Audit Reference
All audit checks — explained
Every one of the 116 checks Pantra runs on your site, with what it measures, why it matters, and how to fix it. Works for Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, and Base44.
SEO
21 checks
Meta Title
Checks that every page has a unique, keyword-rich <title> tag between 10-60 characters.
Meta Description
Checks that every page has a unique meta description between 50-160 characters.
H1 Tag
Checks that every page has exactly one H1 tag containing the primary keyword.
Heading Hierarchy
Checks heading order — H1 → H2 → H3 without skipping levels.
Canonical Tag
Checks that the canonical URL is set correctly and points to the preferred version.
Meta Robots
Checks for unintentional noindex or nofollow meta-robots directives.
Open Graph Tags
Checks for og:title, og:description, og:image, and og:url in the <head>.
Twitter Cards
Checks for twitter:card, twitter:title, twitter:description, and twitter:image tags.
Hreflang Tags
Checks hreflang tags on multilingual sites for correctness and reciprocity.
Sitemap.xml
Checks that sitemap.xml exists at the root, is valid XML, and lists indexable URLs.
robots.txt
Checks robots.txt for correct syntax and that it allows search and AI crawlers.
Sitemap Lastmod
Checks that sitemap URLs include a <lastmod> timestamp reflecting real content changes.
No Noindex URLs in Sitemap
Checks that sitemap URLs are not marked noindex.
No Redirects in Sitemap
Checks that sitemap URLs return 200 directly, not via 301 or 302 redirects.
Page Word Count
Checks content density per page — thin pages (under 300 words) rank poorly.
Internal Linking
Checks internal link count and distribution — too few hurts crawl, too many dilutes link equity.
External Citations
Checks for outbound links to authoritative sources — signals content quality and helps AI citations.
Question Headings
Checks for question-style H2/H3 headings — improves AI citations and featured snippet eligibility.
Duplicate Content
Checks for signs of duplicated content across URLs — a silent killer of ranking.
Image Alt Text
Checks that every content image has meaningful alt text.
Core Web Vitals
Checks Core Web Vitals from the SEO angle: LCP, CLS, and INP are ranking signals on mobile.
Security
28 checks
HTTPS Enabled
Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
TLS Version
Checks that the server uses TLS 1.2 or higher — older versions are broken.
Mixed Content
Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
SSL Certificate
Checks that the SSL certificate is valid, not expired, and not expiring soon.
HSTS Header
Checks for Strict-Transport-Security header — blocks HTTPS downgrade attacks.
Content-Security-Policy
Checks for CSP header that restricts script sources — major XSS defense.
X-Content-Type-Options
Checks for X-Content-Type-Options: nosniff — prevents MIME sniffing attacks.
X-Frame-Options
Checks for X-Frame-Options — prevents clickjacking by blocking iframe embedding.
Referrer-Policy
Checks Referrer-Policy header — controls how much referrer info leaks to other sites.
Permissions-Policy
Checks for Permissions-Policy header — restricts browser feature access (camera, mic, etc.).
Server Header Hidden
Checks that the Server response header does not leak version info.
Exposed API Keys
Checks the client JS bundle for exposed secrets (Stripe, OpenAI, Supabase service keys, etc.).
Supabase Row Level Security
Checks that Supabase tables have Row Level Security (RLS) enabled with policies.
SPF Record
Checks DNS for an SPF record — prevents others from sending email as your domain.
DMARC Record
Checks DNS for a DMARC record — tells receivers what to do with spoofed mail.
CAA Record
Checks DNS for a CAA record — restricts which CAs can issue certs for your domain.
Cookie Security Flags
Checks that session and auth cookies set Secure, HttpOnly, and SameSite flags.
Subresource Integrity
Checks that third-party scripts use SRI hashes to prevent tampering.
Form Security
Checks forms for HTTPS action, CSRF tokens, and autocomplete attributes.
X-Powered-By Hidden
Checks that X-Powered-By response header does not leak framework/tech stack.
Directory Listing
Checks for exposed directory listings at common paths (/.git, /.env, /admin, etc.).
Source Maps
Checks for exposed source maps that reveal original source code.
Inline Scripts
Checks for inline <script> blocks that break strict CSP and invite XSS.
Open Redirects
Checks for URL parameters that redirect to arbitrary external domains — phishing helper.
Iframe Sandboxing
Checks embedded iframes for sandbox attribute restricting capabilities.
Deprecated/Insecure APIs
Checks for use of deprecated or known-insecure JavaScript APIs (eval, document.write, innerHTML).
External Link Safety
Checks external links with target="_blank" for rel="noopener".
Information Disclosure
Checks for error pages, stack traces, and debug output leaking internal info.
AI Search (GEO)
5 checks
AI Crawlers Allowed
Checks that GPTBot, ClaudeBot, PerplexityBot, and Google-Extended are not blocked in robots.txt.
JSON-LD Structured Data
Checks for JSON-LD structured data in the page <head> — essential for rich results and AI citations.
Server-Side Rendering
Checks that main content renders in the initial HTML response, not only after JavaScript executes.
llms.txt File
Checks for a /llms.txt file — an AI-specific guide to your site content.
Static Content Density
Checks how much meaningful text ships in the initial HTML without JS execution.
Technical
28 checks
SSR / Pre-rendering
Checks if the page is server-rendered or statically pre-rendered.
HTTP Status Codes
Checks that pages return proper status codes — 200 for live, 404 for missing, 301 for moved.
