Sample report. An illustrative example - run a free audit of your own site to get a real one.
Website intelligence report
northwind-coffee.com
68/100 · Grade D
Audited 8 of 10 pages (2 unreachable)
Heads up: some tracking signals weren't detected. This site runs Google Tag Manager, which often injects GA4, Consent Mode and cookie banners at runtime, so a static crawl can't see them - your real Tracking score may be higher. Verify in your tag manager or Google Tag Assistant.
Executive summary
Northwind Coffee scores 68/100 (grade D) - a solid technical base with a few high-leverage wins in discoverability and tracking.
- Strongest: Tech (80). HTTPS, a mobile viewport and fast responses are all in place.
- Biggest opportunity: Tracking (55). The site loads analytics but has no consent banner and sets no Consent Mode defaults - both a compliance risk and a data-quality problem.
- Quick wins: add Open Graph tags (shared links look broken without them) and an HSTS header - low effort, high impact.
Start with the two high-severity items in the action plan; they move the score furthest for the least work.
Findings & action plan
Sorted by impact vs. effort - the top of the list is where to start. Click any item for why it matters and how to fix it. A "needs approval" tag means the fix touches consent or tracking, so it usually needs sign-off (legal or marketing) before you ship it.
- Add Open Graph tags so shared links show a title, description and image (high · impact 4/5 · effort 2/5 · quick win · 8 pages affected)
Why it matters. Open Graph tags control how your links look when shared on social and messaging apps. Without them, links render as bare, unappealing URLs.
How to fix. Add og:title, og:description and og:image to your <head>.
<meta property="og:title" content="...">
<meta property="og:image" content="https://.../card.png">
Where we checked. Across all 8 crawled pages.
Problem on:
/ - missing og:title and og:image
/menu - missing og:title and og:image
/about - missing og:title and og:image
/locations - missing og:title and og:image
/wholesale - missing og:title and og:image
/blog/cold-brew-guide - missing og:title and og:image
/contact - missing og:title and og:image
/careers - missing og:title and og:image
- Add a consent banner (CMP) so analytics and ad tags load only after consent (high · impact 5/5 · effort 3/5 · needs approval)
Why it matters. If you set non-essential cookies (analytics, ads) before consent, you likely breach GDPR/ePrivacy and risk fines.
How to fix. Add a consent banner (Cookiebot, Usercentrics, iubenda, etc.) that blocks tags until the visitor consents. Note: a GTM-injected banner is not visible to this crawl.
Where we checked. Tag/script detection across all 8 crawled pages plus the GTM container.
- Add an HSTS header (Strict-Transport-Security) to enforce HTTPS (medium · impact 3/5 · effort 1/5 · quick win)
Why it matters. HSTS forces browsers to always use HTTPS for your site, closing a window where a visitor's first request could be downgraded to insecure HTTP and intercepted.
How to fix. Send a Strict-Transport-Security response header from your server or CDN (start with a short max-age, then raise it once you are confident).
Strict-Transport-Security: max-age=31536000; includeSubDomains
Where we checked. The root URL's response headers.
- Set Consent Mode defaults before the tag loader runs (medium · impact 4/5 · effort 3/5 · needs approval)
Why it matters. Google Consent Mode only protects EEA/UK visitors if the consent 'default' (deny) runs BEFORE your tags load. If the loader runs first, tags can fire before consent is applied - a GDPR/ePrivacy exposure.
How to fix. Set gtag('consent','default',{...denied}) in the <head> BEFORE the gtag.js / GTM loader script.
<script>gtag('consent','default',{ad_storage:'denied'})</script> ... then <script src=".../gtm.js">
Where we checked. Tag/script detection across all 8 crawled pages plus the GTM container.
- Add a Content-Security-Policy to reduce cross-site-scripting risk (medium · impact 3/5 · effort 3/5)
Why it matters. A Content-Security-Policy is the strongest defence against cross-site scripting (XSS) and content injection - it tells the browser which sources of script, style and media to trust.
How to fix. Add a Content-Security-Policy header. Start in report-only mode to find what your pages load, then enforce a tightened policy.
