Methodology

How the grade is made.

Every scan runs 187 checks against the real site: the real robots.txt, the real headers, the real TLS handshake, the real DNS records, up to 150 real pages. 164 checks are graded. 23 are informational only, observed and reported but never scored, because the evidence does not support grading them. This page is the full method: where checks come from, how they become one number, what every check weighs, and what that number honestly cannot tell you. The complete check table is at the bottom, generated from the engine's own registry.

Sources

A check exists only if a published source backs it.

The 116 scored on-page checks are grounded in official search engine documentation, primarily Google's published Search documentation. If Google documents it as a requirement or a stated signal, it can become a check. If it is folklore, it cannot. That is why AuditLamp has no title character-count rule: Google documents no such limit, so we refuse to grade one.

The 48 Vibe Audit checks each map to a named public standard: an OWASP project, an IETF RFC, a CWE entry, a WCAG 2.2 Success Criterion, or a named privacy law. The check-by-check mapping ships in the product; every finding cites its standard next to the verdict.

When guidance changes, checks change, on a stated cadence. An automated watch reads Google's published Search documentation changelog every day, and the key Search documentation pages are baselined for content-level diffs so a reworded requirement is caught even without a changelog entry. When a revision affects a check, the check updates and the finding prints its citation date, so a verdict never quietly rests on stale guidance. One example on the record: Google's July 10, 2026 guide revision was picked up and the affected citations were live within a day.

The math

187 run. 164 graded. One blended number.

The on-page score comes from the 116 scored SEO, AEO and GEO checks with proportional credit: a check that passes on 9 of your 10 pages earns 90% of its weight, not zero. One bad page dents the score; it does not erase the 9 good ones.

The overall grade is 70% on-page score, 30% Vibe Audit. The Vibe portion is the mean of three pillars graded independently on an A+ to F band, the same style of band security scanners like SSL Labs use: security (23 checks: TLS, headers, exposed files, cookies, email authentication), accessibility (18 checks against WCAG 2.2 automatable criteria), and privacy (7 checks: trackers, consent, policy substance).

Severity is graded, not binary. Findings are split into fails, warns and threshold cases so a missing nice-to-have reads as a warn, never a catastrophe. One rule is deliberately blunt: a genuine site-breaking failure, like crawlers blocked from the entire site, caps the headline score at 79, names the exact failure on the report, and prints the score the site rises to once it is fixed. A high score with a broken front door would be a lie; the cap is how we refuse to tell it.

Edge cases are graded conservatively. A page with nothing for a given check to measure is excluded from that check's denominator: it is neither a pass nor a fail, so absence of evidence never inflates a score. A check that finds nothing to measure anywhere on the site reports exactly that ("observed across N pages, never scored") instead of rendering a green pass for measuring nothing. Failing pages reduce the passing fraction; a site we cannot reach at all voids the scan (and returns the free-scan slot) rather than being graded on pages we never read.

The 23 informational checks are observed across the crawl and reported with their evidence, but excluded from every score. When a check has nothing to measure on a site, it says so; it never renders as a green pass for measuring nothing.

Evidence

Fetched, not estimated.

AuditLamp reads the live site the way crawlers do. A scan fetches the real pages (desktop and mobile), the real robots.txt and sitemap, llms.txt if present, performs a real TLS handshake, resolves SPF and DMARC over DNS, and probes well-known paths that should never be public. AI-crawler access is tested by named agent: Googlebot, Bingbot, GPTBot, ClaudeBot, PerplexityBot, Google-Extended.

Link-graph authority comes from our own index of the public Common Crawl domain graph: 121 million domains, 3.9 billion domain-to-domain links, rebuilt as Common Crawl publishes new data on its roughly monthly cycle. The score is the domain's harmonic-centrality position converted to 0 to 100 with a disclosed formula, authority = 100 * (1 - ln(harmonic_pos) / ln(N)), where N is the number of ranked domains. Referring-domain counts come from the same graph, deduplicated so one domain linking many times counts once. A domain absent from the graph is reported as "not in the index we read", never given an invented number.

What needs a rendered browser, we do not fake. Colour contrast, keyboard operability and runtime tracker capture require a real rendered page, so they are out of scope for the passive scan and documented as such, not silently graded.