No Client-Side Redirects
Checks that redirects happen server-side, not via JavaScript.
Viewport Meta Tag
Checks for <meta name="viewport" content="width=device-width, initial-scale=1">.
HTML lang Attribute
Checks that <html> has a lang attribute matching the page language.
UTF-8 Charset
Checks for <meta charset="utf-8"> at the top of <head>.
No Redirect Chains
Checks that redirects go directly to the final URL — no A→B→C chains.
WWW Consistency
Checks that only one of www or apex is canonical, with the other redirecting.
Trailing Slash Consistency
Checks that URLs consistently use or omit the trailing slash.
Broken Internal Links
Checks for internal links pointing to 404 or 500 responses.
Custom 404 Page
Checks that the 404 page is branded with helpful navigation and search.
Canonical URL Match
Checks that the canonical URL matches the current page URL (or an intentional alternate).
Response Compression
Checks that HTML/CSS/JS responses are served with gzip or brotli compression.
Preconnect Hints
Checks for <link rel="preconnect"> to critical third-party origins.
Resource Hints
Checks for dns-prefetch, preload, and prefetch hints for performance.
Favicon
Checks for a valid favicon at the site root and in <link rel="icon">.
HTML Doctype
Checks for <!DOCTYPE html> at the start of the document.
Server Response Time (TTFB)
Checks Time To First Byte — how fast your server responds.
HTML Document Size
Checks that the initial HTML payload is under 1MB.
Inline CSS
Checks for inline <style> blocks and style attributes — affects CSP and caching.
Inline JavaScript
Checks for inline <script> blocks — affects CSP and caching.
X-Robots-Tag Header
Checks X-Robots-Tag HTTP header for unintentional noindex directives.
HTTPS Protocol Links
Checks that internal links use https:// consistently.
Text-to-HTML Ratio
Checks the ratio of body text to HTML markup — thin/code-heavy pages flagged.
Deprecated HTML Elements
Checks for deprecated HTML tags like <center>, <font>, <marquee>.
Iframe Usage
Checks iframe count and usage — too many hurts performance.
Image Lazy Loading
Checks that below-the-fold images use loading="lazy" while above-the-fold do not.
Render-Blocking Resources
Checks for CSS/JS in the <head> that blocks first paint.
Structured Data
12 checks
Valid JSON-LD Syntax
Checks that all JSON-LD blocks parse as valid JSON and reference schema.org.
Organization Schema
Checks for Organization JSON-LD on the homepage — entity signal + knowledge panel.
WebSite Schema
Checks for WebSite JSON-LD with SearchAction — enables sitelinks search box.
BreadcrumbList Schema
Checks for BreadcrumbList JSON-LD on sub-pages — replaces ugly URLs in SERP with clean breadcrumbs.
FAQPage Schema
Checks for FAQPage schema on pages with visible FAQs — rich results + AI citation boost.
WebApplication Schema
Checks for WebApplication JSON-LD on SaaS app pages.
Person Schema
Checks for Person schema on author/team/about pages.
Article Schema
Checks for Article JSON-LD on blog posts and news pages.
DefinedTerm Schema
Checks for DefinedTerm schema on glossary pages.
VideoObject Schema
Checks VideoObject schema on video-embedded pages.
Product Schema
Checks Product schema on ecommerce product pages.
No Deprecated Schema Properties
Checks for deprecated schema.org properties that may be removed in the future.
Performance
12 checks
LCP (Largest Contentful Paint)
Checks Largest Contentful Paint — how fast the main content appears. Target under 2.5s.
CLS (Cumulative Layout Shift)
Checks Cumulative Layout Shift — how much the page jumps during load. Target under 0.1.
INP (Interaction to Next Paint)
Checks Interaction to Next Paint — responsiveness to clicks/taps. Target under 200ms.
FCP (First Contentful Paint)
Checks First Contentful Paint — when the first text or image appears. Target under 1.8s.
TTFB (Time to First Byte)
Checks Time To First Byte — server response time. Target under 600ms.
Text Compression
Checks that text assets (HTML, CSS, JS) are served with gzip or brotli.
Modern Image Formats
Checks images are served as WebP or AVIF — 30-50% smaller than JPEG/PNG.
Image Dimensions Set
Checks that images have width/height attributes to prevent CLS.
Below-Fold Lazy Loading
Checks below-the-fold images and iframes use loading="lazy".
JavaScript Payload Size
Checks total JavaScript downloaded — target under 300KB compressed.
Third-Party Scripts
Checks the count and impact of third-party scripts (analytics, chat, ads).
Deferred Scripts
Checks that non-critical scripts use async or defer attributes.
Images
10 checks
All Images Have Alt
Checks that every <img> has an alt attribute (empty or descriptive).
Descriptive Alt Text
Checks that alt text is meaningful — not "image", "photo", or the filename.
OG Image Present
Checks that every page has a valid og:image for social sharing previews.
OG Image Dimensions
Checks that og:image is ≥ 1200×630 — optimal for all social platforms.
OG Image Self-Hosted
Checks that og:image is hosted on your domain, not a third-party CDN.
Modern Image Formats on Content
Checks content images use WebP or AVIF, not legacy JPEG/PNG for photos.
Image width + height Set
Checks every <img> has explicit width and height attributes.
Image Lazy Loading
Checks that images below the fold use loading="lazy", but that the LCP image does not.
Image Count per Page
Checks total image count per page — more than 30 is a performance warning.
Broken Images
Checks that no <img src> returns 404 or 500.