Standards compliance · thesmokinggunsd.com
0/0 applicable standards satisfied · 100 not applicable
Security
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| Modern HTTP security headers OWASP · OWASP Secure Headers Project | n/a | — | Every site over HTTPS — which by 2026 is every site. |
| HSTS Preload Chromium / Google · Chromium preload list | n/a | — | Sites that have committed to HTTPS-only forever (preload removal can take months). |
| TLS 1.2+ baseline IETF · RFC 5246 / RFC 8446 | n/a | — | Every HTTPS endpoint. |
| DNSSEC IETF · RFC 4033–4035 | n/a | — | High-trust domains — gov, finance, healthcare, email at scale. |
| CAA records IETF · RFC 8659 | n/a | — | Every domain with HTTPS. |
| Valid SSL certificate CA/Browser Forum · CA/Browser Forum Baseline | n/a | — | Every HTTPS endpoint. |
| Forward secrecy IETF · TLS 1.3 mandatory | n/a | — | Every HTTPS endpoint. |
| Content Security Policy Level 3 W3C · W3C Working Draft | n/a | — | Every site rendering HTML — defense-in-depth against script injection. |
| Subresource Integrity W3C · W3C Recommendation | n/a | — | Any site loading scripts or stylesheets from a third-party CDN. |
| Cross-Origin isolation (COOP / COEP / CORP) WHATWG / W3C · HTML Living Standard | n/a | — | Sites using cross-origin isolated APIs, or hardening top-level pages against cross-window attacks. |
| Permissions-Policy W3C · W3C Working Draft | n/a | — | Every site — the default-deny posture is one line of config. |
| Referrer-Policy W3C · W3C Candidate Recommendation | n/a | — | Every site that ever sends an outbound request. |
| X-Frame-Options + frame-ancestors IETF / W3C · RFC 7034 / CSP frame-ancestors | n/a | — | Any site with login, payment, or sensitive forms — but cheap enough to deploy everywhere. |
| X-Content-Type-Options: nosniff WHATWG · Fetch Standard | n/a | — | Every HTTP response. |
| HTTP Strict Transport Security IETF · RFC 6797 | n/a | — | Every HTTPS site — the base header is safe, preload is the irreversible commitment. |
| security.txt IETF · RFC 9116 | n/a | — | Every site — research disclosures arrive whether you invited them or not. |
| PCI DSS v4.0 PCI Security Standards Council · 4.0.1 | n/a | — | Every site touching payment card data — including iframes and redirects to payment processors. |
| SOC 2 (Type I & Type II) AICPA · AICPA Trust Services Criteria | n/a | — | B2B SaaS, hosting, and any service organization holding customer data on behalf of enterprises. |
| ISO/IEC 27001:2022 ISO/IEC · 2022 | n/a | — | Organizations selling to European or international enterprise buyers, or operating in regulated industries. |
| NIST Cybersecurity Framework 2.0 NIST · 2.0 | n/a | — | US-based organizations, federal contractors, or anyone needing a cross-walk between security frameworks. |
| OWASP Top 10 (2025) OWASP Foundation · 2025 | n/a | — | Every web application — the Top 10 is the baseline, not the ceiling. |
| DANE for SMTP IETF · RFC 7672 | n/a | — | Domains with DNSSEC that send or receive mail with high-trust counterparties (gov, EU, finance). |
| TLS 1.3 IETF · RFC 8446 | n/a | — | Every HTTPS endpoint — modern stacks support it; legacy stacks should be on the migration list. |
| OCSP Stapling IETF · RFC 6066 status_request | n/a | — | Every HTTPS endpoint — usually a one-flag origin or CDN setting. |
| Certificate Transparency IETF · RFC 6962 / RFC 9162 | n/a | — | Every publicly-trusted certificate — automatic via your CA, but worth monitoring. |
Performance
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| Core Web Vitals Google · 2024 thresholds | n/a | — | Every public-facing site that wants Google traffic or conversions. |
| HTTP/2 IETF · RFC 9113 | n/a | — | Every public site. |
| HTTP/3 IETF · RFC 9114 | n/a | — | Sites with mobile-heavy or international audiences. |
| Brotli / gzip compression IETF · RFC 7932 / RFC 1952 | n/a | — | Every HTTP response with text content. |
| font-display: swap W3C CSS WG · CSS Fonts Module Level 4 | n/a | — | Every site loading custom web fonts. |
| Resource hints (preconnect / preload / prefetch / dns-prefetch) WHATWG · WHATWG HTML Living Standard | n/a | — | Every site with third-party origins or a known above-fold critical asset. |
