therosewinebar.com
Site based in California, United States, served through Cloudflare, with email running through Google.
AI-readiness: 30 (Needs work)
JSON-LD richness score for LLMs
We couldn't find any organization details in your page's structured data.
3 additional standards didn't apply to this category
Privacy: 36 (Needs work)
No privacy policy page found. Required by GDPR, CCPA, and most app store listings.
Terms of service page presence
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
CCPA "Do Not Sell or Share My Personal Information" link
No CCPA "Do Not Sell or Share My Personal Information" link found. If you have California visitors and sell or share data, this is required.
Cookie scan — actual cookies set on first load
Your homepage sets non-essential cookies before the visitor consents. Under GDPR this is non-compliant — cookies should fire only after explicit opt-in.
Your homepage loads a moderate number of third-party trackers. Worth auditing what each one is for.
1 additional standard didn't apply to this category
Security: 74 (Excellent)
There's no CAA record at your registrar saying which companies are allowed to issue certificates for you.
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Certificate key strength and signature algorithm
Your certificate uses outdated key strength or a SHA-1 signature. Reissue with a modern ACME-class cert.
Embedded SCT count (Certificate Transparency)
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Only classical key exchange is offered. Today's traffic could be decrypted later if a quantum computer recovers the key.
SSL certificate validity & expiration window
Your SSL certificate is valid and not close to expiring.
Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)
None of the common admin or developer paths are publicly reachable.
Modern cipher suite preference
The handshake negotiates a modern AEAD cipher (AES-GCM or ChaCha20-Poly1305).
Forward secrecy is guaranteed by the negotiated handshake — past traffic stays unreadable even if your key leaks.
Certificate chain completeness
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Certificate validity-period brevity
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your TLS handshake completes quickly — under 300ms on a cold connection.
5 additional standards didn't apply to this category
Performance: 77 (Excellent)
Image optimization (WebP/AVIF)
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Lazy loading on below-fold images
Images below the fold aren't lazy-loaded — visitors download them up front even if they never scroll that far.
Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)
Your homepage is mid-pack on mobile. Reasonable but Google's ranking signal rewards faster sites.
Your homepage loads fast on desktop — Google's ranking signal is in the green.
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
Core Web Vitals from CrUX (Real User Monitoring)
Real visitors report fast loads in Chrome User Experience data — your live performance is genuinely good.
Font loading strategy (FOUT/FOIT/swap)
Your fonts swap in cleanly — text is readable in the system font while custom fonts download.
3 additional standards didn't apply to this category
SEO: 77 (Excellent)
Title, meta description, OG, Twitter cards, canonical
Your homepage is missing one or more of the standard social-share and search-preview tags.
Encrypted Client Hello isn't offered. The hostname is visible in plaintext during the handshake.
Schema.org structured data presence
Your homepage publishes Schema.org structured data — search engines and AI tools can read what your site is directly.
Your homepage has a clear H1 heading — search engines and screen readers know what the page is about.
Schema.org type validity (parsed JSON-LD)
Your structured-data tags parse cleanly against Schema.org.
Internal link depth (clicks from homepage to deepest content)
Important pages are reachable in just a click or two from your homepage.
5 additional standards didn't apply to this category
Brand presence: 80 (Excellent)
Google Business Profile presence + rating
We couldn't find a Google Business Profile linked to this domain.
Wayback Machine site age & last snapshot
Your site has been online for years — public archives have a long history of it.
Instagram presence (link from site → IG profile)
Your Instagram profile is linked from your site.
12 additional standards didn't apply to this category
Email health: 82 (Excellent)
No MTA-STS or TLS-RPT policy is published — incoming mail could be downgraded to plaintext.
Lead magnet / signup incentive detected (free download, ebook, etc.)
We didn't find a lead magnet on your homepage — no free download, sample, or signup incentive. Visitors who aren't ready to buy have nothing to take with them.
