Every check Vettd runs.
82 on the live site, 34 in the codebase.
Two scanners share one finding model: each rule has a severity, a description, and a fix. Site Scan runs against any URL in a real browser. Code Review runs continuously against your GitHub repository on every push.
Run a Vettd scan from Claude Code, Cursor, or Windsurf.
Install shipvettd, point your MCP-aware client at it, and your agent can audit any URL — and reason over the findings — without leaving the editor.
Scans any URL in a real browser. Inspects HTTP headers, rendered HTML, observed cookies, computed Web Vitals, and structured data. No signup; results in 30 seconds.
Security
18 checks
Is it safe?
Site must be served over HTTPS — browsers mark HTTP sites as "Not Secure"
Strict-Transport-Security tells browsers to use HTTPS only for your host, so a later plain-HTTP request cannot be intercepted and downgraded (SSL stripping); it protects from the second visit on, or from the first if the domain is preloaded
CSP limits what an XSS can do by controlling which scripts, styles, and other resources the page may load; a policy that allows 'unsafe-inline' scripts gives little protection
Prevents browsers from MIME-sniffing responses, which can lead to XSS via uploaded files
Prevents your site from being embedded in iframes on other sites (clickjacking), via CSP frame-ancestors or the older X-Frame-Options header
HTTPS pages must not load any resources over plain HTTP
No API keys, tokens, or credentials visible in page source — attackers actively scan for these
Form submissions should use HTTPS to protect user data in transit
Server and framework versions in headers (Server, X-Powered-By) let attackers match your stack against known exploits without probing
Maps all API endpoints called from your frontend — exposed endpoints are attack surface
Source map files (.js.map) let anyone read your original unminified source code
Admin, debug, and API documentation pages should not be publicly accessible
Access-Control-Allow-Origin: * lets any website read responses from your APIs; browsers refuse to send cookies with a wildcard, so what leaks is every response readable without a session, plus any API that trusts the network instead of a login
References to localhost or internal IPs in production code indicate dev leftovers
Controls how much URL info leaks to third-party sites when users click external links
Controls which browser features (camera, mic, geolocation) third-party scripts can access
Cookies should have Secure, HttpOnly, and SameSite flags to prevent theft and CSRF
Framework env variables in frontend code reveal your tech stack and internal config to attackers
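As an added illustration, not Vettd's code, here is a small Node.js script that implements several of the header and cookie checks listed above and reports findings in the page's severity/description/fix shape. It runs over two constructed responses, one typical of a default-configured app and one with each fix applied; the rule names, severities and sample headers are assumptions for illustration, and nothing here contacts a real site.

```javascript
// Added example, not Vettd's code: a header/cookie audit implementing several of the
// Security checks above. Rule names, severities and both responses are constructed.

const WEAK_RESPONSE = {            // constructed: a typical default-configured app
  url: 'https://example.com/account',
  headers: {
    'server': 'nginx/1.18.0',
    'x-powered-by': 'Express',
    'access-control-allow-origin': '*',
    'set-cookie': [
      'session=abc123; Path=/; HttpOnly',          // missing Secure and SameSite
      'theme=dark; Path=/; Secure; SameSite=Lax',  // missing HttpOnly
    ],
  },
};

const HARDENED_RESPONSE = {        // constructed: the same page with each fix applied
  url: 'https://example.com/account',
  headers: {
    'server': 'nginx',
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
    'content-security-policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    'x-content-type-options': 'nosniff',
    'access-control-allow-origin': 'https://app.example.com',
    'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  },
};

// Parse one Set-Cookie line into the three flags the cookie check looks for.
function parseSetCookie(line) {
  const [nameValue, ...attrs] = line.split(';').map(s => s.trim());
  const attr = new Map(attrs.map(a => {
    const [k, v = ''] = a.split('=');
    return [k.toLowerCase(), v];
  }));
  return {
    name: nameValue.split('=')[0],
    secure: attr.has('secure'),
    httpOnly: attr.has('httponly'),
    sameSite: attr.get('samesite') || null,   // 'Lax', 'Strict', 'None' or absent
  };
}

// Returns findings in the shape the page describes: severity, description, fix.
function auditResponse(resp) {
  const h = Object.fromEntries(
    Object.entries(resp.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const flag = (severity, rule, description, fix) =>
    findings.push({ severity, rule, description, fix });

  if (!resp.url.startsWith('https://')) {
    flag('high', 'https', 'Page served over plain HTTP', 'Redirect every request to HTTPS');
  } else if (!/max-age=\d+/i.test(h['strict-transport-security'] || '')) {
    flag('high', 'hsts', 'No usable Strict-Transport-Security header',
      'Strict-Transport-Security: max-age=31536000; includeSubDomains');
  }
  const csp = h['content-security-policy'] || '';
  if (!csp) {
    flag('medium', 'csp', 'No Content-Security-Policy', "Start from default-src 'self' and tighten");
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    flag('low', 'nosniff', 'MIME sniffing not disabled', 'X-Content-Type-Options: nosniff');
  }
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    flag('medium', 'clickjacking', 'Any site may frame this page',
      "Content-Security-Policy: frame-ancestors 'none' (or X-Frame-Options: DENY)");
  }
  for (const name of ['server', 'x-powered-by']) {
    // A bare product name is tolerable; a version number is what narrows exploit search.
    if (h[name] && (name === 'x-powered-by' || /\d/.test(h[name]))) {
      flag('low', 'version-disclosure', `${name}: ${h[name]} reveals the stack`,
        `Remove the ${name} header or strip its version`);
    }
  }
  if (h['access-control-allow-origin'] === '*') {
    // Browsers refuse credentialed requests against *, so what leaks is every response readable without cookies.
    flag('medium', 'cors-wildcard', 'Any origin may read responses from this URL',
      'Echo an allowlisted Origin instead of *');
  }
  for (const line of h['set-cookie'] || []) {
    const c = parseSetCookie(line);
    const missing = [];
    if (!c.secure) missing.push('Secure');
    if (!c.httpOnly) missing.push('HttpOnly');
    if (!c.sameSite) missing.push('SameSite');
    if (missing.length) {
      flag('medium', 'cookie-flags', `Cookie ${c.name} lacks ${missing.join(', ')}`,
        'Set-Cookie: ...; Secure; HttpOnly; SameSite=Lax');
    }
  }
  return findings;
}

for (const f of auditResponse(WEAK_RESPONSE)) {
  console.log(`[${f.severity}] ${f.rule}: ${f.description} -> ${f.fix}`);
}
console.log('hardened response findings:', auditResponse(HARDENED_RESPONSE).length);
```

Against the weak response the script reports nine findings (HSTS, CSP, nosniff, clickjacking, two version disclosures, the CORS wildcard and one flag problem per cookie); against the hardened response it reports none. A real scan would feed `auditResponse` the headers captured from the browser, one call per response observed.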
SEO
14 checks
Will people find it?
Every page needs a unique, descriptive title between 30 and 60 characters
The meta description appears in search results — it's your pitch to get clicks
OpenGraph tags control how your link looks when shared on social media, Slack, Discord
Twitter Card tags control how your link appears when shared on X/Twitter
Each page should have exactly one H1 — it tells search engines what the page is about
Alt text helps search engines understand images and is required for screen readers
robots.txt tells search engines what to crawl — missing or misconfigured = SEO problems
A sitemap tells search engines about all your pages — critical for indexing
JSON-LD structured data helps search engines understand your content and show rich results
Canonical URL prevents duplicate content issues when the same page is accessible at multiple URLs
Check that the page isn't accidentally blocking search engines from indexing it
Pages with very little text content are unlikely to rank in search results
Duplicate title or description tags confuse search engines — common when AI adds tags the framework already generates
Headings should follow a logical hierarchy (H1 → H2 → H3) without skipping levels — critical for accessibility and SEO
Performance
9 checks
Is it fast?
Time for the server to return HTML — slow servers hurt user experience and SEO
Oversized HTML slows down initial render — common with server-rendered apps that inline too much
Images should use modern formats (webp/avif) and have appropriate sizes
Gzip or Brotli compression reduces transfer size by 60-80%
Without a viewport tag, your site renders at desktop width on mobile and gets zoomed out
Every external script is a performance cost and a trust decision — audit what you load
Scripts and stylesheets in <head> block page rendering until they load
Custom fonts can cause invisible text (FOIT) if not loaded with font-display: swap
preconnect and preload hints tell the browser to start loading critical resources early
Legal
5 checks
Is it compliant?
Required by GDPR, CCPA, and every app store. Must cover what data you collect and why.
Terms define how users can use your service and protect you legally
EU ePrivacy rules and GDPR require consent before setting non-essential cookies; GDPR fines go up to €20M or 4% of global annual turnover, whichever is higher
Every third-party tracker on your site should be disclosed in your privacy policy
Forms that collect personal data (email, phone, name) need privacy disclosure
CRO
7 checks
Will it convert?
A clear call-to-action button or link should appear in the hero/header area of the page
CTA buttons should be visually prominent with strong contrast against their background
The main H1 headline should clearly communicate what your product or service does
Supporting text below the headline should explain the benefit or describe the product
Trust signals like testimonials, review counts, client logos, or "trusted by X companies" text
Each form should have 5 or fewer visible fields — more fields = more friction = fewer conversions
Buttons should say what happens when you click them, not just "Submit" or "Click here"
Reliability
5 checks
Will it stay up?
Without error tracking, users hit bugs and you never know — Sentry, LogRocket, or similar
Without traffic analytics you have no idea who visits your site, where they come from, or what they do — error tracking alone is not enough
Favicon appears in browser tabs, bookmarks, and search results — default framework icons look unprofessional
When users hit a broken link, a custom 404 page keeps them on your site instead of showing a generic error
Your og:image should actually load — broken preview images make shared links look bad
Completeness
18 checks
Is it actually finished?
No links pointing to #, empty href, or javascript:void(0)
Social media links should point to actual profiles, not # or empty
Internal links should not return 404 errors
Anchor links (#section) should point to existing element IDs
All images should load successfully
No lorem ipsum, "Your Company", or other placeholder text
No images from placeholder services (placeholder.com, picsum, etc.)
No placeholder emails, phone numbers, or addresses
No TODO or FIXME comments visible in page source
No console.log() statements in production code — checks inline scripts and JS bundles
Page title, description, and favicon should not be framework defaults
Copyright year should match the current year
Sections with class names suggesting content but no actual text — skeleton left by AI
Crawls your top internal pages and checks if they have real content or are stubs
The <html> tag must have a lang attribute — screen readers and search engines need it to process your content correctly
Using <main>, <nav>, <footer>, <article> instead of just <div> helps search engines and screen readers understand your page
SPAs that show nothing without JavaScript are invisible to some crawlers and users with JS disabled
Form inputs need <label> elements, not just placeholder text — required for accessibility and better UX
AI Search
6 checks
Can ChatGPT, Claude, Perplexity cite it?
llms.txt is an emerging standard (llmstxt.org) that points AI agents at your canonical docs/source bundle without making them crawl your whole site.
For AI engines like ChatGPT, Claude, and Perplexity to cite your site in their answers, their crawlers (GPTBot, ClaudeBot, etc.) need to be allowed in robots.txt. Default-allow is fine; an explicit Disallow in a group naming the bot, or a blanket User-agent: * Disallow: / with no bot-specific group, blocks them entirely.
AI engines lean on Schema.org types like Article, Product, Organization, FAQPage to extract clean facts. A site without these gets paraphrased less accurately and cited less often.
FAQPage schema is the single most-cited format in AI answers — questions you ask + answers you give get pulled directly into ChatGPT/Perplexity responses.
AI engines weight content from named authors and recognised organisations more heavily. Adding Person or Organization schema with sameAs links to social profiles boosts citation trust.
Most AI crawlers (GPTBot, ClaudeBot, etc.) do NOT execute JavaScript. If your headlines, body copy, or core content only appear after hydration, AI engines see an empty page and can't cite you.
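The robots.txt check above hinges on how a crawler picks the group it obeys. As an added example, not Vettd's code, the Node.js script below evaluates whether a named crawler may fetch a path under a robots.txt, following the RFC 9309 rules: a crawler obeys only the group naming its product token, otherwise the * group, otherwise everything is allowed; among matching rules the longest path wins and Allow wins a tie. The robots.txt text and the crawler names checked are constructed assumptions.

```javascript
// Added example, not Vettd's code: decide whether a named AI crawler may fetch a path
// under a robots.txt, using RFC 9309 group selection and rule precedence.
// The robots.txt text and the crawler names checked are constructed assumptions.

const SAMPLE_ROBOTS = `
# Blanket rules for everyone without their own group
User-agent: *
Disallow: /admin/
Disallow: /api/

# Explicit group: only the docs are open to these two
User-agent: GPTBot
User-agent: ClaudeBot
Allow: /docs/
Disallow: /

User-agent: PerplexityBot
Disallow:
`;

// Split robots.txt into groups: consecutive User-agent lines share the rules that follow.
function parseRobots(text) {
  const groups = [];
  let current = null, inAgentList = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, '').trim();
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const field = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (field === 'user-agent') {
      if (!inAgentList) { current = { agents: [], rules: [] }; groups.push(current); }
      current.agents.push(value.toLowerCase());
      inAgentList = true;
    } else {
      inAgentList = false;
      if (current && value && (field === 'allow' || field === 'disallow')) {
        current.rules.push({ allow: field === 'allow', path: value });  // empty "Disallow:" is a no-op
      }
    }
  }
  return groups;
}

// Path matching with the two robots.txt metacharacters: * (any run) and trailing $ (end anchor).
function matchesPath(pattern, path) {
  const anchored = pattern.endsWith('$');
  const body = anchored ? pattern.slice(0, -1) : pattern;
  const re = body.split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp('^' + re + (anchored ? '$' : '')).test(path);
}

// A crawler obeys only the group naming its product token (case-insensitive); if none does,
// it obeys the * group; if there is no * group either, everything is allowed.
function isAllowed(groups, agent, path) {
  const token = agent.toLowerCase();
  let selected = groups.filter(g => g.agents.includes(token));
  if (selected.length === 0) selected = groups.filter(g => g.agents.includes('*'));
  let best = null;
  for (const r of selected.flatMap(g => g.rules)) {
    if (!matchesPath(r.path, path)) continue;
    // Longest matching path wins; on a tie the Allow rule wins.
    if (!best || r.path.length > best.path.length ||
        (r.path.length === best.path.length && r.allow && !best.allow)) best = r;
  }
  return best ? best.allow : true;
}

// Summarise access for the crawlers an AI-search check would care about.
function crawlerAccess(robotsText, agents, paths) {
  const groups = parseRobots(robotsText);
  const report = {};
  for (const a of agents) {
    report[a] = Object.fromEntries(paths.map(p => [p, isAllowed(groups, a, p)]));
  }
  return report;
}

console.log(crawlerAccess(SAMPLE_ROBOTS,
  ['GPTBot', 'ClaudeBot', 'PerplexityBot', 'Google-Extended'], ['/', '/docs/guide', '/api/v1']));
```

On the sample file GPTBot and ClaudeBot are blocked from / but allowed under /docs/, PerplexityBot is allowed everywhere because its group has no effective rule, and a crawler with no group of its own (Google-Extended here) falls back to the * group and loses only /admin/ and /api/. The two cases worth remembering from the check's wording: a crawler-specific group replaces the * group rather than adding to it, and an empty robots.txt, or one with no matching group, allows everything.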
See what Vettd finds on your code.
116 checks combined. Real browser. Real repository. With the fix.