nsuartmuseum.org
Nonprofit site, served through Cloudflare, with email running through microsoft.
AI-readiness30Needs work
JSON-LD richness score for LLMs
We couldn't find any organization details in your page's structured data.
3 additional standards didn't apply to this category
SEO58Solid
Schema.org structured data presence
Your homepage doesn't publish any Schema.org structured data. Search engines and AI tools fall back to guessing what your site is — and they guess wrong more often than not.
Schema.org type validity (parsed JSON-LD)
We didn't find any structured-data tags on your homepage.
No breadcrumb schema is published. Search engines can't show breadcrumb trails under your listings, and visitors lose the trail to important pages.
Title, meta description, OG, Twitter cards, canonical
Your homepage is missing one or more of the standard social-share and search-preview tags.
Your homepage has a clear H1 heading — search engines and screen readers know what the page is about.
Internal link depth (clicks from homepage to deepest content)
Important pages are reachable in just a click or two from your homepage.
5 additional standards didn't apply to this category
Performance60Solid
Your server still serves over the older HTTP/2 protocol — not the newer, faster HTTP/3.
Image optimization (WebP/AVIF)
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Lazy loading on below-fold images
Images below the fold aren't lazy-loaded — visitors download them up front even if they never scroll that far.
Font loading strategy (FOUT/FOIT/swap)
Your fonts aren't using font-display: swap. Visitors see invisible text for a moment while the font downloads — Google penalises this.
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
7 additional standards didn't apply to this category
Privacy70Excellent
Terms of service page presence
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
Your homepage loads a reasonable number of third-party services — clean privacy footprint.
3 additional standards didn't apply to this category
Accessibility70Excellent
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
ARIA labels presence and validity
Interactive elements (buttons, form fields, custom widgets) are missing ARIA labels or roles. Screen reader users don't know what they do.
Your accessibility statement page is published — visitors can find out what standards you commit to.
Every image on your homepage has alt text — screen readers can describe them.
Text on your homepage meets WCAG AA contrast minimums — readable by visitors with low vision.
1 additional standard didn't apply to this category
Security83Excellent
WordPress REST API user enumeration exposure
Your WordPress site exposes its user list through the REST API. Attackers can enumerate every account by username — the first half of any credential-stuffing attack is already done for them.
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Embedded SCT count (Certificate Transparency)
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Certificate validity-period brevity
Your certificate lifetime is on the longer end (> 90 days). ACME-class certs renew every 60-90 days and rotate cleanly.
SSL certificate validity & expiration window
Your SSL certificate is valid and not close to expiring.
Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)
None of the common admin or developer paths are publicly reachable.
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
Modern cipher suite preference
The handshake negotiates a modern AEAD cipher (AES-GCM or ChaCha20-Poly1305).
Forward secrecy is guaranteed by the negotiated handshake — past traffic stays unreadable even if your key leaks.
Certificate key strength and signature algorithm
Your certificate uses strong modern math (ECDSA P-256+ or RSA-2048+ with SHA-256+).
Certificate chain completeness
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Your server staples a fresh OCSP response — visitors don't have to round-trip to the CA on first connect.
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your TLS handshake completes quickly — under 300ms on a cold connection.
6 additional standards didn't apply to this category
Email health85Excellent
Lead magnet / signup incentive detected (free download, ebook, etc.)
We didn't find a lead magnet on your homepage — no free download, sample, or signup incentive. Visitors who aren't ready to buy have nothing to take with them.
Mailto: direct contact link present
We couldn't find a tap-to-email link anywhere on your site.
DMARC is enforcing — spoofed mail from your domain gets quarantined or rejected.
SPF is set and lists your sending services as approved senders.
Branded domain email address (vs free Gmail/Yahoo)
You send email from your own domain, not a free Gmail/Yahoo address.
Email provider class (Workspace / 365 / Zoho / self-hosted / shared)
provider=microsoft_365, mx=nsuartmuseum-org.mail.protection.outlook.com, source=mx_classifier
DMARC aggregate reporting enabled (rua=)
You're set up to receive daily DMARC reports of spoofing attempts.
Free-email exposure on contact page (gmail/yahoo/outlook visible)
Your published contact address is on your own domain, not a free inbox.
Newsletter signup form detected
Your homepage exposes a newsletter or signup form — visitors can subscribe without leaving the page.
Email Service Provider (ESP) detected
Your Email Service Provider is detectable — newsletters and marketing email have a real sending platform behind them.
SPF lookup count (10-limit deliverability check)
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
Email forwarding service detected (improvmx, forwardemail, etc.)
Mail to this domain is being forwarded — you have working email reachability.
3 additional standards didn't apply to this category
Brand presence90Excellent
Wayback Machine site age & last snapshot
Your site has been online for years — public archives have a long history of it.
tools=Google Analytics, count=1, first_party_telemetry=navigator\.sendBeacon\s*\(
13 additional standards didn't apply to this category
View formal standards verdicts → Composite-spec rollups for press, regulators, and compliance auditors.
