WQI.web​qualityindex
Method v1.2.0 86 live / 86 total factors methodology

Homecloudflare.com

cloudflare.com

Below Web Standards
Score withheldSite does not meet Web Standards

verdict counts33 pass1 warn10 fail21 n/a·method v1.2.0·scanned 2026-04-29

Fix these to meet Web Standards

Each item below is a binary check — pass or fail. Until they all pass, the contribution score is withheld.

  • Valid heading hierarchy · accessibility
    headings=1|6|6|2|3|2|2|6|3|6|3|6|2|2|4|4|4|3|3|3|2|6|6|6|6|6|6|2|5|5|5|5|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|2|5|5|5, h1_count=1, skips=8
  • Operator is identifiable · identity
    No identifiable operator (no Organization schema, no About page found)
  • No critical mixed content · functional
    Page references HTTP assets on HTTPS context

Web Standards · 3 failing

The table-stakes layer — every site either meets these or doesn’t. The Web Quality score is computed only when Web Standards passes.

Functional

fail2/3

Preconditions for being scored at all — the site responds, isn't on a phishing blocklist, and isn't a parked / for-sale page.

  • Site respondsprecondition
    HTTP 200
  • Not on safe-browsing blocklist
    not measured — dbl_query_refused
  • No deceptive redirectprecondition
    Final host matches requested (cloudflare.com)
  • No critical mixed content
    Page references HTTP assets on HTTPS context

Security

pass4/4

The minimum security baseline every site on the modern web should meet — valid TLS, baseline email auth, no exposed admin surfaces.

  • Valid TLS certificate
    ssl_days_remaining=364.9995883912037, not_after=2027-04-28T07:45:19.000Z, source=url_scanner
  • No exposed sensitive paths
    total_checked=6
  • DMARC published
    present=true, policy=reject
  • SPF record present
    present=true, raw="v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all", qualifier=hardfail
  • No WordPress user enumeration
    n/a — not_wordpress

Legal

pass2/2

The legal disclosures the site is required to publish for the visitors it serves, based on jurisdiction and what data it collects.

  • Privacy policy published
    found=true, href=/trust-hub/trust-and-safety/, text=Trust, privacy, and complianceCompliance information and policies, source=homepage_link
  • Terms of service published
    found=true, href=https://www.cloudflare.com/terms/, text=view, source=homepage_link
  • Cookie consent (where required)
    Not applicable to this site
  • CCPA opt-out link
    Not applicable to this site

Accessibility

fail1/2

The minimum WCAG-aligned accommodations every site owes the humans who land on it — readable contrast, alt text, navigable structure.

  • Image alt text coverage
    total=76, with_alt=76, missing=0, pct=100
  • Sufficient color contrast
    not measured — requires_browser_rendering
  • Valid heading hierarchy
    headings=1|6|6|2|3|2|2|6|3|6|3|6|2|2|4|4|4|3|3|3|2|6|6|6|6|6|6|2|5|5|5|5|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|2|5|5|5, h1_count=1, skips=8

Identity

fail2/3

Whether the site is honest about who runs it and how a visitor can reach a real human.

  • Operator is identifiable
    No identifiable operator (no Organization schema, no About page found)
  • At least one contact channel
    Contact form detected
  • Branded domain email
    branded=true, provider=generic

In plain English · 7 questions, drilling down to the 98 factors

A reader-first rollup. Each card maps to the underlying factors — click to expand, or scroll for the full technical breakdown.