Ground truth

The score is a hypothesis. Your rankings are the truth.

An audit score measures whether your site meets the documented requirements engines state. It is not a ranking prediction, and any tool that sells its score as one is overclaiming. The honest loop: fix what the scan names, then verify against reality. That is why the product connects to your own Google Search Console data, real queries, clicks and positions, so the grade gets checked against the only numbers that matter.

We run the method on ourselves. auditlamp.com is scanned by the same public engine, and the homepage pins the resulting report with a link anyone can open. The pinned report is immutable: a later scan cannot silently repaint the published number. When our own scan finds a fail, it stays on the report until we fix it for real.

Limits

What a clean grade does not mean.

Security: a clean pillar means nothing was exposed at the surface of a passive scan. It is not a penetration test and we never call it one.

Accessibility: automated tooling catches roughly 30 to 40% of WCAG. A clean pillar means no automatically detectable barriers were found, never "WCAG compliant" or "ADA compliant".

Privacy: observable signals only. Not legal advice, not a compliance certification.

These caveats print on the report itself, attached to every pillar grade. A tool that grades honestly has to state what its grades cannot see.

Full catalog of named checks: what we check. The plain-language story: how it works.

Appendix: the full graded set

Every check, its job, and its weight.

This table is generated directly from the engine's check registry (registry version 0.2.0, regenerated 2026-07-17), so it cannot drift from what actually runs. Weights are relative within the on-page score; a weight-10 check moves the score ten times more than a weight-1 check. Vibe Audit weights work the same way inside their own pillar grade. The 23 informational checks carry no weight anywhere: they are observed and reported, never scored.

The 116 scored on-page checks

Gate: can machines reach you at all (8 checks)

check idwhat it verifiesweight
gate.crawlableSearch crawler access10
gate.ai_bot_accessAI crawler access9
gate.bot_reachabilityFirewall and CDN bot access6
gate.indexableIndexing permission10
gate.renders_no_jsContent without JavaScript8
gate.sitemapSitemap5
gate.sitemap_qualitySitemap quality4
gate.robots_qualityrobots.txt quality3

Core: do you answer what people search (29 checks)

check idwhat it verifiesweight
core.titlePage title8
core.meta_descriptionMeta description5
core.h1Main heading (H1)6
core.structured_dataStructured data (JSON-LD)7
core.schema_completeRequired schema fields5
core.answer_blockAnswer near the top7
core.content_depthContent depth7
core.mobile_parityMobile and desktop parity5
core.entity_consistencyBusiness identity markup4
corpus.unique_titlesUnique page titles7
corpus.duplicate_contentDuplicate content across pages5
core.topic_targetTopic targeting6
core.geo_targetService + place targeting6
core.nap_consistencyBusiness identity (NAP) consistency6
core.local_schemaLocal business structured data5
corpus.site_structureSite structure (pages that can rank)6
core.canonical_conflictsCanonical signal conflicts6
corpus.canonical_targetsCanonical target health5
corpus.sitemap_hygieneSitemap vs crawl hygiene4
core.trust_pagesReal-business trust pages6
corpus.near_duplicateNear-duplicate pages5
core.answer_positionAnswer-first structure4
core.ai_bot_matrixAI bot policy matrix4
core.tel_clicktapTap-to-call phone link2
core.hours_markupOpening hours in structured data2
core.geo_coordinatesMap-pin data (geo or full address)1
core.schema_visible_parityStructured data matches the visible page3
core.schema_review_integritySelf-serving review markup4
corpus.city_swapCity-swapped template pages4

