🔍 Website Audit Report — site-diagnostics.com
Audit Date: April 15, 2026 · Audited by: Claude Agent SDK
🌟 Overall Score: 61 / 100
| Pillar | Score |
|---|---|
| 🔎 SEO | 56 / 100 |
| ⚡ Performance | 70 / 100 |
| 🔒 Security | 74 / 100 |
| ✍️ Content & Links | 38 / 100 |
| 🎨 Design & UX | 62 / 100 |
PART 1 — The Plain-English Summary
No jargon. Just what's happening and why it matters.
👋 What is this site?
Site Diagnostics is a one-page commercial product that lets people run a website audit. You enter a URL, get a free snapshot, and can pay £9.99 for a full PDF report. It's clean, it's fast, and it clearly explains its value. The bones are good. But right now, there are a handful of issues holding it back — some you'd want to fix today, and others that are more about growth.
🚨 The Three Things That Need Fixing Immediately
1. Your social sharing image is broken
Whenever someone shares your site on Twitter/X, LinkedIn, WhatsApp, or Facebook, the site is supposed to show a nice preview card with an image. Yours is supposed to show a file called og-image.png. But that file doesn't exist on the server — it returns a "not found" error.
What this means in practice: every share of your link looks like a blank card with no image. That's a missed first impression, every single time.
The fix: Upload /og-image.png (1200×630px, showing your product name and value prop) to your server.
2. Your www address is completely broken
Try visiting www.site-diagnostics.com in a browser. You'll get an error page — a Cloudflare 525 (SSL Handshake Failure). This happens because your SSL certificate isn't set up correctly for the www version of your domain.
Most people type www. by instinct. Others get forwarded there from old links. Right now, every one of those visitors hits a broken error screen instead of your site.
The fix: Either set up a redirect so www always goes to the non-www version, or add www.site-diagnostics.com properly to your SSL/Cloudflare config. This is a 5-minute fix in Cloudflare.
3. There's almost nothing for Google to read
Your homepage has about 240 words of actual content. That's roughly half a page of an A4 document. Google uses content to understand what a site is about, decide who to show it to, and rank it. Right now, Google sees a tool that says "I do website audits" six times in different ways, with two customer quotes — and nothing else.
There's also no blog, no guides, no FAQ, no how-it-works page. This is the single biggest reason the site won't grow its search traffic on its own. It has no content engine.
The fix: This one takes longer, but it's the highest-leverage investment. Start with a simple blog or resource section. Even 5-10 articles about SEO, performance, and security topics will bring in consistent free traffic from Google.
💛 The Things Worth Improving Soon
Your JavaScript is heavier than it needs to be
The site loads about 779 KB of JavaScript (the code that makes pages interactive). For a site with one form and one button, that's a lot. It's like hiring a full construction crew to hang a picture frame. The good news: it's compressed when it travels to visitors, so real-world impact is moderate — but it does slow down how quickly the page becomes fully usable, especially on older phones.
You have no social proof beyond two quotes
Two testimonials is a start, but it's not enough to build trust with a stranger. There are no case studies, no numbers ("caught X issues across Y sites"), no company logos, no review count that feels meaningful. For a product that asks people to trust it with their websites and pay £9.99, more social proof would meaningfully lift conversions.
There's no Contact page
If something goes wrong with a scan, or a potential customer wants to ask a question before paying, there's nowhere to go. There's an obfuscated email address buried in the footer, but no /contact page. That's a trust gap.
✅ What's Already Working Well
- Security headers are excellent. HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy — all in place. This is genuinely impressive for a new product.
- HTTPS is solid. TLS 1.3, 256-bit encryption, Let's Encrypt certificate covering both the root and wildcard subdomains.
- Cloudflare CDN is active. Pages are served fast from edge servers close to your users. Brotli compression is on.
- Static assets are cached for a year. CSS and JS files load once and are remembered by the browser forever. Very efficient.
- The page title and description are good. They're clear, accurate, and the right length for search results.
- Structured data (Schema.org) is present. You've told Google that this is a SoftwareApplication with a price and reviews. That's a solid foundation.
- Legal pages are in order. Privacy Policy, Terms of Service, UK GDPR compliance, consent-first cookies, Gibraltar registration — all present and well-written.