Can people find this site?

fail63
4 of 8 failing — expand to see which.
4 pass · 4 fail · 7 n/a
  • Hidden labels that explain your business to Google
    Behind the scenes, your pages can carry small tags that tell Google whether you're a restaurant, a dentist, or a law firm — and your hours, prices, and reviews. Without them, Google has to guess, and the rich result with stars and photos goes to a competitor instead.
  • Whether your behind-the-scenes labels are valid
    The hidden tags that describe your business to Google only work if they're written correctly. A typo or wrong format and Google ignores them, so the stars, hours, and prices never show up next to your listing.
  • A trail showing where visitors are on your site
    Those little 'Home > Services > Teeth Whitening' trails help Google understand how your pages connect, and they often appear right inside your search result. Without them, your listing looks plainer than competitors'.
  • How well your site feeds AI the right facts
    When ChatGPT or Perplexity describes your business, they're pulling from the structured details on your site. The thinner those details, the more the AI guesses — and the more often it gets your hours, prices, or services wrong.
  • How your site appears when shared or in search results
    The headline, blurb, and image that show up when someone posts your site on Facebook, sends it in iMessage, or sees it in Google. If they're missing or wrong, you look unfinished or attract the wrong clicks.
  • A clear headline on every page
    Every page should announce, in one obvious sentence, what it's about. When that's missing, Google and skim-reading visitors both lose the thread of what you do.
  • Telling Google which language a visitor should see
    If you serve customers in more than one language or country, your site needs to tell Google which version is for whom. Otherwise a Spanish-speaking customer might land on your English page and bounce.
  • How easy it is to reach your deepest pages
    If a customer or Google has to click five or six times from your homepage to find a service or product page, most never make it. Important pages should be two or three clicks away, max.
  • A map of your site for search engines
    Google needs a list of every page you want it to find, plus a note about which ones to skip. Without it, parts of your site quietly go missing from search results.
  • Common questions answered in a Google-friendly way
    When your FAQs are formatted the way Google likes, your answers can show up directly in search — sometimes before anyone even clicks. That's free real estate competitors are taking from you.
  • Whether you're listed with the Better Business Bureau
    Older customers and people considering a big-ticket purchase still check the BBB. An accreditation badge — or just a clean profile — quietly answers the question 'is this business real and reachable if something goes wrong?'
  • Visitor privacy on hostile networks
    Hides which website a visitor is opening from coffee-shop WiFi, corporate proxies, and government censors. It's a newer feature, so having it on is a real sign your site is keeping up with the modern web.
  • A summary file for AI assistants
    ChatGPT, Claude, and Perplexity look for a small text file at /llms.txt to understand what your business is and what to say about it. Without it, they guess, and the guess is often wrong.
  • Whether you're letting AI assistants read your site
    Your site can quietly tell ChatGPT, Claude, and Google's AI to stay out — or to come in. If you're blocking them by accident, you're invisible when customers ask AI for a recommendation in your category.
  • A direct line for AI assistants to your business
    A small file you can publish lets AI tools talk to your site directly — checking availability, prices, or booking. Without it, you're missing out as customers shift from Googling to asking ChatGPT.

Is it safe to visit?