Content-Security-Policy: default-src 'self'; script-src 'self'
Where we checked. The root URL's response headers.
- Cite authoritative sources so AI engines trust and quote your pages (medium · impact 3/5 · effort 3/5 · 8 pages affected)
Why it matters. Citing authoritative external sources is the single largest measured boost to AI citation likelihood (Princeton GEO study). It signals trustworthy, evidence-backed content.
How to fix. Link out to authoritative primary sources (.gov/.edu, standards bodies, Wikipedia/Wikidata, DOIs) where you make factual claims.
Where we checked. Across all 8 crawled pages.
Problem on:
/ - missing outbound citation to an authoritative source
/menu - missing outbound citation to an authoritative source
/about - missing outbound citation to an authoritative source
/locations - missing outbound citation to an authoritative source
/wholesale - missing outbound citation to an authoritative source
/blog/cold-brew-guide - missing outbound citation to an authoritative source
/contact - missing outbound citation to an authoritative source
/careers - missing outbound citation to an authoritative source
- Add concrete stats and figures so answers are quotable by AI engines (low · impact 3/5 · effort 2/5 · 4 pages affected)
Why it matters. AI answer-engines preferentially cite content backed by concrete statistics and references.
How to fix. Add specific numbers, data points and links to authoritative sources in your key content.
Where we checked. Across all 8 crawled pages.
Problem on:
/ - 1 of concrete statistics (%, currency, ratios) (expected 3)
/menu - 0 of concrete statistics (%, currency, ratios) (expected 3)
/locations - 2 of concrete statistics (%, currency, ratios) (expected 3)
/contact - 0 of concrete statistics (%, currency, ratios) (expected 3)
- Open each section with a direct, one-sentence answer (low · impact 3/5 · effort 2/5)
Why it matters. AI answer-engines lift self-contained answers from individual sections. Sections that open with a tight, direct answer (not 'It is...' or 'In this section...') are far more likely to be quoted.
How to fix. Start each H2 section with a 1-2 sentence direct answer to that section's question, before the detail. Avoid opening with a pronoun or filler word.
## How much does Acme cost?
Acme starts at $49/month for 5 seats, with a free 14-day trial...
Where we checked. Across all 8 crawled pages.
What we checked
Every criterion Site IQ runs, and how this site did. Deterministic rules - the score is computed from these.
SEO 74/100
Title tag present and well-sized
What we check. Whether each sampled page has a <title> tag between 15 and 60 characters long.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. Your title is the clickable headline in Google and the browser tab. Too long and Google truncates it; too short and you waste a ranking and click opportunity.
How to fix. Give each page a unique 15-60 character title, with the main keyword first and the brand at the end.
<title>Real-time Analytics for Teams | Acme</title>
Indexable (no noindex)
What we check. Whether any sampled page has a noindex directive in its robots meta tag.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. A 'noindex' tag tells Google to drop the page from search entirely. On an important page this silently kills all its traffic.
How to fix. Remove the noindex robots meta from any page you want found in search.
Delete: <meta name="robots" content="noindex">
Meta description (70-160 chars)
What we check. Whether each sampled page has a meta description tag between 70 and 160 characters.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. The meta description is the grey snippet under your title in search results. It does not rank you, but a compelling one wins more clicks.
How to fix. Write a 70-160 character summary with a clear benefit and a reason to click.
<meta name="description" content="Acme helps teams track metrics in real time and ship faster.">
Open Graph tags
What we check. Whether each page has og:title and og:image Open Graph meta tags.
Did not pass on the pages we sampled.
Where we checked. Across all 8 crawled pages.
Problem on:
/ - missing og:title and og:image
/menu - missing og:title and og:image
/about - missing og:title and og:image
/locations - missing og:title and og:image
/wholesale - missing og:title and og:image
/blog/cold-brew-guide - missing og:title and og:image
/contact - missing og:title and og:image
/careers - missing og:title and og:image
Why it matters. Open Graph tags control how your links look when shared on social and messaging apps. Without them, links render as bare, unappealing URLs.
How to fix. Add og:title, og:description and og:image to your <head>.