- Skip navigation link is present. That's an accessibility detail most sites miss.
PART 2 — What This Means for Growth
Still human language, but focused on the bigger strategic picture.
Where this site stands right now
Site Diagnostics is a conversion machine without an audience. The checkout flow works (Stripe), the product proposition is clear (free then paid), the legal side is sorted, and the infrastructure is solid. But the site currently has no way to attract strangers from Google — no content, no keyword footprint, no depth to the topic.
Think of it like a brilliant shop that's never opened its front door to the street.
The biggest growth opportunity: content
The site is about SEO, performance, and security — three topics that people search for constantly and specifically. Searches like "how to fix LCP", "what is a canonical tag", "website security checklist", "why is my site slow" — these get thousands of searches per month, and the people doing those searches are exactly the kind of person who'd want a website audit tool.
Right now, Site Diagnostics appears in none of those searches. A small, consistent content effort — one article per week — would fundamentally change that within 6 months.
The missing middle of the funnel
There's a jump from "I just found this site" to "I'm paying £9.99." There's no:
- How it works page explaining the audit process
- Pricing page with tier comparison
- Sample report to show what you get
- FAQ answering common objections
Adding even two of those would likely move conversion rates meaningfully.
The trust gap for a paid product
£9.99 is a low price, but it's still a transaction. People pay for things when they trust the seller. Right now, the trust signals are: two customer quotes, a company registration, and a Stripe badge. Adding a sample report PDF, a fuller About page, and 10+ reviews in the schema markup would make a real difference.
PART 3 — Technical Findings
🔎 SEO — Score: 56 / 100
✅ What's Working
| Element | Detail |
|---|---|
| Page Title | Site Diagnostics — Website SEO, Security & Performance Audit — 58 chars, on-brand, keyword-rich |
| Meta Description | Free instant site health snapshot. Unlock a detailed 10+ page SEO, performance and security audit from $9.99, delivered by email. — 130 chars, compelling |
| H1 | Free Website Audit — SEO, Security & Performance — one H1, clear, matches intent |
| Canonical Tag | <link rel="canonical" href="https://site-diagnostics.com"/> — correct, self-referencing |
| Robots Meta | content="index, follow" — correct |
| robots.txt | Properly formed: Allow: /, Disallow: /api/, Sitemap: https://site-diagnostics.com/sitemap.xml |
| Sitemap | Present at /sitemap.xml, 3 URLs, correct structure |
| OG Tags | og:title, og:description, og:url, og:image, og:type, og:locale all present |
| Twitter Card | summary_large_image, title and description set |
| Schema.org | SoftwareApplication + Organization + AggregateRating in JSON-LD |
| Language | <html lang="en"> — correct |
| Viewport | width=device-width, initial-scale=1 — correct |
❌ Issues Found
🔴 Critical — OG Image Returns 404
GET https://site-diagnostics.com/og-image.png → HTTP 404
The meta tag <meta property="og:image" content="https://site-diagnostics.com/og-image.png"/> references a file that doesn't exist. Every link preview on social platforms will render without an image. Fix: Upload a 1200×630px PNG at that path.
🔴 Critical — Dangerously thin content (~240 words)
The homepage body contains approximately 240 words of visible text. This is insufficient for topical relevance. Google's Helpful Content guidelines reward depth; a landing page with under 300 words offers no keyword surface area beyond the exact brand queries and the six feature labels.
🟠 High — No content pages (zero blog/articles/guides)
The sitemap contains only 3 URLs: /, /privacy, /terms. There is no blog, no use-case pages, no FAQ page, no how-it-works. The site has zero organic keyword growth vector beyond branded searches.
🟠 High — Heading hierarchy is thin
H1: "Free Website Audit — SEO, Security & Performance"
H2: "What early users are saying"
H2: "Free instant snapshot. Full SEO audit tool from $9.99."
H3: (×6 feature labels)
Only 2 H2s for the entire page. There is no section covering what the tool does in detail, pricing explained, how it works — the lack of content means the heading structure has nothing to scaffold.