pass95
Visitors are protected from impersonation, eavesdropping, and known attacks.
4 pass · 17 n/a
  • Your site uses up-to-date encryption
    Older versions of the encryption that powers the padlock have known holes and were retired by every major browser years ago. If your server still accepts them, security scanners and payment processors will start flagging you.
  • Your padlock isn't about to expire
    The little padlock next to your address bar comes from a certificate that has to be renewed on a schedule. If it lapses, every browser slams a full-screen red warning in front of your customers and they bounce.
  • Private files aren't open to the public
    Things like login pages, admin panels, and developer files should never be reachable by a stranger typing a guess into their browser. When they are, they become the front door for an attack.
  • Forgotten subdomains aren't an open door
    If you ever spun up something like blog.yoursite.com or shop.yoursite.com and later abandoned it without cleaning up the DNS, a stranger can sometimes claim that address and put their own content under your name.
  • Browser-level protections for visitors
    Hidden settings your site sends to a visitor's browser to block common attacks like fake login overlays, hijacked sessions, and content sniffing. Modern hosting platforms set them by default; older custom-built sites often don't.
  • WordPress isn't leaking your usernames
    A default WordPress setting publishes a list of every login name on your site, which attackers feed straight into password-guessing tools. Turning it off takes one plugin or one line of config.
  • Your domain can't be quietly hijacked
    An extra signature on your domain settings that stops attackers on shared WiFi or shady networks from rerouting your customers to a fake version of your site. Most domain registrars offer it as a one-click toggle.
  • Only your approved vendors can issue your padlock
    A short list at your domain registrar that names which companies are allowed to issue security certificates for your site. Without it, a sloppy or compromised certificate vendor anywhere in the world could mint a fake one for your domain.
  • Your site is on the browser-baked-in safe list
    An opt-in list shipped inside Chrome, Safari, and Firefox themselves. Once your domain is on it, browsers will never let a visitor fall back to an unencrypted connection — even before they've ever visited you.
  • Your domain isn't on a spam blocklist
    Anti-virus tools, email filters, and corporate firewalls share lists of domains tied to malware or scams. If yours lands on one — even by mistake — your emails go to spam and your site gets blocked at offices and schools.
  • The padlock uses strong, modern math
    Inside every encrypted connection there's a recipe — newer recipes are bank-grade, older ones have known weaknesses. If your server still falls back to the old ones, security scanners and cyber-insurance audits will flag it.
  • Old recordings stay locked even if a key leaks
    If someone ever steals your server's master key, well-built encryption still protects every conversation that happened before the theft. Without it, an attacker who quietly recorded traffic for years can suddenly read all of it.
  • Your padlock isn't using outdated keys
    The certificate behind your padlock is signed with a kind of math that has to keep up with the times. Old, short keys are being phased out — sites still using them will start showing warnings in browsers.
  • Your padlock loads cleanly on every device
    Browsers can usually paper over a half-installed certificate, but phones, apps, and older email clients can't — they'll show an error and refuse to connect. This is one of the most common silently-broken setups on the web.
  • Visitors connect faster on the first click
    A small efficiency where your server checks once that the certificate is still valid and shares the answer with everyone, instead of every visitor's browser making its own trip across the internet to ask. Faster page loads, better privacy.
  • Your certificate is publicly logged
    Every legitimate certificate today gets recorded in a public ledger so fake ones get caught quickly. Browsers refuse to trust certificates that skip this step, and yours needs at least two log entries to clear the bar.
  • Future-proof against tomorrow's computers
    Researchers worry that quantum computers, when they arrive, could crack today's encrypted recordings after the fact. The newest encryption recipes already protect against that — and Chrome and Cloudflare turned them on in 2024.
  • Your padlock renews on a healthy schedule
    Short-lived certificates that auto-renew are the new normal — they prove your renewal automation works and limit the damage if a key ever leaks. Multi-year certificates from old paid vendors are increasingly seen as a smell.
  • Strict mode for your padlock check
    An advanced setting that tells browsers to refuse the connection if the freshness check on your certificate goes missing, instead of quietly accepting it. Rarely turned on — when it is, it's a clear sign someone competent runs the server.
  • Your padlock comes from a reputable vendor
    Some certificate vendors have been kicked out of browsers in the past for sloppy practices. Sticking with a well-known name — Let's Encrypt, DigiCert, Cloudflare, Google, Sectigo — means your padlock keeps working on every device for years.
  • Your site finishes its handshake quickly
    Before a page can even start loading, the browser and server have a quick back-and-forth to set up the encrypted connection. When that takes too long, every first-time visitor feels the lag — and Google notices it too.

Is it fast?