| Modern image formats (WebP / AVIF) Per-format spec · MDN reference | n/a | — | Every site serving images — which is most. |
| Interaction to Next Paint (INP) Google · Core Web Vital (March 2024) | n/a | — | Every interactive site — i.e. every site. |
| Largest Contentful Paint (LCP) Google · Core Web Vital | n/a | — | Every public-facing site. |
| Speed Index Google / Catchpoint · Lighthouse / WebPageTest | n/a | — | Sites optimizing perceived performance, not just numerical milestones. |
SEO
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| Schema.org structured data Schema.org / W3C · Latest | n/a | — | Every public-facing site that wants discoverability. |
| robots.txt + sitemap.xml IETF / Sitemaps.org · RFC 9309 / sitemaps.org | n/a | — | Every public-facing site. |
| Open Graph + Twitter Cards Meta / X · Open Graph 2010 / Twitter Cards | n/a | — | Every site whose links get shared anywhere. |
| Heading hierarchy WHATWG · HTML Living Standard | n/a | — | Every public-facing HTML page. |
| Canonical URLs IETF / Google · RFC 6596 + Google canonicalization | n/a | — | Every public site — but especially e-commerce, paginated archives, and multi-region sites. |
| hreflang Google · Google Search Central | n/a | — | Multi-language or multi-region sites — anyone serving distinct content per locale. |
| Robots meta + X-Robots-Tag Google · Google Search Central | n/a | — | Every site with internal pages, staging environments, or non-HTML assets that shouldn't be in search. |
| Mobile viewport meta tag WHATWG / Google · WHATWG / Google mobile-friendly | n/a | — | Every public site that wants Google traffic — which is to say, every public site. |
| BreadcrumbList structured data Schema.org / Google · schema.org / Google | n/a | — | Any site with a content hierarchy more than two levels deep. |
| FAQ / HowTo structured data Schema.org / Google · schema.org (rich results deprecated) | n/a | — | Sites with substantial Q&A or instructional content — gov / health for FAQ rich results, others for general AI/structured-data signal. |
| Google Search Essentials Google · 2022 (replaces Webmaster Guidelines) | n/a | — | Every site that wants Google traffic. |
AI-readiness
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| llms.txt Answer.AI / community · Draft (2024) | n/a | — | Every site that wants to be cited well by AI assistants. |
| AI crawler permissions Per-vendor · robots.txt convention | n/a | — | Every site that has an opinion about AI training and citation. |
| C2PA Content Credentials Coalition for Content Provenance and Authenticity · 2.1 (Sep 2024) | n/a | — | Publishers, photographers, video producers, and any site whose authenticity matters for trust or compliance. |
| ai.txt Spawning / community · Draft (Spawning) | n/a | — | Publishers who care about how their content is used in AI training, not just whether it's crawled. |
| ai-plugin.json (well-known plugin manifest) OpenAI · v1 (OpenAI plugins, 2023) | n/a | — | Sites with public APIs that want to be agent-discoverable. |
| IETF AI Preferences (aipref) IETF · Working draft (target Aug 2026) | n/a | — | Anyone tracking AI policy or building tooling around training opt-outs. |
| llms-full.txt Answer.AI / community · Community convention (2024–) | n/a | — | Documentation sites and any content-heavy site that wants AI assistants to cite it accurately. |
Privacy
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| GDPR European Commission · Regulation (EU) 2016/679 | n/a | — | Applies wherever EU residents' personal data is processed — effectively any site with EU traffic that uses analytics or tracking. |
| CCPA / CPRA California Privacy Protection Agency · CPRA Amendment (2023) | n/a | — | California residents — but most sites with U.S. traffic encounter California users, so default to applying it. |
| Cookie consent baseline European Commission · ePrivacy Directive 2002/58/EC | n/a | — | Any site with EU traffic, plus increasingly any site claiming to respect user privacy. |
| HIPAA U.S. Department of Health & Human Services (Office for Civil Rights) · 45 CFR Parts 160 & 164 | n/a | — | U.S. healthcare providers, health plans, clearinghouses, and their business associates — anyone whose site touches protected health information. |