14 additional standards planned, scorer not yet implemented.
Can people find this site?54Needs work
Hidden labels that explain your business to Google
Your homepage doesn't publish any Schema.org structured data. Search engines and AI tools fall back to guessing what your site is — and they guess wrong more often than not.
Whether your behind-the-scenes labels are valid
We didn't find any structured-data tags on your homepage.
A trail showing where visitors are on your site
No breadcrumb schema is published. Search engines can't show breadcrumb trails under your listings, and visitors lose the trail to important pages.
How well your site feeds AI the right facts
We couldn't find any organization details in your page's structured data.
How your site appears when shared or in search results
Your homepage is missing one or more of the standard social-share and search-preview tags.
A clear headline on every page
Your homepage has a clear H1 heading — search engines and screen readers know what the page is about.
How easy it is to reach your deepest pages
Important pages are reachable in just a click or two from your homepage.
8 additional standards didn't apply to this site
Is it fast?60Solid
Your site uses the newest connection style
Your server still serves over the older HTTP/2 protocol — not the newer, faster HTTP/3.
Your photos are saved in modern formats
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Photos lower on the page wait their turn
Images below the fold aren't lazy-loaded — visitors download them up front even if they never scroll that far.
Your text shows up while fonts load
Your fonts aren't using font-display: swap. Visitors see invisible text for a moment while the font downloads — Google penalises this.
Pages get squeezed before they're sent
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
7 additional standards didn't apply to this site
Does it respect visitor privacy?70Excellent
You have a terms of service page
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
How many outside companies you let watch your visitors
Your homepage loads a reasonable number of third-party services — clean privacy footprint.
3 additional standards didn't apply to this site
Can everyone use it?70Excellent
Your headings are in a sensible order
Your heading levels skip — for example, an H1 followed by an H3 with no H2 in between. Screen reader users lose the outline of the page.
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
Your buttons and forms are labeled for screen readers
Interactive elements (buttons, form fields, custom widgets) are missing ARIA labels or roles. Screen reader users don't know what they do.
You have an accessibility statement
Your accessibility statement page is published — visitors can find out what standards you commit to.
Your photos have written descriptions
Every image on your homepage has alt text — screen readers can describe them.
Text on your homepage meets WCAG AA contrast minimums — readable by visitors with low vision.
1 additional standard didn't apply to this site
Is it safe to visit?83Excellent
WordPress isn't leaking your usernames
Your WordPress site exposes its user list through the REST API. Attackers can enumerate every account by username — the first half of any credential-stuffing attack is already done for them.
Strict mode for your padlock check
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Your certificate is publicly logged
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Your padlock renews on a healthy schedule
Your certificate lifetime is on the longer end (> 90 days). ACME-class certs renew every 60-90 days and rotate cleanly.
Your padlock isn't about to expire
Your SSL certificate is valid and not close to expiring.
Private files aren't open to the public
None of the common admin or developer paths are publicly reachable.
Old TLS versions are turned off
Only modern TLS (1.2 and above) is offered — TLS 1.0 and 1.1 are turned off.
The padlock uses strong, modern math
The handshake negotiates a modern AEAD cipher (AES-GCM or ChaCha20-Poly1305).
Old recordings stay locked even if a key leaks
Forward secrecy is guaranteed by the negotiated handshake — past traffic stays unreadable even if your key leaks.
Your padlock isn't using outdated keys
Your certificate uses strong modern math (ECDSA P-256+ or RSA-2048+ with SHA-256+).
Your padlock loads cleanly on every device
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Visitors connect faster on the first click
Your server staples a fresh OCSP response — visitors don't have to round-trip to the CA on first connect.
Your padlock comes from a reputable vendor
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your site finishes its handshake quickly
Your TLS handshake completes quickly — under 300ms on a cold connection.
6 additional standards didn't apply to this site
Does this look like a real business?85Excellent
Whether anyone's written about you lately
No news mentions of this domain in the last 30 days.
How long your site has been online
Your site has been online for years — public archives have a long history of it.
A contact form people can actually find
A visible contact form is reachable from your homepage.
8 additional standards didn't apply to this site
Is email from this domain trustworthy?87Excellent
A clickable email link on your site
We couldn't find a tap-to-email link anywhere on your site.
Stops scammers from emailing customers as you
DMARC is enforcing — spoofed mail from your domain gets quarantined or rejected.
Lists who's allowed to email as your business
SPF is set and lists your sending services as approved senders.
You email from your own domain, not Gmail
You send email from your own domain, not a free Gmail/Yahoo address.
What's actually running your email
provider=microsoft_365, mx=nsuartmuseum-org.mail.protection.outlook.com, source=mx_classifier
You get reports when someone fakes your email
You're set up to receive daily DMARC reports of spoofing attempts.
A real tool for sending newsletters
Your Email Service Provider is detectable — newsletters and marketing email have a real sending platform behind them.
Your email setup is under a hidden limit
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
Your email is being forwarded, not hosted
Mail to this domain is being forwarded — you have working email reachability.
3 additional standards didn't apply to this site