<meta property="og:title" content="...">
<meta property="og:image" content="https://.../card.png">
Sampled pages return OK
What we check. Whether sampled pages return a successful HTTP status and do not look like soft-404 error pages.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. Pages that return 4xx/5xx errors waste crawl budget, break user journeys, and bleed link equity. A crawler reaching a broken URL is a real problem to fix.
How to fix. Fix or redirect (301) broken URLs, and update the internal links that point to them.
Valid hreflang
Why this is N/A. No hreflang tags were found on any sampled page - this site appears to be single-language, so hreflang does not apply and you are not penalised.
What we check. Whether pages with hreflang attributes use valid ISO language/region codes and include a self-referencing tag.
Tracking 55/100
Analytics present
What we check. Whether GA4, Plausible, Fathom, Matomo or another analytics tag is present in the page source or rendered HTML.
Passed on every sampled page.
Where we checked. Tag/script detection across all 8 crawled pages plus the GTM container.
Why it matters. Without analytics you are flying blind: you cannot see traffic, conversions, or what is working.
How to fix. Install GA4 (or a privacy-friendly tool like Plausible), directly or via Tag Manager. Note: tags loaded through GTM are not visible to this crawl, so verify in Google Tag Assistant.
gtag/js?id=G-XXXXXXXXXX
Google Tag Manager
What we check. Whether a Google Tag Manager container (googletagmanager.com/gtm.js or a GTM-... id) is present in the page source.
Passed on every sampled page.
Where we checked. Tag/script detection across all 8 crawled pages plus the GTM container.
Why it matters. Google Tag Manager lets you manage analytics and marketing tags without code changes. It is the standard, clean way to deploy tracking.
How to fix. Optional, but recommended if you run several tags: install the GTM container and move your tags into it.
Consent / CMP banner
What we check. Whether a known CMP / cookie-consent library (Cookiebot, OneTrust, CookieYes, iubenda, Didomi, etc.) is present in the page source or rendered HTML.
Did not pass on the pages we sampled.
Where we checked. Tag/script detection across all 8 crawled pages plus the GTM container.
Why it matters. If you set non-essential cookies (analytics, ads) before consent, you likely breach GDPR/ePrivacy and risk fines.
How to fix. Add a consent banner (Cookiebot, Usercentrics, iubenda, etc.) that blocks tags until the visitor consents. Note: a GTM-injected banner is not visible to this crawl.
Consent default before tags load
What we check. When both a gtag consent default call and a tag loader are inline in the HTML, whether the consent default appears before the loader.
Did not pass on the pages we sampled.
Where we checked. Tag/script detection across all 8 crawled pages plus the GTM container.
Why it matters. Google Consent Mode only protects EEA/UK visitors if the consent 'default' (deny) runs BEFORE your tags load. If the loader runs first, tags can fire before consent is applied - a GDPR/ePrivacy exposure.
How to fix. Set gtag('consent','default',{...denied}) in the <head> BEFORE the gtag.js / GTM loader script.
<script>gtag('consent','default',{ad_storage:'denied'})</script> ... then <script src=".../gtm.js">
AI-Readiness 61/100
Server-side rendered content
What we check. Whether the no-JavaScript initial HTML (a plain HTTP GET, no browser rendering) already contains most of the text visible after JavaScript runs.
Passed on every sampled page.
Where we checked. The no-JS initial HTML of the home page vs. the rendered page.
Why it matters. AI answer-engines (ChatGPT, Perplexity) and many crawlers do not run JavaScript. Content that only appears after JS renders is invisible to them.
How to fix. Server-side render or pre-render your key content so it is present in the initial HTML response.
Concrete stats and figures
What we check. Whether each page's text contains at least 3 statistics, percentages, currency amounts, or numeric ratios.
Partial - passed on ~50% of the pages we sampled.
Where we checked. Across all 8 crawled pages.
Problem on:
/ - 1 of concrete statistics (%, currency, ratios) (expected 3)
/menu - 0 of concrete statistics (%, currency, ratios) (expected 3)
/locations - 2 of concrete statistics (%, currency, ratios) (expected 3)
/contact - 0 of concrete statistics (%, currency, ratios) (expected 3)
Why it matters. AI answer-engines preferentially cite content backed by concrete statistics and references.