🟡 Medium — AggregateRating with only 2 reviews
"aggregateRating": {
"ratingValue": "5",
"reviewCount": "2"
}
Google's guidelines suggest a minimum of ~5 reviews before rich snippet eligibility is considered, and in practice the threshold is higher. A 5-star rating from 2 reviews also looks less credible than 4.7 stars from 47 reviews.
🟡 Medium — Missing schema types
- No FAQPage schema (missed rich snippet opportunity)
- No WebSite schema (SiteLinks Searchbox signal missing)
- No individual Review objects with Person attribution
- No HowTo or VideoObject schema
🟡 Medium — OG description shorter than meta description
og:description: "Free instant site health snapshot. Full website audit from $9.99." (67 chars)
meta description: the full 130-char version is not reused in OG. This is a minor inconsistency; both should use the same rich version.
🟡 Medium — No sitemap index; no future scalability plan
The current flat sitemap is fine for 3 pages. A sitemap index (sitemap_index.xml) with separate sitemaps for blog posts, tools, and static pages should be planned now.
🟢 Low — robots.txt AI content signals (non-standard)
The ai-train: no directives are non-standard and not respected by any crawler. They add noise without effect. No harm, but they're not a legal protection mechanism.
Prioritised Fixes
| Priority | Fix | Effort | Impact |
|---|---|---|---|
| 🔴 | Upload /og-image.png (1200×630px) | 30 min | High |
| 🔴 | Create 5–10 content/blog pages targeting audit-related keywords | Ongoing | Very High |
| 🟠 | Expand homepage content to 600–1000 words with clear sections | 2 hrs | High |
| 🟠 | Add FAQ section + FAQPage schema | 1 hr | Medium |
| 🟡 | Add WebSite + individual Review schema | 1 hr | Medium |
| 🟡 | Add a /how-it-works and /pricing page to sitemap | 3 hrs | High |
⚡ Performance & Health — Score: 70 / 100
Stack & Infrastructure
| Element | Value |
|---|---|
| Framework | Next.js (Turbopack, SSR/SSG hybrid) |
| CDN | Cloudflare (confirmed: server: cloudflare, cf-ray header) |
| Compression | Brotli (content-encoding: br) ✅ |
| Protocol | HTTP/2 ✅ |
| Next.js Cache | x-nextjs-cache: HIT — page is pre-rendered ✅ |
| Static Asset Cache | cache-control: public, max-age=31536000, immutable (1 year) ✅ |
| ETag | Present on static assets ✅ |
✅ What's Working
- Cloudflare CDN delivers assets from edge nodes globally — excellent TTFB for most users
- Brotli compression active — reduces transfer size ~15–20% vs gzip, ~70% vs uncompressed
- Static assets cached for 1 year with immutable — CSS and JS files downloaded once, never re-fetched
- Fonts preloaded in <head> with crossorigin — eliminates font FOIT (Flash of Invisible Text)
- Logo preloaded as <link rel="preload" as="image"> — LCP element loads early
- Single image on page (/logo.svg) — no large image optimisation needed; no WebP conversion required for SVGs
- No render-blocking CSS beyond the single stylesheet file
- Pre-rendered at build time (x-nextjs-prerender: 1) — no server-side compute per request
❌ Issues Found
🟠 High — JavaScript payload is heavy for this page's complexity
| Asset | Raw | Compressed (est.) |
|---|---|---|
| 12 JS chunks | 779 KB | ~234 KB |
| 1 CSS file | 43 KB | ~13 KB |
| HTML | 42 KB | ~12 KB |
| Total | 864 KB | ~259 KB transferred |
A single-page site with one input form and one button should not require 779 KB of JavaScript. This is typical Next.js bundle bloat — the framework ships polyfills, routing machinery, and third-party SDK code (Stripe, Google Tag Manager, Meta Pixel, Google Ads) even when most of it isn't needed on first load. This directly impacts Time to Interactive (TTI) and Total Blocking Time (TBT) on mobile.