fail77
2 of 7 failing — expand to see which.
5 pass · 2 fail · 5 n/a
  • Your photos are saved in modern formats
    Older photo formats can be five times heavier than newer ones, so your homepage drags on a phone and Google notices. Most hosts and platforms can convert your images automatically.
  • Photos lower on the page wait their turn
    When every image loads at once, the top of your page stalls because the phone is busy fetching pictures nobody can see yet. Loading them as a visitor scrolls is a one-line fix that makes the first screen pop in faster.
  • Your homepage isn't bloated
    A homepage that weighs several megabytes punishes anyone on cell service and silently knocks down your Google ranking. Usually the bulk is one giant hero image or a stack of unused plugins.
  • Your site uses a modern web connection
    An older connection style makes every image, font, and script load one after another instead of together — so your phone visitors wait longer than they should. Flipping this on is usually a single setting at your host.
  • Pages get squeezed before they're sent
    Without compression, your visitors download files that are roughly four times bigger than they need to be — burning their data plan and your search ranking. Every modern host supports this; it's almost always just a checkbox.
  • Your site uses the newest connection style
    The latest version of the web's delivery protocol shaves real time off how fast your site feels, especially on spotty mobile networks. It's a free upgrade that better hosts and CDNs already include.
  • Reachable on the modern internet
    A growing share of phone and home networks now use the newer addressing system. Sites stuck on the old one get a small but real ranking nudge against them and load slower for those visitors.
  • How fast your site loads on a phone
    Google's mobile-first index means slow sites rank lower in search and lose visitors before the page paints. Most fixes are configuration changes, not rebuilds.
  • How fast your site loads on a laptop
    Even if most visitors are on phones, a sluggish desktop experience hurts the customers most likely to fill out a long form, book a service, or buy something expensive.
  • How real visitors actually experience your speed
    Google quietly collects loading times from actual Chrome users on your site and uses that — not lab tests — to decide your search ranking. If real visitors are seeing slow pages, your rankings already feel it.
  • Your text shows up while fonts load
    If custom fonts aren't set up right, your headlines stay blank for a second or two — visitors see a flash of nothing where your name should be, then bounce. The fix is one line of code at the font.
  • You're not shipping code visitors don't use
    Themes and page builders often ship piles of features your site never uses, and the visitor's phone has to download all of it anyway. Trimming this is the single biggest speed win on most small-business sites.

Is the business real?

fail87
1 of 7 failing — expand to see which.
6 pass · 1 fail · 7 n/a
  • Your reviews on Trustpilot
    For online stores and B2B services, Trustpilot is often the first place a cautious buyer checks. An empty profile, or no profile at all, makes it easy to walk away from the purchase.
  • How long your site has been online
    Public web archives quietly record when your site first appeared and how often it's updated. A site with years of history reads as established; a site that just popped up reads as a pop-up.
  • Whether anyone's written about you lately
    Recent news mentions — local paper, industry blog, podcast — tell both customers and Google that your business is active and relevant. A long silence reads as a business that's gone quiet.
  • How long your domain has existed
    First-time visitors and fraud-detection systems both treat brand-new domains as suspicious by default. A domain registered yesterday tells the same story to humans and to spam filters.
  • Whether you have a Wikipedia entry
    A Wikipedia page is one of the strongest signals to Google and AI assistants that you're a real, notable business. Most small businesses don't have one — but if you're big enough, missing it is a wasted credibility win.
  • Your company page on LinkedIn
    B2B buyers, recruits, and reporters all check LinkedIn before reaching out. An empty page, or no page, makes you look smaller and less established than you actually are.
  • A contact form people can actually find
    A visible 'get in touch' form is the easiest way to turn a curious visitor into a lead. If finding one takes more than a few seconds, most people just close the tab.
  • Your listing on Google Maps and search
    When someone Googles your business name, this is the panel that shows your address, hours, photos, phone, and reviews. Without one, a customer ready to walk in the door may end up at a competitor.
  • Your reviews on Yelp
    Plenty of customers still check Yelp before booking, especially for restaurants, salons, and home services. No listing — or worse, a listing with two angry reviews and no replies — sends them to the next result.
  • Your listing on Bing and Microsoft Maps
    Bing powers search for millions of Windows users, ChatGPT search, and DuckDuckGo. Without a listing, you're invisible to all of them — and increasingly to AI tools that pull from Bing.
  • Your listing on Apple Maps
    Every iPhone user who asks Siri for directions or searches Apple Maps is using this. If you're not listed, customers driving toward you literally can't find you.
  • Your site can be saved to a phone's home screen
    When this is set up, customers who use your site often can pin it to their home screen like an app — which keeps you a tap away instead of buried in a search. It's a small file, but a missing one signals an older build.
  • Your site can work for a moment offline
    Modern sites can show a useful page even when a customer's phone briefly loses signal — like in an elevator or a bad reception area. Without it, they get a blank error and assume your site is broken.
  • Whether your site is set up to take payments online
    If you sell anything, customers expect to pay on the site without a phone call or invoice email. Missing checkout means lost sales the moment they hesitate.

