrong.
Your site can quietly tell ChatGPT, Claude, and Google's AI to stay out — or to come in. If you're blocking them by accident, you're invisible when customers ask AI for a recommendation in your category.
First-time visitors and fraud-detection systems both treat brand-new domains as suspicious by default. A domain registered yesterday tells the same story to humans and to spam filters.
Public web archives quietly record when your site first appeared and how often it's updated. A site with years of history reads as established; a site that just popped up reads as a pop-up.
When someone Googles your business name, this is the panel that shows your address, hours, photos, phone, and reviews. Without one, a customer ready to walk in the door may end up at a competitor.
Recent news mentions — local paper, industry blog, podcast — tell both customers and Google that your business is active and relevant. A long silence reads as a business that's gone quiet.
A Wikipedia page is one of the strongest signals to Google and AI assistants that you're a real, notable business. Most small businesses don't have one — but if you're big enough, missing it is a wasted credibility win.
An extra signature on your domain settings that stops attackers on shared WiFi or shady networks from rerouting your customers to a fake version of your site. Most domain registrars offer it as a one-click toggle.
A short list at your domain registrar that names which companies are allowed to issue security certificates for your site. Without it, a sloppy or compromised certificate vendor anywhere in the world could mint a fake one for your domain.
These settings tell other mail servers they must use encryption when delivering email to you, so an attacker on the network can't read or quietly redirect it. Most small businesses don't have this turned on yet, and the bigger your domain gets, the more it matters.
When this is set up, Gmail and Apple Mail can display your verified logo in the inbox next to messages from your business — which both looks more professional and helps customers spot real email from you versus impersonators.
An opt-in list shipped inside Chrome, Safari, and Firefox themselves. Once your domain is on it, browsers will never let a visitor fall back to an unencrypted connection — even before they've ever visited you.
TLS 1.0 and 1.1 have known holes and were retired by every major browser years ago. Even if modern visitors never negotiate down to them, leaving them switched on at your server gives scrapers, payment processors, and security scanners a real reason to flag you.
If you ever spun up something like blog.yoursite.com or shop.yoursite.com and later abandoned it without cleaning up the DNS, a stranger can sometimes claim that address and put their own content under your name.
Anti-virus tools, email filters, and corporate firewalls share lists of domains tied to malware or scams. If yours lands on one — even by mistake — your emails go to spam and your site gets blocked at offices and schools.
The latest version of the web's delivery protocol shaves real time off how fast your site feels, especially on spotty mobile networks. It's a free upgrade that better hosts and CDNs already include.
A growing share of phone and home networks now use the newer addressing system. Sites stuck on the old one get a small but real ranking nudge against them and load slower for those visitors.
Older photo formats can be five times heavier than newer ones, so your homepage drags on a phone and Google notices. Most hosts and platforms can convert your images automatically.
Even if most visitors are on phones, a sluggish desktop experience hurts the customers most likely to fill out a long form, book a service, or buy something expensive.
Google quietly collects loading times from actual Chrome users on your site and uses that — not lab tests — to decide your search ranking. If real visitors are seeing slow pages, your rankings already feel it.
When every image loads at once, the top of your page stalls because the phone is busy fetching pictures nobody can see yet. Loading them as a visitor scrolls is a one-line fix that makes the first screen pop in faster.
If custom fonts aren't set up right, your headlines stay blank for a second or two — visitors see a flash of nothing where your name should be, then bounce. The fix is one line of code where the font is declared.
A homepage that weighs several megabytes punishes anyone on cell service and silently knocks down your Google ranking. Usually the bulk is one giant hero image or a stack of unused plugins.
Themes and page builders often ship piles of features your site never uses, and the visitor's phone has to download all of it anyway. Trimming this is the single biggest speed win on most small-business sites.
The hidden tags that describe your business to Google only work if they're written correctly. A typo or wrong format and Google ignores them, so the stars, hours, and prices never show up next to your listing.
Those little 'Home > Services > Teeth Whitening' trails help Google understand how your pages connect, and they often appear right inside your search result. Without them, your listing looks plainer than competitors'.
When your FAQs are formatted the way Google likes, your answers can show up directly in search — sometimes before anyone even clicks. That's free real estate competitors are taking from you.
If you serve customers in more than one language or country, your site needs to tell Google which version is for whom. Otherwise a Spanish-speaking customer might land on your English page and bounce.
If a customer or Google has to click five or six times from your homepage to find a service or product page, most never make it. Important pages should be two or three clicks away, max.
A small file you can publish lets AI tools talk to your site directly — checking availability, prices, or booking. Without it, you're missing out as customers shift from Googling to asking ChatGPT.