Specific concerns:
- 0.~2ky53fo~10.js: 221 KB — likely a large vendor/polyfill bundle
- 0o59ac8426icc.js: 133 KB
- 03~yq9q893hmn.js: 110 KB
- 0dglssk4t43pk.js: 122 KB
🟠 High — Homepage CDN cache set to 1 year (s-maxage=31536000)
cache-control: s-maxage=31536000
The homepage HTML itself is cached at the CDN edge for 365 days. While x-nextjs-stale-time: 300 hints at a 5-minute revalidation intent, the raw s-maxage value means content updates may not propagate to all edge nodes without a manual cache purge. For a page with testimonials and a live product, this is a risk.
Fix: Set s-maxage to 300–3600 seconds with stale-while-revalidate=86400 for instant-feeling freshness with correct propagation.
🟠 High — Third-party scripts loaded synchronously from external domains
The CSP reveals script loading from:
- https://www.googletagmanager.com (Google Analytics)
- https://connect.facebook.net (Meta Pixel)
- https://www.googleadservices.com (Google Ads)
- https://googleads.g.doubleclick.net (Google Ads)
- https://js.stripe.com (Stripe)
Five external script sources. Each of these adds a DNS lookup, TLS handshake, and download round-trip. GTM, Meta Pixel, and Google Ads scripts are particularly known to delay Largest Contentful Paint and inflate Total Blocking Time on mobile. There are no dns-prefetch or preconnect hints visible for these domains in the HTML head.
🟡 Medium — No explicit fetchpriority="high" on LCP element
The logo (/logo.svg) is preloaded but there's no explicit fetchpriority="high" attribute on the <img> tag itself, which is now recommended for above-the-fold images to signal priority to the browser's resource scheduler.
🟢 Low — No next-gen image formats needed (currently SVG-only)
With only one image (an SVG logo), this isn't an issue now — but any future image additions should use AVIF/WebP with <picture> fallback.
Prioritised Fixes
| Priority | Fix | Effort | Impact |
|---|---|---|---|
| 🟠 | Load GTM/Pixel/Ads tags after page load (defer or consent-gated) | 2 hrs | High |
| 🟠 | Reduce homepage s-maxage to 300–3600s + stale-while-revalidate | 30 min | Medium |
| 🟠 | Audit and split Next.js bundle; remove unused polyfills | 4 hrs | High |
| 🟡 | Add dns-prefetch + preconnect for GTM, Stripe, Meta domains | 1 hr | Medium |
| 🟡 | Add fetchpriority="high" to the logo <img> tag | 15 min | Low |
🔒 Security — Score: 74 / 100
✅ What's Excellent
| Header | Value | Assessment |
|---|---|---|
| HTTPS | TLS 1.3, ECDSA P-256 | ✅ Modern, strong |
| Certificate | Let's Encrypt E7, valid to Jun 21 2026, wildcard *.site-diagnostics.com | ✅ |
| HSTS | max-age=63072000; includeSubDomains; preload (2 years) | ✅ Excellent — preload-eligible |
| X-Frame-Options | DENY | ✅ Blocks clickjacking |
| X-Content-Type-Options | nosniff | ✅ Prevents MIME sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | ✅ Appropriate |
| Permissions-Policy | camera=(), microphone=(), geolocation=(), payment=(self "https://js.stripe.com") | ✅ Well-configured |
| .env file | HTTP 404 | ✅ Not exposed |
| .git/config | HTTP 404 | ✅ Not exposed |
| WordPress admin | HTTP 404 | ✅ Not applicable |
❌ Issues Found
🔴 Critical — www.site-diagnostics.com returns HTTP 525 (SSL Handshake Failure)
https://www.site-diagnostics.com → HTTP 525 (Cloudflare: SSL Handshake Failed)
Cloudflare error 525 means Cloudflare can connect to your origin server but cannot complete a TLS handshake with it for the www subdomain. Despite HSTS includeSubDomains being declared (which promises that www is HTTPS-only), visitors hitting www get a broken page. This is a contradiction that could also create confusion with HSTS preload list validators.
Fix options:
- Add a Cloudflare Page Rule to redirect www.site-diagnostics.com/* → https://site-diagnostics.com/$1 (301)
- Or configure the origin server to accept TLS for the www hostname
🟠 High — Content Security Policy uses 'unsafe-inline'
script-src 'self' 'unsafe-inline' ...
style-src 'self' 'unsafe-inline'
'unsafe-inline' in script-src allows any inline <script> tag to execute — this largely defeats the purpose of a CSP for XSS protection. This is almost certainly present because Next.js injects inline scripts for hydration. The modern solution is to use nonces (per-request random tokens) instead of unsafe-inline, which Next.js supports.