Does it respect visitor privacy?

fail78
1 of 4 failing — expand to see which.
3 pass · 1 fail · 2 n/a
  • What your site actually drops on visitors' phones
    Tools like Facebook Pixel and Google Ads quietly set tracking cookies the moment someone lands — often before they've agreed to anything. Under European and California law, that gap between landing and consent is what triggers fines.
  • How many outside companies you let watch your visitors
    Every analytics, ad, and chat tool you've added quietly shares your visitors' behavior with another company — and you're legally on the hook for what they do with it. Most small-business sites are running twice as many as the owner realizes.
  • You have a privacy policy page
    Every state and country with a privacy law requires one, and Google, Apple, and Meta all refuse to run ads from sites without it. Missing this is the fastest way to get an ad account suspended or a lawyer's letter.
  • You have a terms of service page
    Without one, you have no written agreement with the people using your site — which makes refund disputes, chargebacks, and copied content much harder to fight. A basic version takes an afternoon and protects you for years.
  • Cookie consent banner for European visitors
    If anyone from the European Union or California can land on your site, the privacy laws there (GDPR and CCPA) require a banner that lets visitors say no to tracking. Fines start at thousands of dollars and the regulators don't warn you first.
  • California privacy opt-out link
    California law requires a clearly labeled "Do Not Sell or Share My Personal Information" link in your footer if you have visitors from California and use ad or analytics tools. The state Attorney General has been actively fining small businesses for missing it.

Can everyone use it?

fail65
2 of 4 failing — expand to see which.
2 pass · 2 fail · 3 n/a
  • Your headings are in a sensible order
    Screen readers let blind visitors jump heading-to-heading the way you skim with your eyes — but only if the headings are nested in order. Out-of-order headings also confuse Google about what your page is actually about.
  • A way to skip past the menu
    Visitors who navigate by keyboard instead of mouse — usually because of a motor or vision impairment — otherwise have to tab through every nav link on every page just to reach your content. It's a small link at the top, and it's checked in nearly every accessibility audit.
  • Your photos have written descriptions
    Blind visitors use software that reads pages out loud, and it can only describe a photo if you've written a short caption behind it. Missing alt text is the single most common item cited in accessibility lawsuits — and Google uses the same text to understand your images.
  • Your buttons and forms are labeled for screen readers
    When a button is just an icon — a magnifying glass, a hamburger menu, a shopping cart — a blind visitor's screen reader has nothing to announce unless someone added a hidden label. Without these, your contact form and checkout are unusable for them, and that's the kind of thing that ends up in a demand letter.
  • You have an accessibility statement
    Posting one signals to the courts and to disabled visitors that you're taking accessibility seriously, and it's the first thing a plaintiff's lawyer looks for when deciding whom to sue. Roughly 4,000 small businesses got accessibility lawsuits last year.
  • Your site works for visitors with disabilities
    About one in four American adults has a disability the courts recognize, and your site is legally required to work for them under the Americans with Disabilities Act (ADA). Lawsuits over this hit small businesses every week, and most settle for $5,000 to $20,000.
  • Text is dark enough to read
    Pale-gray text on white is the single most-cited problem in accessibility lawsuits. It also loses customers over 50, who already squint at their phones.