When ChatGPT or Perplexity describes your business, they're pulling from the structured details on your site. The thinner those details, the more the AI guesses — and the more often it gets your hours, prices, or services wrong.
If anyone from the European Union or California can land on your site, the privacy laws there (GDPR and CCPA) require a banner that lets visitors say no to tracking. Fines start at thousands of dollars and the regulators don't warn you first.
Every state and country with a privacy law requires one, and Google, Apple, and Meta all refuse to run ads from sites without it. Missing this is the fastest way to get an ad account suspended or a lawyer's letter.
Without one, you have no written agreement with the people using your site — which makes refund disputes, chargebacks, and copied content much harder to fight. A basic version takes an afternoon and protects you for years.
Every analytics, ad, and chat tool you've added quietly shares your visitors' behavior with another company — and you're legally on the hook for what they do with it. Most small-business sites are running twice as many as the owner realizes.
California law requires a clearly labeled "Do Not Sell or Share My Personal Information" link in your footer if you have visitors from California and use ad or analytics tools. The state Attorney General has been actively fining small businesses for missing it.
Tools like Facebook Pixel and Google Ads quietly set tracking cookies the moment someone lands — often before they've agreed to anything. Under European and California law, that gap between landing and consent is what triggers fines.
Posting one signals to the courts and to disabled visitors that you're taking accessibility seriously, and it's the first thing a plaintiff's lawyer looks for when deciding whom to sue. Roughly 4,000 small businesses got accessibility lawsuits last year.
About one in four American adults has a disability the courts recognize, and your site is legally required to work for them under the Americans with Disabilities Act (ADA). Lawsuits over this hit small businesses every week, and most settle for $5,000 to $20,000.
Blind visitors use software that reads pages out loud, and it can only describe a photo if you've written a short caption behind it. Missing alt text is the single most common item cited in accessibility lawsuits — and Google uses the same text to understand your images.
Screen readers let blind visitors jump heading-to-heading the way you skim with your eyes — but only if the headings are nested in order. Out-of-order headings also confuse Google about what your page is actually about.
Pale-gray text on white is the single most-cited problem in accessibility lawsuits. It also loses customers over 50, who already squint at their phones.
When a button is just an icon — a magnifying glass, a hamburger menu, a shopping cart — a blind visitor's screen reader has nothing to announce unless someone added a hidden label. Without these, your contact form and checkout are unusable for them, and that's the kind of thing that ends up in a demand letter.
Visitors who navigate by keyboard instead of mouse — usually because of a motor or vision impairment — otherwise have to tab through every nav link on every page just to reach your content. It's a small link at the top, and it's checked in nearly every accessibility audit.
Plenty of customers still check Yelp before booking, especially for restaurants, salons, and home services. No listing — or worse, a listing with two angry reviews and no replies — sends them to the next result.
For online stores and B2B services, Trustpilot is often the first place a cautious buyer checks. An empty profile, or no profile at all, makes it easy to walk away from the purchase.
Older customers and people considering a big-ticket purchase still check the BBB. An accreditation badge — or just a clean profile — quietly answers the question 'is this business real and reachable if something goes wrong?'
B2B buyers, recruits, and reporters all check LinkedIn before reaching out. An empty page, or no page, makes you look smaller and less established than you actually are.
Bing powers search for millions of Windows users, ChatGPT search, and DuckDuckGo. Without a listing, you're invisible to all of them — and increasingly to AI tools that pull from Bing.
Every iPhone user who asks Siri for directions or searches Apple Maps is using this. If you're not listed, customers driving toward you literally can't find you.
Even customers who never use Facebook still click your Facebook page from Google to see if you're real and active. A page with no posts in two years says 'this business might be closed.'
If Instagram is where your photos and customer love live, your website should send people there. Hiding it costs you the easiest proof that you're a real, active business.
When this is set up, customers who use your site often can pin it to their home screen like an app — which keeps you a tap away instead of buried in a search. It's a small file, but a missing one signals an older build.
Modern sites can show a useful page even when a customer's phone briefly loses signal — like in an elevator or a bad reception area. Without it, they get a blank error and assume your site is broken.
If nothing's measuring which pages people visit, where they drop off, or which ad sent them, you're flying blind. You can't improve what you can't see.
If you sell anything, customers expect to pay on the site without a phone call or invoice email. Missing checkout means lost sales the moment they hesitate.
Email signup, automated follow-ups, abandoned-cart reminders — these turn one-time visitors into repeat customers. Without any of it, every visitor who isn't ready to buy today is gone for good.