'unsafe-inline' in style-src is less severe but still allows arbitrary inline style injection.
🟠 High — No CSP violation reporting
# Missing:
Content-Security-Policy: ...; report-to violations-endpoint
There's no report-uri or report-to endpoint in the CSP. This means any CSP violations (including potential XSS attempts being blocked) are silently discarded. You're flying blind on whether your policy is working or being triggered.
🟡 Medium — CSP connect-src incomplete
connect-src 'self' https://api.stripe.com https://www.google-analytics.com
The connect-src directive is missing:
- https://stats.g.doubleclick.net (Google Ads tracking pixel)
- https://connect.facebook.net and https://www.facebook.com (Meta Pixel events)
These third-party fetch requests may be silently blocked by browsers enforcing the CSP, causing broken conversion tracking without any visible error.
🟡 Medium — Certificate expires June 21, 2026 (~67 days)
Let's Encrypt certificates are 90-day and auto-renew via ACME. Confirm auto-renewal is configured and monitored — if the Cloudflare origin pull certificate or the Google Cloud (origin) certificate isn't on auto-renewal, this will cause a 525 error on or before Jun 21, 2026.
🟡 Medium — No Expect-CT header (deprecated but informational)
Expect-CT is deprecated (Chrome removed enforcement in 2022) but was worth noting — the HSTS preload is a stronger alternative and is already in place. ✅
🟡 Medium — Cookie flags not verifiable via headers
The Privacy Policy mentions Stripe, Google Analytics, and Meta Pixel cookies. Without being able to inspect Set-Cookie headers in a browser session, we can't confirm Secure, HttpOnly, and SameSite=Lax/Strict flags. These should be audited in browser DevTools, especially for the consent-tracking cookie.
🟢 Low — unsafe-inline in CSP could block future nonce adoption
If GTM is injecting scripts dynamically, a nonce-based CSP may require GTM configuration changes. Plan this migration carefully.
Prioritised Fixes
| Priority | Fix | Effort | Impact |
|---|---|---|---|
| 🔴 | Fix www 525 error via Cloudflare redirect rule | 15 min | Critical |
| 🟠 | Migrate CSP to nonce-based approach (remove unsafe-inline) | 1 day | High |
| 🟠 | Add report-to CSP violation endpoint | 1 hr | Medium |
| 🟡 | Expand connect-src to cover Meta and Google Ads domains | 30 min | Medium |
| 🟡 | Verify auto-renewal for origin SSL cert before Jun 21 | 30 min | High |
| 🟡 | Audit all Set-Cookie headers for Secure/HttpOnly/SameSite flags | 1 hr | Medium |
✍️ Content & Links — Score: 38 / 100
The Hard Truth About Content
This is the lowest-scoring pillar and the most important one for long-term growth. The site is effectively a single commercial page with two legal pages. That's it.
✅ What's Working
- Homepage copy is clear, benefit-led, and grammatically correct
- Value proposition is immediately obvious ("Free snapshot → £9.99 full report")
- Two real user testimonials provide initial credibility
- Privacy Policy and Terms of Service are well-written and legally complete
- UK GDPR compliance signalling is present and appropriate
- Pricing signal ("from $9.99") is present in the H2 and meta description
❌ Issues Found
🔴 Critical — Near-zero organic keyword footprint
Indexed pages: ~3
Blog posts: 0
Guides/resources: 0
FAQ pages: 0
Use-case pages: 0
Competitor comparison pages: 0
The site has no content that could attract search traffic for the hundreds of high-intent keywords adjacent to its product (e.g., "website seo audit tool", "how to check website speed", "free security scan website", "what is LCP score", "how to fix broken links SEO"). Without content, there is no organic discovery path.
🔴 Critical — Homepage word count: ~240 words
For context, a typical well-ranking commercial landing page has 700–1,500 words. A blog post targeting a keyword needs 1,000–2,500 words. At 240 words, the homepage can rank reliably only for branded queries.