You have DMARC set up, but in monitor-only mode — it's not actually rejecting spoofed mail.
SPF is set and lists your sending services as approved senders.
Branded domain email address (vs free Gmail/Yahoo)
You send email from your own domain, not a free Gmail/Yahoo address.
DMARC aggregate reporting enabled (rua=)
You're set up to receive daily DMARC reports of spoofing attempts.
Free-email exposure on contact page (gmail/yahoo/outlook visible)
Your published contact address is on your own domain, not a free inbox.
SPF lookup count (10-limit deliverability check)
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
Mailto: direct contact link present
Your site exposes a mailto: link visitors can tap to start a message.
Email forwarding service detected (improvmx, forwardemail, etc.)
Mail to this domain is being forwarded — you have working email reachability.
5 additional standards didn't apply to this category
Accessibility: 88 (Excellent)
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
axe-core / WAVE accessibility scan
Your homepage passes automated accessibility checks — no obvious blockers for screen readers or keyboard users.
Every image on your homepage has alt text — screen readers can describe them.
Your heading levels are properly nested — H1, then H2s, then H3s — and screen readers can navigate the outline.
Text on your homepage meets WCAG AA contrast minimums — readable by visitors with low vision.
ARIA labels presence and validity
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
1 additional standard didn't apply to this category
18 additional standards planned, scorer not yet implemented.
Does it respect visitor privacy? 36 (Needs work)
You have a privacy policy page
No privacy policy page found. Required by GDPR, CCPA, and most app store listings.
You have a terms of service page
No terms of service page found. Without one, you have no contractual basis for the relationship with your visitors.
California privacy opt-out link
No CCPA "Do Not Sell or Share My Personal Information" link found. If you have California visitors and sell or share data, this is required.
What your site actually drops on visitors' phones
Your homepage sets non-essential cookies before the visitor consents. Under GDPR this is non-compliant — cookies should fire only after explicit opt-in.
How many outside companies you let watch your visitors
Your homepage loads a moderate number of third-party trackers. Worth auditing what each one is for.
1 additional standard didn't apply to this site
Does this look like a real business? 53 (Needs work)
Your listing on Google Maps and search
We couldn't find a Google Business Profile linked to this domain.
A contact form people can actually find
We couldn't find a visible contact form on your homepage.
How long your site has been online
Your site has been online for years — public archives have a long history of it.
9 additional standards didn't apply to this site
Can people find this site? 70 (Excellent)
How your site appears when shared or in search results
Your homepage is missing one or more of the standard social-share and search-preview tags.
Visitor privacy on hostile networks
Encrypted Client Hello isn't offered. The hostname is visible in plaintext during the handshake.
How well your site feeds AI the right facts
We couldn't find any organization details in your page's structured data.
Hidden labels that explain your business to Google
Your homepage publishes Schema.org structured data — search engines and AI tools can read what your site is directly.
A clear headline on every page
Your homepage has a clear H1 heading — search engines and screen readers know what the page is about.
Whether your behind-the-scenes labels are valid
Your structured-data tags parse cleanly against Schema.org.
How easy it is to reach your deepest pages
Important pages are reachable in just a click or two from your homepage.
8 additional standards didn't apply to this site
Is it safe to visit? 74 (Excellent)
Only your approved vendors can issue your padlock
There's no CAA record at your registrar saying which companies are allowed to issue certificates for you.
Visitors connect faster on the first click
Your server doesn't staple OCSP. Visitors' browsers may have to contact the CA themselves, slowing first connects.
Strict mode for your padlock check
Neither OCSP stapling nor Must-Staple is in play. A revoked cert wouldn't be caught quickly.
Your padlock isn't using outdated keys
Your certificate uses outdated key strength or a SHA-1 signature. Reissue with a modern ACME-class cert.
Your certificate is publicly logged
Your certificate carries only one embedded SCT — modern browsers want at least two. Reissue from a CA that includes them.