| COPPA U.S. Federal Trade Commission · 16 CFR Part 312 (2025 amendments) | n/a | — | U.S. sites directed at children under 13, and any general-audience site with actual knowledge it is collecting from children. |
| LGPD Autoridade Nacional de Proteção de Dados (ANPD) · Lei nº 13.709/2018 | n/a | — | Brazilian residents — applies extraterritorially to sites processing their personal data regardless of where the operator is located. |
| PIPEDA Office of the Privacy Commissioner of Canada (OPC) · S.C. 2000, c. 5 | n/a | — | Commercial activity in Canada — federally regulated everywhere; private-sector everywhere except where a substantially-similar provincial law applies. |
| POPIA Information Regulator (South Africa) · Act 4 of 2013 | n/a | — | South African residents — applies to any responsible party that is domiciled in South Africa or that processes personal information using means located there. |
| Australian Privacy Act + APPs Office of the Australian Information Commissioner (OAIC) · Privacy Act 1988 (Cth) — 2024 amendments | n/a | — | Australian residents — applies to APP entities (most organisations with >A$3M turnover) and to overseas businesses with an Australian link. |
| Quebec Law 25 Commission d'accès à l'information du Québec (CAI) · Bill 64 (2021), final phase 22 Sept 2024 | n/a | — | Quebec residents specifically — Law 25 displaces PIPEDA in Quebec for private-sector commercial activity. |
| Virginia CDPA Virginia Office of the Attorney General · Va. Code §§ 59.1-575 et seq. | n/a | — | Virginia residents — applies to controllers processing 100K+ Virginia consumers, or 25K+ where 50%+ of revenue comes from selling personal data. |
| Colorado Privacy Act Colorado Attorney General · Colo. Rev. Stat. §§ 6-1-1301 et seq. | n/a | — | Colorado residents — applies to controllers processing 100K+ Colorado consumers, or 25K+ where any revenue is derived from selling personal data. |
| Connecticut Data Privacy Act Connecticut Attorney General · Conn. Gen. Stat. §§ 42-515 et seq. | n/a | — | Connecticut residents — applies to controllers processing 100K+ Connecticut consumers, or 25K+ where 25%+ of revenue is from selling personal data. |
| Utah Consumer Privacy Act Utah Department of Commerce — Division of Consumer Protection · Utah Code Title 13, Chapter 61 | n/a | — | Utah residents — applies to controllers with $25M+ annual revenue that process 100K+ Utah consumers (or 25K+ if 50%+ of revenue is from selling personal data). |
| Texas Data Privacy and Security Act Texas Office of the Attorney General · Tex. Bus. & Com. Code Ch. 541 | n/a | — | Texas residents — applies to anyone conducting business in Texas or producing products/services consumed by Texas residents that processes personal data and is not an SBA-defined small business. |
| Oregon Consumer Privacy Act Oregon Department of Justice · ORS 646A.570–646A.589 | n/a | — | Oregon residents — applies to controllers processing 100K+ Oregon consumers, or 25K+ where 25%+ of revenue is from selling personal data; nonprofits are included as of 1 July 2025. |
| EU ePrivacy Regulation (withdrawn) European Commission · COM(2017) 10 final — withdrawn 2025 | n/a | — | Would have applied to providers of electronic communications services and websites with EU users — but the proposal was withdrawn before adoption. |
Accessibility
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| WCAG 2.2 Level AA W3C · 2.2 | n/a | — | Applies to every public-facing website. Personal one-pagers excepted only when no commercial activity occurs. |
| WCAG 2.2 Level A W3C · 2.2 | n/a | — | Applies to every public-facing website. |
| Section 508 U.S. Access Board · Refresh 2018 | n/a | — | Applies to federal agencies (.gov) and any vendor selling electronic content to the U.S. government. |
| European Accessibility Act European Commission · Directive (EU) 2019/882 | n/a | — | Applies to e-commerce, banking, ICT, transport-ticketing, and digital services in the EU as of June 2025. |
| ADA Title III (digital) U.S. Department of Justice · Public Accommodation | n/a | — | U.S. consumer-facing websites of businesses considered places of public accommodation. |
| WCAG 2.1 Level AA W3C · 2.1 | n/a | — | Operative wherever a regulation cites WCAG 2.1 by name — currently the EU (EAA, EN 301 549), UK (PSBAR), France (RGAA), Germany (BITV 2.0), and others. |