🟠 High — No internal linking architecture
With 3 pages, there is no internal link structure to speak of. Internal links distribute "authority" between pages and help Google understand site structure. A proper site would have dozens of contextual links between content pages, tool pages, and the homepage. This entire dimension of SEO doesn't exist yet.
🟠 High — No backlink-worthy resources
There's nothing on the site that an SEO blogger, a web developer, or a marketing newsletter would naturally link to. No tools (beyond the paid audit), no free checklists, no stat pages, no open datasets. Backlinks are a core ranking signal — the site currently has nothing to attract them organically.
🟡 Medium — Testimonials are anonymous and unverifiable
"Ran it against three client sites and it picked up issues our previous tool had missed."
— An independent SEO consultant from the UK
There's no name, no company, no photo, no link. This reads as potentially fabricated to a sceptical visitor. Real named testimonials with job titles dramatically increase trust conversion.
🟡 Medium — No case study or sample report
The product's value prop is "get a 10+ page audit report." But you can't see what that report looks like before paying. A sample redacted report (or even a screenshot of a few pages) would reduce purchase friction significantly.
🟡 Medium — AggregateRating in Schema: 2 reviews, 5.0 stars
Schema says "reviewCount": "2". This is technically valid JSON-LD, but:
- Google's quality guidelines suggest this is insufficient for rich snippet eligibility
- 5.0/5.0 from 2 reviews signals a lack of data rather than excellence
- No Review objects with individual author + reviewBody — the rating floats without backing evidence
🟢 Low — Email address obfuscated via Cloudflare email protection
<a href="/cdn-cgi/l/email-protection#...">
The email is Cloudflare-obfuscated to prevent scraping. This is fine for anti-spam, but the obfuscation script adds a small JS dependency and may not render correctly for screen readers or users with JS disabled. Consider a visible support email on a /contact page alongside the obfuscated version.
Content Opportunities (Keyword Ideas)
| Target Keyword | Monthly Volume (est.) | Difficulty | Content Type |
|---|---|---|---|
| website seo audit tool | 2,400 | Medium | Landing page |
| free website audit | 8,100 | High | Landing page |
| how to check website speed | 5,400 | Medium | Blog post |
| website security scan | 3,600 | Medium | Landing page |
| what is LCP in seo | 1,900 | Low | Blog post |
| how to fix broken links | 2,900 | Low | Blog post |
| website performance checklist | 1,300 | Low | Resource |
| seo audit checklist | 4,400 | Medium | Resource |
Prioritised Fixes
| Priority | Fix | Effort | Impact |
|---|---|---|---|
| 🔴 | Create a content plan: 10 blog posts on SEO/perf/security topics | 2 weeks | Very High |
| 🔴 | Expand homepage content to 700–1,000 words with clear sections | 2–3 hrs | High |
| 🟠 | Add a /how-it-works page with screenshots and steps | 3 hrs | High |
| 🟠 | Add a /pricing or /plans page | 2 hrs | High |
| 🟡 | Add real named testimonials with photos and titles | 1 hr | Medium |
| 🟡 | Add a /sample-report page (redacted PDF or screenshots) | 2 hrs | High |
| 🟡 | Add /contact page with a form | 2 hrs | Medium |
| 🟡 | Add 5+ Review objects to Schema.org JSON-LD | 1 hr | Medium |
🎨 Design & UX — Score: 62 / 100
✅ What's Working
| Element | Detail |
|---|---|
| Responsive layout | Tailwind CSS with responsive classes (md:flex-row, flex-col) — mobile-first |
| Viewport meta | Correct: width=device-width, initial-scale=1 |
| Skip navigation | <a href="#main-content"> present — screen reader / keyboard accessible ✅ |
| Logo alt text | alt="Site Diagnostics Logo" — correct, descriptive ✅ |
| Aria labels | Six feature icons labelled (aria-label="Seo Issues" etc.) — accessible ✅ |
| Language | <html lang="en"> — screen readers know the language ✅ |
| Single CTA focus | One prominent "START FREE SCAN" button — reduces decision paralysis ✅ |
| Footer landmark | aria-label="Footer" — correct landmark region ✅ |
| Font loading | Two WOFF2 fonts preloaded in head — fast, no FOIT ✅ |
| Stripe trust badge | Payment trust signal present near conversion point ✅ |
❌ Issues Found
🟠 High — No navigation menu
There is no site navigation. The header contains only a logo. With only 3 pages this is technically sufficient — but as the site grows, the absence of navigation becomes a UX problem. There's also no way for a visitor to find the Terms or Privacy pages without scrolling to the footer.
