DevForge's site audit auto-checks 48 items across 6 categories: Security 11, SEO 15, LLMO 9, Performance 6, Accessibility 2, Integration 5. Each item scores pass (1pt) / warn (0.5pt) / fail (0pt), normalized to a 100-point score. Below is every item with how-to-check and how-to-fix notes.

Security (11 items)

1. HTTPS

Does your URL use https://? Get a free cert from Let's Encrypt. Caddy / Vercel / Cloudflare handle this automatically.

2. HTTP→HTTPS redirect

Does http:// redirect to https://? Caddy does this by default. Watch for subdomains where the redirect is missing.

3. HSTS (Strict-Transport-Security)

Header that forces browsers to use HTTPS. Add Strict-Transport-Security: max-age=31536000; includeSubDomains.

4. X-Frame-Options

Clickjacking protection. Add X-Frame-Options: SAMEORIGIN or use CSP frame-ancestors.

5. X-Content-Type-Options

MIME sniffing protection. Simply add X-Content-Type-Options: nosniff.

6. Referrer-Policy

Controls how much referrer info is sent. Referrer-Policy: strict-origin-when-cross-origin is a safe default.

7. Server info exposure

Are Server / X-Powered-By headers leaking your middleware version? Remove or mask them so attackers can't map known CVEs.

8. Cookie attributes

Do your Set-Cookie headers include Secure / HttpOnly / SameSite? Basic protection against session theft and CSRF.
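The header checks in items 3 to 8, applied to one response, as an added example (not DevForge's own code). The function names, the choice of where to give a warn, and the exact normalization formula are assumptions of this example; the recommended header values and the pass/warn/fail points come from the checklist above.

```python
import re

POINTS = {"pass": 1.0, "warn": 0.5, "fail": 0.0}  # scoring from the intro

def audit_headers(headers, set_cookies):
    """Grade checklist items 3-8 from one response's headers.
    headers: dict of response headers; set_cookies: raw Set-Cookie values.
    Where a 'warn' is given is this example's choice, not DevForge's rule.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = {}
    # 3. HSTS: fail if absent, warn if max-age is under the one-year value above.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    out["hsts"] = "fail" if not m else ("pass" if int(m.group(1)) >= 31536000 else "warn")
    # 4. Framing: X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    framed = xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp
    out["framing"] = "pass" if framed else "fail"
    # 5. MIME sniffing: the only valid value is nosniff.
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    out["nosniff"] = "pass" if nosniff else "fail"
    # 6. Referrer-Policy: take the last entry of a comma-separated list (simplified).
    rp = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    out["referrer"] = "fail" if not rp else ("warn" if rp == "unsafe-url" else "pass")
    # 7. Banner: a digit in Server / X-Powered-By is treated as a version leak.
    banner = h.get("server", "") + " " + h.get("x-powered-by", "")
    out["server_info"] = "fail" if re.search(r"\d", banner) else "pass"
    # 8. Cookies: every Set-Cookie needs Secure, HttpOnly and SameSite.
    need = {"secure", "httponly", "samesite"}
    def attrs(cookie):
        return {p.split("=")[0].strip().lower() for p in cookie.split(";")[1:]}
    out["cookies"] = "pass" if all(need <= attrs(c) for c in set_cookies) else "fail"
    return out

def score(results):
    """Normalize to 100 (assumed formula: mean of item points times 100)."""
    return round(100 * sum(POINTS[r] for r in results.values()) / len(results))

# Constructed sample responses, not captured from a real site.
GOOD = ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
         "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
         "Referrer-Policy": "strict-origin-when-cross-origin", "Server": "Caddy"},
        ["sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax"])
WEAK = ({"Strict-Transport-Security": "max-age=300", "Server": "nginx/1.18.0",
         "X-Powered-By": "PHP/7.4.3", "Content-Security-Policy": "frame-ancestors 'self'"},
        ["sid=abc; Path=/; HttpOnly"])
```

Calling score(audit_headers(*WEAK)) shows how one short max-age and a handful of missing headers pull the category score down.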

9. .env exposure

Is /.env publicly accessible? Highest-severity issue — block it immediately. DevForge actually GETs it and checks for KEY=value content to avoid false positives.

10. .git exposure

If /.git/config is reachable, your entire source can be reconstructed. Exclude .git from deploys or block it explicitly.
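Why items 9 and 10 look at the response body rather than the status code, as an added example (not DevForge's code): it classifies already-fetched responses from your own site. The function name, the 50% threshold and the section-header test for /.git/config are assumptions of this example; the page only states that the /.env check looks for KEY=value content.

```python
import re

ENV_LINE = re.compile(r"^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=")
GIT_SECTION = re.compile(r"^\s*\[(core|remote|branch)\b", re.M)

def is_exposed(path, status, content_type, body):
    """True only when the body really looks like the sensitive file.

    A 200 alone is not enough: single-page apps and catch-all routes often
    answer 200 with an HTML page for any path, which would be a false positive.
    """
    if status != 200 or not body.strip():
        return False
    head = body.lstrip().lower()
    if "html" in content_type.lower() or head.startswith(("<!doctype", "<html")):
        return False
    if path == "/.env":
        # Ignore blank lines and comments, then require that at least half of
        # the remaining lines are KEY=value (threshold is an assumption).
        lines = [l for l in body.splitlines()
                 if l.strip() and not l.lstrip().startswith("#")]
        hits = sum(1 for l in lines if ENV_LINE.match(l))
        return bool(lines) and hits / len(lines) >= 0.5
    if path == "/.git/config":
        return bool(GIT_SECTION.search(body))
    return False

# Constructed sample responses: (path, status, content-type, body).
SAMPLES = {
    "real_env": ("/.env", 200, "text/plain",
                 "# app\nDB_HOST=localhost\nexport API_KEY=placeholder\n"),
    "spa_fallback": ("/.env", 200, "text/html; charset=utf-8",
                     "<!doctype html><html><body>App</body></html>"),
    "blocked": ("/.env", 403, "text/plain", "Forbidden"),
    "soft_404": ("/.env", 200, "text/plain", "Page not found"),
    "git_config": ("/.git/config", 200, "application/octet-stream",
                   "[core]\n\trepositoryformatversion = 0\n"),
}

def run_samples():
    return {name: is_exposed(*resp) for name, resp in SAMPLES.items()}
```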

11. Mixed Content

Are you loading http:// resources inside https:// pages? Make everything https:// or protocol-relative //.

SEO (15 items)

1. robots.txt

Do you have a crawler control file? Place /robots.txt at the root.

2. sitemap.xml

Is your sitemap referenced from robots.txt? In Next.js, app/sitemap.ts generates it dynamically.

3. Meta title

10-70 character <title> tag. The single most important element for search results.

4. Meta description

50-160 character description. Major impact on click-through rate.

5. Viewport

Mobile optimization meta. <meta name="viewport" content="width=device-width, initial-scale=1">

6. Canonical URL

<link rel="canonical" href="..."> to prevent duplicate content penalties.

7. OGP tags

og:title, og:description, og:image — essential for social share previews.

8. Twitter Card

Is twitter:card (e.g. summary_large_image) set? Optimizes how links render on X (Twitter).

9. H1 tag

Exactly one H1 per page. Zero is terrible, multiple is confusing.

10. lang attribute

<html lang="en"> or similar. Required for multilingual sites.

11. favicon

Is /favicon.ico or <link rel="icon"> present? Also make sure it isn't returning an empty (0-byte) file.

12. apple-touch-icon

Icon for iOS 'Add to Home Screen'. Add <link rel="apple-touch-icon" href="...">.

13. theme-color

<meta name="theme-color"> sets the mobile browser address-bar color — a small branding detail.

14. robots meta tag

Page-level indexing directive like <meta name="robots" content="index,follow">. Make sure you didn't ship with noindex by mistake.

15. hreflang

For multilingual sites, <link rel="alternate" hreflang="..."> tells search engines how language variants map. Not applicable to single-language sites.

LLMO (9 items)

For background, read "What is LLMO" and the "llms.txt Complete Guide". The 9 audited items:

1. llms.txt

Is /llms.txt or /llms-full.txt installed? A Markdown file describing your site and key links for AI.

2. AI crawler access

Are GPTBot / ClaudeBot / PerplexityBot / Google-Extended blocked in robots.txt? Allow them if you want citations and traffic.

3. JSON-LD

Is schema.org structured data embedded via <script type="application/ld+json">?

4. schema.org type

Is the JSON-LD @type meaningful (WebSite / Article / SoftwareApplication) rather than just a generic Thing?

5. Semantic HTML

Does your structure use <article> / <main> / <section> / <nav> / <header> / <footer>?

6. Image alt coverage

Alt attributes help LLMs understand images — 80%+ coverage is the target to pass.

7. Content extractability

AI crawlers don't run JS, so your HTML needs substantial static text (1000+ chars to pass). Use SSR/SSG.

8. Article metadata

Do article pages carry BlogPosting data (datePublished / author)? Helps AI judge the source and freshness.

9. RSS/Atom feed

Is there a machine-readable RSS/Atom feed? Helps AI agents and readers detect new content.

Performance (6 items)

1. Response time

Is the initial HTML response fast enough? Slow responses hurt both Core Web Vitals and bounce rate.

2. Compression (gzip/br)

Is Content-Encoding gzip or brotli applied? Dramatically cuts text transfer size.

3. Cache-Control

Do static assets have proper Cache-Control? Makes repeat visits much faster.

4. HTML size

Is your HTML bloated? Consider splitting out huge inline JSON or CSS.

5. Image width/height

Do <img> tags specify width/height (or aspect-ratio)? Prevents layout shift (CLS).

6. Image lazy loading

Do below-the-fold images use loading="lazy"? Reduces initial load.

Accessibility (2 items)

1. ARIA landmarks

Are key regions marked with <main> / <nav> / role attributes? Improves navigation for screen-reader users.

2. Form labels

Are inputs tied to a <label> or aria-label? Helps both usability and machine readability.

Integration (5 items)

1. Google Analytics

Is GA4 tracking installed and linked in DevForge's integration settings?

2. Search Console

Is your site registered with Search Console and linked to DevForge? Required for query analytics.

3. AdSense

If you use AdSense, is the tag installed? If not, mark it 'excluded' per project.

4. ads.txt

If you use AdSense, is /ads.txt installed to prevent ad fraud?

5. PWA manifest

A manifest.json enables 'Add to Home Screen'. Sites that aren't PWAs can mark this excluded.

Automate it

Checking all 48 items manually is a pain. DevForge's site audit tool runs the entire checklist in about a minute and shows specific fixes for every issue. Items that don't apply to your site (e.g. AdSense) can be marked 'excluded' per project so they don't affect your score — free, no signup.