Will email from this domain actually arrive?

warn94
1 of 10 need attention — expand to see which.
9 pass · 1 warn · 3 n/a
  • A clickable email link on your site
    On a phone, tapping an email address should open the mail app with everything pre-filled. When it's just text someone has to copy and paste, half of them give up.
  • What's actually running your email
    We can usually tell whether your email is on Google Workspace, Microsoft 365, your web host, or something custom. The platform behind your email shapes how reliable it is, how well it filters spam, and how easy it is for a new employee to get an inbox.
  • Stops scammers from emailing customers as you
    Without this, anyone can send phishing email pretending to be from your business — and your customers may receive it as if it really came from you. The fix is a few DNS records your email provider can usually add in under an hour.
  • Lists who's allowed to email as your business
    This tells the rest of the internet which mail services — your provider, your booking system, your CRM — are actually permitted to send email from your domain. Without it, your real messages look as suspicious as a stranger's, and your invoices and confirmations start hitting spam.
  • Shows your logo next to your emails
    When this is set up, Gmail and Apple Mail can display your verified logo in the inbox next to messages from your business — which both looks more professional and helps customers spot real email from you versus impersonators.
  • You email from your own domain, not Gmail
    Customers trust hello@yourbusiness.com a lot more than yourbusiness@gmail.com — the free address makes a real company look like a side hustle, and it's one of the fastest ways to lose a lead before they even reply.
  • You get reports when someone fakes your email
    When this is on, mail providers send you a daily summary of who tried to send email pretending to be your business — so you can spot impersonation attempts before customers do. Without it, scammers can spoof you for months and you'd never know.
  • A real tool for sending receipts and confirmations
    Order confirmations, password resets, and appointment reminders need to land in the inbox every single time. Sending them through a dedicated service — instead of straight from your website — is the difference between customers getting their receipt and them calling you confused.
  • Your email setup is under a hidden limit
    There's a behind-the-scenes ceiling on how many email tools can be authorized to send as your business at once. When you add too many — newsletter, booking, invoicing, helpdesk — you quietly cross the line and all of them start landing in spam.
  • Your email is being forwarded, not hosted
    Instead of having a real inbox at your domain, mail to your address is being bounced over to a personal Gmail or Yahoo account. It works, but it's fragile — replies often look broken to customers, and the setup tends to fall apart as your business grows.
  • Proves your email actually came from you
    When your email arrives, this is the invisible signature that tells Gmail and Outlook it really came from your business and wasn't tampered with along the way. Without it, your messages are more likely to land in spam or get blocked.
  • Keeps your email private in transit
    These settings tell other mail servers they must use encryption when delivering email to you, so an attacker on the network can't read or quietly redirect it. Most small businesses don't have this turned on yet, and the bigger your domain gets, the more it matters.
  • A real tool for sending newsletters
    If your business sends marketing email, doing it through a service like Mailchimp or Klaviyo (instead of from your personal inbox) is what keeps you out of spam folders and out of legal trouble with unsubscribe rules.

Technical breakdown · deeper data behind the verdict

Categories

8 categories · worst grade F
CategoryGradeScoreApplicable
AI-readinessF 301/4
AccessibilityD 654/7
SEOD 677/11
PerformanceC 777/12
PrivacyC 784/6
Brand presenceA 9110/21
SecurityA 954/21
Email healthA 9512/16