🟠 High — No contact page or support path
If a user has a question before purchasing, there's nowhere obvious to go. The only contact information is a Cloudflare-obfuscated email in the footer. This creates a dead end in the pre-purchase research journey. A visible /contact page or even an inline FAQ section would address this.
🟠 High — Missing visible pricing clarity
The H2 says "from $9.99" but uses a dollar sign ($) while the Schema.org markup says "priceCurrency": "GBP" and the Terms say prices are in GBP. This is a currency inconsistency that could confuse international visitors and undermine trust at the critical conversion moment.
H2 copy: "$9.99" ← dollar sign
Schema: "GBP" ← pound sterling
Terms: "GBP" ← pound sterling
🟠 High — aria-label="Seo Issues" capitalisation (minor but fixable)
The aria label reads "Seo Issues" instead of "SEO Issues". Screen readers will vocalise this as "Seo" (rhymes with "Leo") rather than the abbreviation "S-E-O". A small fix with a real accessibility impact.
🟡 Medium — No visible focus states confirmed
While skip navigation suggests keyboard focus was considered, without rendering the page in a browser we can't confirm visible focus rings on all interactive elements (the scan form input, the CTA button, footer links). WCAG AA requires a visible focus indicator. Tailwind's default outline: none reset can silently strip these.
🟡 Medium — Form has no visible label for the URL input
<form class="flex flex-col md:flex-row items-center gap-3">
<div class="relative flex-grow w-full">
<svg ... > <!-- globe icon -->
<input ... > <!-- URL input -->
The URL input field relies on a globe icon and placeholder text as its label. There is no <label> element and likely no aria-label on the <input>. This fails WCAG 2.1 Success Criterion 1.3.1 (Info and Relationships) and 3.3.2 (Labels or Instructions). Screen readers will announce the field without context.
Fix: Add <label for="url-input">Website URL</label> (visible or visually hidden with sr-only) and corresponding id on the input.
🟡 Medium — Only one image on the entire site
The site is almost entirely typographic. While this keeps it clean and fast, it means:
- There's no product screenshot showing what a report looks like
- There's no visual explanation of the audit process
- Social sharing is completely broken (OG image 404, as noted above)
🟡 Medium — No error state or validation feedback visible in form
The URL input form likely validates URLs, but whether it shows helpful error messages ("Please enter a valid URL") or fails silently is unclear from the HTML. Inline validation with clear, friendly error messages is a UX requirement for any form.
🟢 Low — H2 heading "Free instant snapshot. Full SEO audit tool from $9.99." reads as two sentences
This is both a heading and a pricing claim. Semantically it would be clearer as a subheading above a proper pricing card section, rather than a standalone H2. Minor readability issue.
🟢 Low — Testimonial section has no heading that names it
The H2 "What early users are saying" is present — good — but there are only 2 testimonials below it. The section feels sparse for a dedicated section header. Either add more testimonials or reframe this as an inline trust signal rather than a dedicated section.
Prioritised Fixes
| Priority | Fix | Effort | Impact |
|---|---|---|---|
| 🔴 | Upload /og-image.png to fix social preview (Design + SEO crossover) | 30 min | High |
| 🟠 | Fix currency consistency: choose GBP (£9.99) everywhere | 15 min | High |
| 🟠 | Add aria-label or <label> to URL input field | 15 min | Medium |
| 🟠 | Fix aria-label="Seo Issues" → aria-label="SEO Issues" | 5 min | Low |
| 🟡 | Add a /contact page | 2 hrs | Medium |
| 🟡 | Add navigation header with links to key pages | 1 hr | Medium |
| 🟡 | Add product screenshots to homepage | 2 hrs | High |
| 🟡 | Audit and confirm visible focus states on all interactive elements | 1 hr | Medium |
| 🟡 | Add form validation with friendly error messages | 2 hrs | Medium |
🗺️ Master Priority Matrix
All issues ranked by urgency and impact in one place.