A chat widget, help center, or contact form lets a customer ask a quick question at 9pm without picking up the phone. Without one, the question goes unanswered and so does the sale.
A tag manager is what lets a marketer add or fix tracking without breaking your site. Its absence usually means tracking was bolted on once and never touched again.
If you ever plan to run ads on Google, Facebook, or Instagram, the tracking pixels need to be in place before launch — not after. Without them, you can't tell which ads actually brought in customers.
Customers trust hello@yourbusiness.com a lot more than yourbusiness@gmail.com — the free address makes a real company look like a side hustle, and it's one of the fastest ways to lose a lead before they even reply.
We can usually tell whether your email is on Google Workspace, Microsoft 365, your web host, or something custom. The platform behind your email shapes how reliable it is, how well it filters spam, and how easy it is for a new employee to get an inbox.
When this is on, mail providers send you a daily summary of who tried to send email pretending to be your business — so you can spot impersonation attempts before customers do. Without it, scammers can spoof you for months and you'd never know.
Listing a Gmail, Yahoo, or Outlook address on your contact page makes your business look smaller and less established than it really is. A simple address at your own domain — even if it just forwards to that same inbox — instantly looks more legitimate.
An email signup form lets a curious visitor become a future customer instead of a one-time tab close. For most local businesses this is the single cheapest way to bring people back without paying for ads every time.
If your business sends marketing email, doing it through a service like Mailchimp or Klaviyo (instead of from your personal inbox) is what keeps you out of spam folders and out of legal trouble with unsubscribe rules.
Order confirmations, password resets, and appointment reminders need to land in the inbox every single time. Sending them through a dedicated service — instead of straight from your website — is the difference between customers getting their receipt and them calling you confused.
There's a behind-the-scenes ceiling on how many email tools can be authorized to send as your business at once. When you add too many — newsletter, booking, invoicing, helpdesk — you quietly cross the line and all of them start landing in spam.
A visible 'get in touch' form is the easiest way to turn a curious visitor into a lead. If finding one takes more than a few seconds, most people just close the tab.
On a phone, tapping an email address should open the mail app with everything pre-filled. When it's just text someone has to copy and paste, half of them give up.
Instead of having a real inbox at your domain, mail to your address is being forwarded to a personal Gmail or Yahoo account. It works, but it's fragile — replies often look broken to customers, and the setup tends to fall apart as your business grows.
A free guide, checklist, discount, or sample turns a stranger browsing your site into a contact you can follow up with later. Without one, most visitors leave without a trace and you have no way to win them back.
Inside every encrypted connection there's a recipe — newer recipes are bank-grade, older ones have known weaknesses. If your server still falls back to the old ones, security scanners and cyber-insurance audits will flag it.
If someone ever steals your server's master key, well-built encryption still protects every conversation that happened before the theft. Without it, an attacker who quietly recorded traffic for years can suddenly read all of it.
The certificate behind your padlock is signed with a kind of math that has to keep up with the times. Old, short keys are being phased out — sites still using them will start showing warnings in browsers.
Browsers can usually paper over a half-installed certificate, but phones, apps, and older email clients can't — they'll show an error and refuse to connect. This is one of the most common silently-broken setups on the web.
A small efficiency where your server checks once that the certificate is still valid and shares the answer with everyone, instead of every visitor's browser making its own trip across the internet to ask. Faster page loads, better privacy.
Every legitimate certificate today gets recorded in a public ledger so fake ones get caught quickly. Browsers refuse to trust certificates that skip this step, and yours needs at least two log entries to clear the bar.
Hides which website a visitor is opening from coffee-shop WiFi, corporate proxies, and government censors. It's a newer feature, so having it on is a real sign your site is keeping up with the modern web.
Researchers worry that quantum computers, when they arrive, could crack today's encrypted recordings after the fact. The newest encryption recipes already protect against that — and Chrome and Cloudflare turned them on in 2024.
Short-lived certificates that auto-renew are the new normal — they prove your renewal automation works and limit the damage if a key ever leaks. Multi-year certificates from old paid vendors are increasingly seen as a smell.
An advanced setting that tells browsers to refuse the connection if the freshness check on your certificate goes missing, instead of quietly accepting it. Rarely turned on — when it is, it's a clear sign someone competent runs the server.
Some certificate vendors have been kicked out of browsers in the past for sloppy practices. Sticking with a well-known name — Let's Encrypt, DigiCert, Cloudflare, Google, Sectigo — means your padlock keeps working on every device for years.
Before a page can even start loading, the browser and server have a quick back-and-forth to set up the encrypted connection. When that takes too long, every first-time visitor feels the lag — and Google notices it too.