Fix guides
Step-by-step remediation for every finding the WebAuditFix scanner reports. Each guide includes a rationale, the relevant standards and compliance references, and copy-pasteable code snippets for the 7 most common stacks (nginx, Apache, Cloudflare, WordPress, Flask, Express, Rails).
Security
- Cache-Control on the homepage security.cache_control_homepage
- Cookie Secure / HttpOnly / SameSite security.cookie_flags
- Cross-Origin policies (COOP / COEP / CORP) security.corp_coop_coep
- CORS Access-Control-Allow-Origin not wildcard security.cors_wildcard
- Content-Security-Policy present security.csp
- CSP quality (no unsafe-inline / wildcards) security.csp_quality
- Strict-Transport-Security security.hsts
- HSTS preload eligibility security.hsts_preload
- HTTPS enforced (HTTP → HTTPS redirect) security.https_enforced
- Mixed-content avoidance security.mixed_content
- Permissions-Policy security.permissions_policy
- Referrer-Policy security.referrer_policy
- /.well-known/security.txt security.security_txt
- Server header information disclosure security.server_header
- X-Content-Type-Options nosniff security.x_content_type
- X-Frame-Options / frame-ancestors security.x_frame_options
- X-Powered-By absent / generic security.x_powered_by
GDPR
- Analytics gated behind consent gdpr.analytics_consent_gated
- Cookie consent — runtime verification (informational) gdpr.consent_layer_verified
- Contact email — role addresses only gdpr.contact_email_exposed
- Consent management platform detected gdpr.cookie_consent
- Cookie policy linked gdpr.cookie_policy
- Data controller identified gdpr.data_controller
- Data processing addendum referenced gdpr.dpa_link
- Form privacy notice present gdpr.forms_notice
- Privacy policy linked gdpr.privacy_policy
- Retention statement present gdpr.retention
- Data-subject rights mentioned gdpr.rights_mentioned
NIS2
- Contact / vulnerability-report page reachable nis2.contact_page
- Content-Security-Policy (NIS2 technical measure) nis2.csp
- Strict-Transport-Security (NIS2 technical measure) nis2.hsts
- HTTPS enforced (NIS2 transport security) nis2.https_enforced
- Privacy policy (NIS2 information sharing) nis2.privacy_policy
- Referrer-Policy (NIS2 technical measure) nis2.referrer_policy
- Vulnerability disclosure contact (security.txt) nis2.security_txt
- security.txt Expires field fresh nis2.security_txt_expires
- Server-version disclosure (NIS2 information minimisation) nis2.server_disclosure
- Sitemap.xml (availability signal) nis2.sitemap
- Subresource Integrity (NIS2 supply-chain) nis2.subresource_integrity
- X-Content-Type-Options (NIS2 technical measure) nis2.x_content_type
Technical SEO
- Internal anchor text descriptive (not 'click here') tech.anchor_text_descriptive
- Visible breadcrumb matches BreadcrumbList schema tech.breadcrumb_visible
- <link rel=canonical> present tech.canonical
- Cumulative Layout Shift <=0.1 tech.cls
- Gzip or Brotli compression enabled tech.compression
- HTTPS as Google ranking signal tech.https_for_indexing
- All <img> tags have alt attribute tech.image_alt_text
- Images using modern formats + sizing tech.image_opportunities
- Interaction to Next Paint <=200ms tech.inp
- Largest Contentful Paint <=2.5s tech.lcp
- <meta name=description> present tech.meta_description
- Mobile rendering: viewport + no fixed widths tech.mobile_friendly
- No intrusive mobile interstitials tech.no_interstitials
- Indexing not blocked by robots / X-Robots-Tag tech.noindex_check
- Open Graph tags present tech.og_tags
- Pagination uses self-canonical, no rel=next/prev tech.pagination_handled
- <=1 redirect to reach homepage tech.redirect_chains
- <=2 blocking stylesheets in <head> tech.render_blocking_css