Standards compliance

19 satisfied · 10 partial · 5 failed · 66 n/a
StandardCategoryVerdictWhy it matters
Cookie consentPrivacyfailedEuropean DPAs have ramped up enforcement against dark-pattern banners and silent tracking. Even outside the EU, a clean consent layer is becoming the baseline trust expectation.
WebP / AVIFPerformancefailedImages are typically 50–70% of homepage weight. Cutting that in half with format conversion alone moves LCP, mobile data costs, and bounce rate measurably. Most CDNs (Cloudflare Polish, Fastly Imag…
Schema.orgSEOfailedSchema is the single highest-leverage SEO change for AI search era. ChatGPT, Perplexity, Gemini, and Google Knowledge Graph all parse it. No schema = no rich snippets and weak AI citation.
BreadcrumbsSEOfailedWhen Google shows breadcrumbs instead of the raw URL, mobile click-through measurably lifts. Breadcrumb schema is one of a shrinking set of rich-result types still supported (FAQ and HowTo lost the…
C2PAAI-readinessfailedProvenance is the new credibility signal in an AI-generated content world. Major newsrooms (BBC, NYT) and platforms (LinkedIn, TikTok via experiments) verify C2PA manifests; OpenAI signs DALL·E and…
WCAG AAAccessibilitypartialWCAG AA is the conformance target referenced by the ADA, EAA, Section 508, and most procurement contracts. Falling short isn't just a UX problem — it's the standard plaintiffs' lawyers cite in acce…
WCAG AAccessibilitypartialLevel A is table-stakes; nobody designs *to* Level A as a goal, but failing it is a sign of deeper problems. Use it as an early-warning signal on the way to AA.
WCAG 2.1 AAAccessibilitypartialIf your obligation flows from EAA, UK PSBAR, RGAA, or BITV 2.0, the legal text says "2.1 AA" — meeting 2.2 AA satisfies it (2.2 is a strict superset), but you can't claim conformance to a regulatio…

View all 100 standards →

Site profile + facts

Corporate / B2B · 12 attributes detected · 12 n/a by applicability

Classification driving applicability · deep detection

Site type
Corporate / B2Bconfidence 20%
Vertical
Other
Jurisdiction
Canada
Detected stack
framework: astro · hosting: cloudflare-pages · cdn: cloudflare

Site facts

Hosting
Cloudflare, Inc.
Managed host
Cloudflare (host hidden)
CDN / WAF
Cloudflare / Cloudflare
DNS provider
Cloudflare
Platform
Email provider
custom-or-self-hosted
Spam protection
Mail forwarder
Marketing ESP
mailchimp-mandrill
DMARC policy
reject
Hosting country
Canada
Registrar
Cloudflare, Inc.

12 factors marked n/a by applicability rules — see the factors table for per-factor reasons.

