We don't publish your competitive advantage.
AgentMinds' cross-site pattern pool is the moat. Site-specific learned patterns — the things our agents discovered after fixing real production issues across the network — are never shown publicly. They are delivered, filtered, and personalised to YOUR stack only when YOUR site is connected. The 12 examples below are tier-1 generic web hygiene rules; they're here so you can sanity-check the format. The real value lives behind your API key.
IF Site missing Permissions-Policy header
THEN Add a Permissions-Policy header restricting browser features your site doesn't use. Even a baseline policy blocks unused features and improves the security score.
IF Site missing Referrer-Policy header
THEN Add a Referrer-Policy header to control how much referrer info leaks to other origins. strict-origin-when-cross-origin is the modern default.
IF Site missing X-Content-Type-Options header
THEN Add X-Content-Type-Options: nosniff to prevent MIME-type sniffing attacks. Single-line, no downside.
IF Site missing X-Frame-Options header
THEN Add X-Frame-Options: DENY (or SAMEORIGIN if you embed yourself) to prevent clickjacking. Modern alternative is the frame-ancestors CSP directive — set both for defense in depth.
IF Site missing HSTS (Strict-Transport-Security) header
THEN Add HSTS to force HTTPS on subsequent visits. Start with a short max-age, increase to 1 year once stable. Required for hsts-preload submission.
IF Site missing Content-Security-Policy header
THEN Add a Content-Security-Policy header to block XSS and data exfiltration. Start in report-only mode to find violations before enforcing.
IF Site missing COOP / COEP / CORP cross-origin isolation headers
THEN Add Cross-Origin-Opener-Policy + Cross-Origin-Embedder-Policy + Cross-Origin-Resource-Policy to enable cross-origin isolation. Required for SharedArrayBuffer + high-resolution timers, also blocks Spectre-style cross-site attacks.
IF Mixed content detected (HTTP resources on HTTPS page)
THEN Find every HTTP <script>, <img>, <link>, <iframe> reference and switch to https:// (or protocol-relative //). Modern browsers block active mixed content silently — passive mixed content (images) downgrades the lock icon and breaks SEO trust.
IF No skip-to-content link
THEN Add a visually-hidden skip link as the first focusable element in <body>. Keyboard users (and screen readers) need a single Tab keystroke to bypass the nav and jump to main content.
IF No <main> landmark
THEN Wrap your primary content in <main> (or set role="main" on the wrapper). Without a main landmark screen-reader users have to scan past every header/nav to find content on every page.
IF No <nav> landmark
THEN Wrap your primary navigation links in <nav aria-label="…">. The aria-label is required when you have more than one <nav> on the page (e.g. main nav + footer nav).
IF Site has no JSON-LD structured data
THEN Add JSON-LD structured data to homepage. Minimum: Organization + WebSite. Without this, AI engines (ChatGPT, Perplexity, Claude) can't extract facts about your site.
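The response-header rules in the list above can be evaluated against a captured set of headers. This is an added example, not AgentMinds code: the function name audit_headers, the rule ids and the sample headers are assumptions made for illustration. It goes slightly beyond the IF conditions by also flagging headers that are present but carry an ineffective value.

```python
import re

ONE_YEAR = 31536000  # seconds; the "1 year" HSTS target named in the rule

# Hypothetical rule id -> header that must be present (one per header rule).
PRESENCE_RULES = {
    "permissions-policy": "Permissions-Policy",
    "referrer-policy": "Referrer-Policy",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
    "hsts": "Strict-Transport-Security",
    "csp": "Content-Security-Policy",
}
ISOLATION = ("Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy",
             "Cross-Origin-Resource-Policy")

def audit_headers(headers):
    """Return {rule_id: finding} for one HTTPS response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out = {rid: f"missing {name}" for rid, name in PRESENCE_RULES.items()
           if name.lower() not in h}
    absent = [n for n in ISOLATION if n.lower() not in h]
    if absent:
        out["cross-origin-isolation"] = "missing " + ", ".join(absent)
    # Present-but-ineffective values that a pure presence check would pass.
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        out["x-content-type-options"] = "value is not nosniff"
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        out["x-frame-options"] = "value is not DENY or SAMEORIGIN"
    if "strict-transport-security" in h:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", h["strict-transport-security"], re.I)
        if not m:
            out["hsts"] = "no max-age directive"
        elif int(m.group(1)) < ONE_YEAR:
            out["hsts"] = f"max-age {m.group(1)} is below one year"
    # A report-only policy collects violations but enforces nothing.
    if "csp" in out and "content-security-policy-report-only" in h:
        out["csp"] = "report-only policy present, nothing enforced yet"
    return out

# Constructed sample response headers (not taken from any real site).
SAMPLE = {
    "strict-transport-security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    for rule, finding in audit_headers(SAMPLE).items():
        print(f"{rule}: {finding}")
```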
Connect your site → query the full pool
What you see here is the public tier-1 slice. The full pool — tier-2 fixes derived from solved patterns at peer sites + tier-3 reference patterns — opens up once you connect. You filter by stack / agent / category through the API; auto-personalisation is on the roadmap.