How to fix. Add specific numbers, data points and links to authoritative sources in your key content.
Authoritative citations
What we check. Whether each page links out to at least one authoritative external source (.gov/.edu, Wikipedia, DOI, WHO, Reuters, etc.).
Did not pass on the pages we sampled.
Where we checked. Across all 8 crawled pages.
Problem on:
/ - missing outbound citation to an authoritative source
/menu - missing outbound citation to an authoritative source
/about - missing outbound citation to an authoritative source
/locations - missing outbound citation to an authoritative source
/wholesale - missing outbound citation to an authoritative source
/blog/cold-brew-guide - missing outbound citation to an authoritative source
/contact - missing outbound citation to an authoritative source
/careers - missing outbound citation to an authoritative source
Why it matters. Citing authoritative external sources is the single largest measured boost to AI citation likelihood (Princeton GEO study). It signals trustworthy, evidence-backed content.
How to fix. Link out to authoritative primary sources (.gov/.edu, standards bodies, Wikipedia/Wikidata, DOIs) where you make factual claims.
Sections open with a direct answer
What we check. The fraction of H2 sections (across all pages) that open with a direct-answer sentence of 30-130 words before any sub-heading or list.
Partial - passed on ~50% of the pages we sampled.
Where we checked. Across all 8 crawled pages.
Why it matters. AI answer-engines lift self-contained answers from individual sections. Sections that open with a tight, direct answer (not 'It is...' or 'In this section...') are far more likely to be quoted.
How to fix. Start each H2 section with a 1-2 sentence direct answer to that section's question, before the detail. Avoid opening with a pronoun or filler word.
## How much does Acme cost?
Acme starts at $49/month for 5 seats, with a free 14-day trial...
Tech 80/100
Served over HTTPS
What we check. Whether every sampled page URL starts with https://.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. HTTPS encrypts traffic and is a baseline trust and ranking signal. Browsers flag non-HTTPS sites as 'Not secure'.
How to fix. Install a TLS certificate (free via Let's Encrypt or your host) and redirect all HTTP traffic to HTTPS.
Mobile viewport
What we check. Whether each page has a <meta name="viewport"> tag.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. Without a mobile viewport tag, your site renders zoomed-out and broken on phones, and Google indexes mobile-first.
How to fix. Add the viewport meta to every page's <head>.
<meta name="viewport" content="width=device-width, initial-scale=1">
Fast initial response
What we check. The fraction of <img> elements that declare both width and height attributes (or an aspect-ratio style) to prevent layout shift.
Passed on every sampled page.
Where we checked. Across all 8 crawled pages.
Why it matters. Slow pages (images without dimensions, no lazy-loading, render-blocking scripts) hurt Core Web Vitals, rankings and conversions.
How to fix. Add width/height to images, lazy-load below-the-fold media, and defer non-critical scripts. (This is a static proxy; for real field data use PageSpeed Insights.)
<img src="..." width="800" height="600" loading="lazy">
HSTS header
What we check. Whether the root URL's HTTP response includes a Strict-Transport-Security header with max-age >= 1 year.
Did not pass on the pages we sampled.
Where we checked. The root URL's response headers.
Why it matters. HSTS forces browsers to always use HTTPS for your site, closing a window where a visitor's first request could be downgraded to insecure HTTP and intercepted.
How to fix. Send a Strict-Transport-Security response header from your server or CDN (start with a short max-age, then raise it once you are confident).
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy
What we check. Whether the root URL's HTTP response includes a Content-Security-Policy header (and whether it avoids unsafe-inline/unsafe-eval).
Did not pass on the pages we sampled.
Where we checked. The root URL's response headers.
Why it matters. A Content-Security-Policy is the strongest defence against cross-site scripting (XSS) and content injection - it tells the browser which sources of script, style and media to trust.
How to fix. Add a Content-Security-Policy header. Start in report-only mode to find what your pages load, then enforce a tightened policy.
Content-Security-Policy: default-src 'self'; script-src 'self'