| WCAG 2.1 Level A W3C · 2.1 | n/a | — | Applies wherever a regulation explicitly cites WCAG 2.1 Level A. |
| Accessibility for Ontarians with Disabilities Act Ministry for Seniors and Accessibility (Ontario) · 2005 (IASR) | n/a | — | Public-sector organizations of any size and private/nonprofit organizations with 50+ employees operating in Ontario. |
| Accessible Canada Act Accessibility Standards Canada · S.C. 2019, c. 10 | n/a | — | Federally regulated entities in Canada — federal departments, banks, telecoms, broadcasters, interprovincial transport. |
| Référentiel Général d'Amélioration de l'Accessibilité DINUM (Direction interministérielle du numérique) · 4.1.2 | n/a | — | French public sector and large private organizations (>€250M revenue or operating digital services to the public in France). |
| Barrierefreie-Informationstechnik-Verordnung 2.0 Bundesministerium für Arbeit und Soziales · 2019 amendment | n/a | — | German federal public-sector websites, mobile apps, intranets, and extranets. |
| JIS X 8341-3:2016 Japanese Industrial Standards Committee · 2016 | n/a | — | Japan — required for national and local government public-facing websites; recommended for the private sector. |
| Korean Web Content Accessibility Guidelines 2.2 Ministry of Science and ICT (South Korea) · 2.2 | n/a | — | All public and private organizations operating websites accessible from South Korea. |
| Israeli Standard 5568 Standards Institution of Israel · 2013 | n/a | — | All public agencies and any business serving Israeli consumers via a website. |
| 21st Century Communications and Video Accessibility Act Federal Communications Commission · Pub. L. 111–260 (2010) | n/a | — | U.S.-facing services that distribute video previously aired on TV, or that provide advanced communications services (VoIP, video calls, messaging). |
| Public Sector Bodies Accessibility Regulations 2018 Government Digital Service · SI 2018/952 | n/a | — | UK public-sector bodies — government departments, local councils, NHS trusts, universities, and most public-funded organizations. |
| UK Equality Act 2010 (digital provisions) Equality and Human Rights Commission · 2010 c. 15 | n/a | — | Any organization providing services to the UK public — including online services, e-commerce, and SaaS. |
| WAI-ARIA Authoring Practices Guide W3C Web Accessibility Initiative · Editor's Draft | n/a | — | Reference standard for any team building custom interactive components or design-system primitives. |
Email health
| Standard | Verdict | Factors | Note |
|---|---|---|---|
| DMARC IETF · RFC 7489 | n/a | — | Every domain that sends email — and every domain that doesn't (to prevent spoofing). |
| SPF IETF · RFC 7208 | n/a | — | Every domain that sends email. |
| DKIM IETF · RFC 6376 | n/a | — | Every domain that sends email. |
| BIMI AuthIndicators Working Group · Working draft | n/a | — | Optional but high-leverage for email-driven businesses. |
| MTA-STS IETF · RFC 8461 | n/a | — | Domains receiving email at scale, especially those handling sensitive correspondence. |
| SMTP TLS Reporting (TLS-RPT) IETF · RFC 8460 | n/a | — | Every domain that publishes an MTA-STS or DANE policy. |
| Authenticated Received Chain (ARC) IETF · RFC 8617 | n/a | — | Domains operating mailing lists, forwarders, or security gateways — and anyone whose users heavily forward mail. |
| DMARC Failure Reports (RUF) IETF · RFC 7489 §7.3 | n/a | — | Senders investigating active spoofing campaigns or running mature email-security operations. |
| DKIM key rotation IETF / M3AAWG · RFC 6376 + M3AAWG BCP | n/a | — | Every domain that signs outbound mail with DKIM. |
| SPF 10-DNS-lookup limit IETF · RFC 7208 §4.6.4 | n/a | — | Any domain whose SPF record uses three or more `include:` terms. |
| Bulk-sender requirements (Apple / Google / Yahoo) Google / Yahoo / Apple · Effective Feb 2024 | n/a | — | Anyone sending more than 5,000 messages/day to Gmail or Yahoo addresses — most marketing senders. |
| Mailbox provider feedback loops (FBL) Yahoo / Microsoft / Google · Per-provider | n/a | — | Any sender pushing meaningful volume to Yahoo, Microsoft, or Google inboxes. |
Standards are evaluated against the current scan. See the standards library for the canonical reference.