| # | Priority | Issue | Pillar | Time to Fix |
|---|---|---|---|---|
| 1 | 🔴 Critical | /og-image.png returns 404 — social sharing broken | SEO + UX | 30 min |
| 2 | 🔴 Critical | www.site-diagnostics.com returns HTTP 525 — site broken on www | Security + UX | 15 min |
| 3 | 🔴 Critical | No content engine — zero organic growth vector | Content | Ongoing |
| 4 | 🟠 High | Homepage content only ~240 words — extremely thin | Content + SEO | 2–3 hrs |
| 5 | 🟠 High | Currency mismatch: $9.99 in copy vs GBP in schema/terms | UX | 15 min |
| 6 | 🟠 High | URL input has no <label> — WCAG 1.3.1 failure | UX + Accessibility | 15 min |
| 7 | 🟠 High | CSP unsafe-inline weakens XSS protection | Security | 1 day |
| 8 | 🟠 High | 12 JS chunks = ~779 KB for a single-page site | Performance | 4 hrs |
| 9 | 🟠 High | Third-party scripts (GTM, Meta, Ads) block main thread | Performance | 2 hrs |
| 10 | 🟠 High | Homepage s-maxage=31536000 (1 year CDN cache) | Performance | 30 min |
| 11 | 🟡 Medium | No FAQ page or FAQPage schema | SEO | 1 hr |
| 12 | 🟡 Medium | AggregateRating has only 2 reviews — rich snippets unlikely | SEO | Ongoing |
| 13 | 🟡 Medium | No /contact, /how-it-works, /pricing pages | Content + UX | 1 day |
| 14 | 🟡 Medium | CSP lacks violation report-to endpoint | Security | 1 hr |
| 15 | 🟡 Medium | connect-src in CSP missing Meta/Google Ads domains | Security | 30 min |
| 16 | 🟡 Medium | TLS cert expires Jun 21, 2026 — confirm auto-renewal | Security | 30 min |
| 17 | 🟡 Medium | Testimonials are anonymous — add names, titles, photos | Content + UX | 1 hr |
| 18 | 🟡 Medium | No product screenshots on homepage | UX | 2 hrs |
| 19 | 🟡 Medium | aria-label="Seo Issues" — wrong pronunciation for screen readers | Accessibility | 5 min |
| 20 | 🟢 Low | OG description shorter than meta description | SEO | 15 min |
| 21 | 🟢 Low | No dns-prefetch/preconnect for third-party domains | Performance | 1 hr |
| 22 | 🟢 Low | No fetchpriority="high" on logo <img> | Performance | 15 min |
| 23 | 🟢 Low | Sitemap has no index format — plan for future scale | SEO | 1 hr |
| 24 | 🟢 Low | robots.txt AI content signals are non-standard/non-enforceable | SEO | 10 min |
📊 Score Summary
| Pillar | Score | Key Strength | Biggest Gap |
|---|---|---|---|
| 🔎 SEO | 56 / 100 | Good title, description, canonical, schema foundation | No content, no pages, OG image broken |
| ⚡ Performance | 70 / 100 | Cloudflare CDN, Brotli, immutable static caching | Heavy JS bundle, third-party script blocking |
| 🔒 Security | 74 / 100 | Excellent HSTS, all major headers set, no exposed files | www SSL broken, CSP unsafe-inline, no reporting |
| ✍️ Content & Links | 38 / 100 | Clear value prop, good legal pages | Almost no content, no blog, anonymous testimonials |
| 🎨 Design & UX | 62 / 100 | Responsive, accessible foundations, clear CTA | No nav, currency error, missing form label |
| 🌟 Total | 61 / 100 | Strong technical and security baseline | Content and growth engine essentially absent |
Audit produced: April 15, 2026 · Tool stack: curl, OpenSSL, Google PageSpeed API, DOM parsing, HTTP header analysis, DNS lookup, Schema.org validation · Audited by Claude Agent on the Anthropic Claude Agent SDK.