Amplifier: edges that lift a solid core (38 checks)

check idwhat it verifiesweight
core.llms_txtllms.txt file2
corpus.unique_metaUnique meta descriptions4
corpus.internal_linksInternal links4
corpus.anchor_textLink anchor text3
amp.question_headersQuestion-style headings3
amp.snippet_eligibleAI Overviews eligibility6
amp.canonicalCanonical URL4
amp.open_graphSocial sharing tags3
amp.heading_orderHeading order2
amp.hreflangLanguage targeting (hreflang)2
amp.author_bylineAuthor byline3
amp.freshnessHonest dates3
amp.indexnowIndexNow key1
amp.field_cwvReal-user speed data2
corpus.hreflang_reciprocityhreflang return links2
corpus.link_depthClick depth2
amp.service_pagesService page coverage4
amp.location_pagesLocation pages vs doorway risk5
amp.semantic_tablesExtractable tables and lists2
amp.title_rewrite_riskTitle rewrite risk3
amp.site_nameSite name markup2
amp.citable_factsCitable sourced facts2
amp.passage_structurePassage structure2
amp.og_image_validSocial preview image (og:image)2
amp.robots_directivesRobots directive conflicts and noarchive3
corpus.orphan_pagesOrphan pages (sitemap vs internal links)3
corpus.crawl_trapsCrawl traps (parameter and calendar URL explosion)2
corpus.sitemap_lastmodSitemap lastmod accuracy2
amp.schema_breadcrumbBreadcrumb markup validity3
amp.schema_articleArticle markup quality3
amp.schema_productProduct markup quality4
amp.schema_merchant_fieldsMerchant listing fields2
amp.schema_faqFAQ markup structure2
amp.schema_person_authorAuthor markup quality2
amp.schema_videoVideo markup2
amp.schema_dates_consistencySchema date consistency2
amp.homepage_proofHomepage proof sentence2
amp.content_stalenessContent age (18-month staleness)2

Hygiene: leaks that drain earned authority (41 checks)

check idwhat it verifiesweight
corpus.broken_linksDead links4
hyg.httpsHTTPS4
hyg.redirectsRedirects3
hyg.mixed_contentInsecure assets3
hyg.image_dimensionsImage dimensions2
hyg.page_weightPage speed basics2
hyg.viewportMobile viewport3
hyg.img_altImage alt text2
hyg.html_langPage language2
hyg.not_found404 error handling2
hyg.host_consistencyOne site address3
hyg.soft_404Soft 404 pages2
hyg.head_validityHead section integrity4
hyg.url_structureURL structure3
corpus.link_qualityInternal link quality3
hyg.redirect_qualityRedirect technique3
hyg.keyword_stuffingKeyword stuffing3
hyg.hidden_textHidden text2
hyg.placeholder_textPlaceholder content2
hyg.faviconFavicon2
hyg.server_responseServer response and compression2
hyg.folklore_flagsSEO folklore on this site1
hyg.meta_charsetCharset declaration position1
hyg.multiple_titlesTitle element placement2
hyg.base_hrefBase URL override1
hyg.charset_conflictCharset agreement (header vs page)1
corpus.redirected_internal_linksRedirected internal links2
corpus.url_case_consistencyURL case and trailing-slash consistency1
hyg.js_navigationCrawlable navigation links2
hyg.iframe_main_contentMain content inside iframes1
hyg.img_lazy_strategyImage lazy-loading strategy2
hyg.img_responsiveResponsive images2
hyg.img_formatsModern image formats1
hyg.render_blocking_scriptsRender-blocking scripts2
hyg.dom_sizePage complexity (DOM size)2
hyg.third_party_scriptsThird-party scripts2
hyg.font_deliveryFont delivery2
hyg.heavy_embedsHeavy embeds2
hyg.inline_data_urisInline image payloads1
hyg.schema_syntaxJSON-LD syntax2
hyg.local_folkloreLocal SEO folklore (keyword domains, stuffed names)1

The 48 Vibe Audit checks (graded per pillar, 30% of the overall)

Security pillar (23 checks)

check idwhat it verifiesweight
sec.secrets_exposedExposed secret keys in page source10
sec.source_mapsPublished source maps3
sec.vuln_libsOutdated libraries with known CVEs5
sec.form_action_httpsForms submit over HTTPS8
sec.tls_certTLS certificate validity10
sec.tls_protocolModern TLS protocol7
sec.https_redirectHTTP redirects to HTTPS7
sec.hstsHSTS (Strict-Transport-Security)5
sec.cspContent-Security-Policy7
sec.clickjackingClickjacking protection5
sec.nosniffX-Content-Type-Options: nosniff4
sec.referrer_policyReferrer-Policy3
sec.permissions_policyPermissions-Policy3
sec.cors_wildcardCORS not overly permissive7
sec.server_tokensServer version not disclosed3
sec.cookie_flagsCookie security flags5
sec.security_txtsecurity.txt (RFC 9116)2
sec.dotenv_exposed.env file not exposed10
sec.git_exposed.git folder not exposed10
sec.spfSPF email-authentication record5
sec.dmarcDMARC email-authentication record5
sec.sriSubresource Integrity on third-party scripts5
sec.exposed_filesNo exposed backup/config artifacts10