- No render-blocking <script> in <head> tech.render_blocking_js
- robots.txt reachable tech.robots_present
- robots.txt syntactically valid tech.robots_valid
- schema.org JSON-LD present tech.schema_org
- schema.org primary type valid tech.schema_org_type
- sitemap.xml reachable tech.sitemap
- Sitemap URL declared in robots.txt tech.sitemap_in_robots
- <title> 50-60 chars (SERP sweet spot) tech.title_length
- Server response time (TTFB) <=800ms tech.ttfb_real
- URL lowercase, hyphens, short, no special chars tech.url_structure
- Viewport meta strict (no user-scalable=no) tech.viewport_strict
AEO / GEO
- /about page with Organization schema aeo.about_page
- >=1 paragraph in the 40-60 word snippet range aeo.answer_conciseness
- Article / BlogPosting schema with author + datePublished aeo.article_schema
- Author / Organisation identified (schema or byline) aeo.author_entity
- BreadcrumbList schema for site hierarchy aeo.breadcrumb_schema
- dateModified or visible 'Last updated' label aeo.content_freshness
- Second-person / conversational language present aeo.conversational_phrasing
- Definition blocks (<dfn> or 'X is ...') in early content aeo.definition_blocks
- Opening 100 words contain a direct answer aeo.direct_answer
- Outbound links to authoritative sources aeo.external_authority_links
- Single H1; no skipped heading levels (H1->H2->H3) aeo.heading_hierarchy
- HowTo schema present for step-by-step content aeo.howto_schema
- Title / description / canonical / OG / lang / viewport aeo.meta_tags
- H2/H3 headings phrased as questions (>=3) aeo.qa_headings
- schema.org JSON-LD: Organization + FAQPage + Service aeo.schema_markup
- JSON-LD blocks parse without errors aeo.schema_validity
- Speakable schema for voice-engine extraction aeo.speakable_schema
- AI crawlers (GPTBot / ClaudeBot / etc.) not blocked geo.ai_crawlers_allowed
- Author credentials explicit (role / years / cert) geo.author_credentials
- Brand name consistent: title / H1 / schema geo.consistent_brand_name
- /llms.txt present (llmstxt.org convention) geo.llms_txt
- Named external sources / citations geo.named_sources
- Key content not behind accordions / tabs geo.no_hidden_content
- Core content in raw HTML (no JS required) geo.no_js_required
- Original data / statistics present geo.original_data
- Paragraphs 40-80 words (no >120) geo.paragraph_length
- Lists <=60% of total content geo.prose_list_balance
- Quotable summary block (50-100 words near top) geo.quotable_summary
- Organization schema sameAs links (>=2) geo.sameas_profiles
- H2 sections end with a tight summary (long pages) geo.section_summaries
- Sitemap <lastmod> within 90 days geo.sitemap_freshness
- Specific numbers vs vague qualifiers geo.specific_statistics
- Paragraph openers are direct topic statements geo.topic_sentences
Accessibility
- ARIA landmark regions (WCAG 1.3.6 AAA) acc.aria_landmarks
- ARIA attribute validity (WCAG 4.1.2 A) acc.aria_validity
- Colour contrast - inline (WCAG 1.4.3 AA) acc.colour_contrast
- Focus indicator (WCAG 2.4.7 AA) acc.focus_indicator
- Form label associations (WCAG 1.3.1, 3.3.2 A) acc.form_labels
- Heading hierarchy (WCAG 1.3.1, 2.4.6 A/AA) acc.heading_hierarchy
- Image alt text (WCAG 1.1.1 A) acc.img_alt
- Interactive element semantics (WCAG 4.1.2 A) acc.interactive_semantics
- Language declaration (WCAG 3.1.1 A) acc.lang_declaration
- Media captions & transcripts (WCAG 1.2.2, 1.2.3 A) acc.media_transcripts
- Semantic HTML structure (WCAG 1.3.1 A) acc.semantic_structure
- Skip navigation link (WCAG 2.4.1 A) acc.skip_nav
- Table header cells (WCAG 1.3.1 A) acc.table_headers
- Touch target size - inline (WCAG 2.5.5 AAA) acc.touch_targets
- Viewport configuration (WCAG 1.4.4 AA) acc.viewport_meta