Future-proof against tomorrow's computers
Only classical key exchange is offered. Today's traffic could be decrypted later if a quantum computer recovers the key.
Your padlock isn't about to expire
Your SSL certificate is valid and not close to expiring.
Private files aren't open to the public
None of the common admin or developer paths are publicly reachable.
The padlock uses strong, modern math
The handshake negotiates a modern AEAD cipher (AES-GCM or ChaCha20-Poly1305).
Old recordings stay locked even if a key leaks
Forward secrecy is guaranteed by the negotiated handshake — past traffic stays unreadable even if your key leaks.
Your padlock loads cleanly on every device
Your server sends the full certificate chain — every device builds the path to a trusted root cleanly.
Your padlock renews on a healthy schedule
Your certificate uses a short validity window (≤ 90 days) — auto-renewal keeps revocation fast and frictionless.
Your padlock comes from a reputable vendor
Your certificate is issued by a tier-1 publicly trusted CA (Let's Encrypt, DigiCert, Google Trust, Sectigo, etc.).
Your site finishes its handshake quickly
Your TLS handshake completes quickly — under 300ms on a cold connection.
5 additional standards didn't apply to this site
Is it fast? 77 (Excellent)
Your photos are saved in modern formats
Your images are served as JPEG or PNG when modern formats (WebP, AVIF) would cut their size by 30–60% with no visible loss.
Photos lower on the page wait their turn
Images below the fold aren't lazy-loaded — visitors download them up front even if they never scroll that far.
How fast your site loads on a phone
Your homepage is mid-pack on mobile. Reasonable but Google's ranking signal rewards faster sites.
How fast your site loads on a laptop
Your homepage loads fast on desktop — Google's ranking signal is in the green.
Your site uses a modern web connection
Your server speaks HTTP/2 — page loads multiplex over a single connection.
Pages get squeezed before they're sent
Your server compresses pages with Brotli or gzip — visitors download a fraction of the raw size.
How real visitors actually experience your speed
Real visitors report fast loads in Chrome User Experience data — your live performance is genuinely good.
Your text shows up while fonts load
Your fonts swap in cleanly — text is readable in the system font while custom fonts download.
3 additional standards didn't apply to this site
Is email from this domain trustworthy? 86 (Excellent)
Keeps your email private in transit
No MTA-STS or TLS-RPT policy is published — incoming mail could be downgraded to plaintext.
Stops scammers from emailing customers as you
You have DMARC set up, but in monitor-only mode — it's not actually rejecting spoofed mail.
Lists who's allowed to email as your business
SPF is set and lists your sending services as approved senders.
You email from your own domain, not Gmail
You send email from your own domain, not a free Gmail/Yahoo address.
You get reports when someone fakes your email
You're set up to receive daily DMARC reports of spoofing attempts.
Your email setup is under a hidden limit
Your SPF record uses fewer than 10 DNS lookups — under the spec limit.
A clickable email link on your site
Your site exposes a mailto: link visitors can tap to start a message.
Your email is being forwarded, not hosted
Mail to this domain is being forwarded — you have working email reachability.
4 additional standards didn't apply to this site
Can everyone use it? 88 (Excellent)
No skip-to-content link is published. Keyboard users have to tab through every nav item on every page before reaching the content.
Your site works for visitors with disabilities
Your homepage passes automated accessibility checks — no obvious blockers for screen readers or keyboard users.
Your photos have written descriptions
Every image on your homepage has alt text — screen readers can describe them.
Your headings are in a sensible order
Your heading levels are properly nested — H1, then H2s, then H3s — and screen readers can navigate the outline.
Text on your homepage meets WCAG AA contrast minimums — readable by visitors with low vision.
Your buttons and forms are labeled for screen readers
Interactive elements have proper ARIA labels — screen reader users get a clear description of each control.
1 additional standard didn't apply to this site