Accessibility pillar (18 checks)

check idwhat it verifiesweight
a11y.langPage language declared (WCAG 3.1.1)6
a11y.img_altImages have alt text (WCAG 1.1.1)8
a11y.form_labelsForm fields labeled (WCAG 1.3.1/3.3.2)8
a11y.page_titlePage has a title (WCAG 2.4.2)6
a11y.heading_orderHeading levels not skipped (WCAG 1.3.1)4
a11y.link_nameLinks have discernible text (WCAG 2.4.4)7
a11y.button_nameButtons have accessible names (WCAG 4.1.2)6
a11y.viewport_zoomZoom not disabled (WCAG 1.4.4/1.4.10)6
a11y.landmarksMain landmark present (WCAG 1.3.1/2.4.1)4
a11y.skip_linkSkip-to-content link (WCAG 2.4.1)2
a11y.tabindex_positiveNo positive tabindex (WCAG 2.4.3)3
a11y.iframe_titleIframes titled (WCAG 4.1.2/2.4.1)4
a11y.autoplay_mediaNo uncontrolled autoplay (WCAG 1.4.2)4
a11y.video_captionsVideo captions track (WCAG 1.2.2)5
a11y.table_headersData tables have headers (WCAG 1.3.1)3
a11y.duplicate_idUnique element ids (legacy WCAG 4.1.1)2
a11y.aria_misuseARIA used correctly (WCAG 4.1.2)4
a11y.alt_qualityAlt text is meaningful (WCAG 1.1.1)4

Privacy pillar (7 checks)

check idwhat it verifiesweight
priv.policy_linkPrivacy policy linked (GDPR/CCPA)7
priv.cookie_consentCookie consent when tracking (ePrivacy)7
priv.trackersThird-party trackers disclosed3
priv.google_fonts_cdnGoogle Fonts self-hosted (GDPR)5
priv.preconsent_cookiesNo tracking cookies before consent (ePrivacy)7
priv.embed_leaksNo IP-leaking third-party embeds (GDPR)5
priv.policy_contentPrivacy policy has substance (GDPR Art. 13/14)5

The 23 informational checks (never scored)

Observed and reported only (23 checks)

check idwhat it verifies
hyg.custom_404Helpful 404 page
hyg.hstsHSTS header (security signal)
hyg.nosniffX-Content-Type-Options (security signal)
hyg.referrer_policyReferrer-Policy header (privacy signal)
hyg.clickjackingClickjacking protection (security signal)
hyg.cspContent-Security-Policy (security signal)
core.train_vs_retrieveAI crawler posture (train vs retrieve)
amp.llms_full_txtllms-full.txt reference
hyg.twitter_cardX (Twitter) card tags (preview signal)
hyg.feed_discoveryRSS/Atom feed (syndication signal)
hyg.target_blank_noopenerNew-tab link rel=noopener (security etiquette)
hyg.map_presenceEmbedded map (convenience signal)
hyg.preconnect_hintsEarly connection hints (performance signal)
hyg.schema_howto_deprecatedHowTo markup (retired rich result)
hyg.cookie_flagsCookie flags (security signal)
hyg.permissions_policyPermissions-Policy header (privacy signal)
hyg.coop_corpCross-origin isolation headers (security signal)
hyg.server_version_leakServer version disclosure (security signal)
hyg.sri_third_partySubresource Integrity on third-party scripts (security signal)
hyg.cache_control_htmlCache-Control on the HTML document (delivery signal)
corpus.service_dead_endsService pages without a next step (conversion signal)
amp.qa_coverageQ&A markup coverage on question pages (answer-engine signal)
hyg.offsite_profilesOff-Google platform links (discovery signal)

Run the method on your site.

what we check · pricing · guides