All factors

44 scored · 33 pass · 1 warn · 10 fail · 21 n/a of 65 applicable
#FactorCategoryVerdictScoreEvidence
32Image optimization (WebP/AVIF)Performancefail30total=76, modern=0, pct=0
35Lazy loading on below-fold imagesPerformancefail30total=76, below_fold=71, lazy=1
12Schema.org structured data presenceSEOfail30node_count=0, has_h1=true
39Schema.org type validity (parsed JSON-LD)SEOfail30total=0, valid=0
40Breadcrumb schemaSEOfail30present=false
45JSON-LD richness score for LLMsAI-readinessfail30org_complete=false, has_address=false, has_contact_point=false, has_same_as=false, has_content_type=false, breakdown={"coreOrg":0,"contact":0,"sameAs":0,"contentType":0}
51Cookie scan — actual cookies set on first loadPrivacyfail30count=7, names=cf_willow_version_key|_cfms_willow|_ga|cfz_google-analytics_v4|cfz_adobe|kndctr_8AD56F28618A50850A495FB6_AdobeOrg_identity|__cf_bm, with_cmp=false
55Heading hierarchy validityAccessibilityfail30headings=1|6|6|2|3|2|2|6|3|6|3|6|2|2|4|4|4|3|3|3|2|6|6|6|6|6|6|2|5|5|5|5|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|6|2|5|5|5, h1_count=1, skips=8
58Skip-to-content linkAccessibilityfail30found=false
60Trustpilot presence + ratingBrand presencefail30no_link_on_site
84Mailto: direct contact link presentEmail healthwarn60has_alternative_channel=true
27TLS minimum version supported?Securitypass80method=heuristic, https=true, final_url=https://www.cloudflare.com/, hsts=true
37Total homepage byte weightPerformancepass80html_bytes=982344, subresource_bytes=0, total_bytes=982344, total_kb=959, sampled=16, total_refs=16
11Title, meta description, OG, Twitter cards, canonicalSEOpass80title=true, description=true, og=true, twitter=false, canonical=true
49Third-party tracker countPrivacypass80count=1, hosts=static.cloudflareinsights.com
76Email provider class (Workspace / 365 / Zoho / self-hosted / shared)Email healthpass80provider=cloudflare_area_1, mx=mxa-canary.global.inbound.cf-emailsecurity.net|mxb-canary.global.inbound.cf-emailsecurity.net|mxa.global.inbound.cf-emailsecurity.net|mxb.global.inbound.cf-emailsecurity.net, source=mx_classifier
18Wayback Machine site age & last snapshotBrand presencepass88first_snapshot=2009-09-01T03:58:18Z, last_snapshot=2009-09-01T03:58:18Z, estimated_age_years=16.7, first_years_ago=16.657214004011713, last_days_ago=6084.047414965278
20News mentions in last 30 daysBrand presencepass90news_mentions_count=20
5SSL certificate validity & expiration windowSecuritypass100ssl_days_remaining=364.9995883912037, not_after=2027-04-28T07:45:19.000Z, source=url_scanner
7Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)Securitypass100total_checked=6
28Subdomain takeover surfaceSecuritypass100dangling_count=0
9HTTP/2 supportPerformancepass100perf_http2=true
10Compression (Brotli / gzip)Performancepass100perf_compression=br
30HTTP/3 supportPerformancepass100source=https_rr, supports_h3=true
31IPv6 supportPerformancepass100apex_aaaa_count=2, apex_aaaa=2606:4700::6810:85e5|2606:4700::6810:84e5, www_aaaa_count=0, source=apex
13H1 tag presenceSEOpass100h1_count=1, h1_text=Connect, protect, and build everywhere, source=ctx_html_parse
42hreflang for multi-language sitesSEOpass100html_lang=en, languages_seen=en, alternates=25, alternate_langs=en|de|es|fr|id|it|nl|ja|ko|th|tr|pl|pt|sv|vi|ru|zh|ar|he
43Internal link depth (clicks from homepage to deepest content)SEOpass100max_depth=1, pages_fetched=50, pages_seen=249, capped_at=50
47Privacy policy page presencePrivacypass100found=true, href=/trust-hub/trust-and-safety/, text=Trust, privacy, and complianceCompliance information and policies, source=homepage_link
48Terms of service page presencePrivacypass100found=true, href=https://www.cloudflare.com/terms/, text=view, source=homepage_link
54Image alt text coverageAccessibilitypass100total=76, with_alt=76, missing=0, pct=100
57ARIA labels presence and validityAccessibilitypass100aria_attr_count=167, role_count=329, errors=0
17Domain age (RDAP / WHOIS)Brand presencepass100domain_age_years=17.2
21Wikipedia entityBrand presencepass100found=true, title=Cloudflare, url=https://en.wikipedia.org/wiki/Cloudflare
62LinkedIn Company Page (presence + employee count + follower count)Brand presencepass100url=https://www.linkedin.com/company/cloudflare
83Visible contact form on siteBrand presencepass100detected=true, source=form, count=1
1DMARC enforcementEmail healthpass100present=true, policy=reject
3SPF record present and validEmail healthpass100present=true, raw="v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all", qualifier=hardfail
25BIMI + VMCEmail healthpass100record=v=BIMI1; l=https://www.cloudflare.com/cloudflare_1171114652.svg; a=https://www.cloudflare.com/cloudflare_1171114652.pem, logo_url=https://www.cloudflare.com/cloudflare_1171114652.svg, vmc_url=https://www.cloudflare.com/cloudflare_1171114652.p…
75Branded domain email address (vs free Gmail/Yahoo)Email healthpass100branded=true, provider=generic
77DMARC aggregate reporting enabled (rua=)Email healthpass100has_dmarc_reporting=true, audit_flag=true, derived_from_raw=true, source=derived_from_raw, dmarc_raw="v=DMARC1; p=reject; pct=100; rua=mailto:rua@cloudflare.com,mailto:cloudflare@dmarc.area1reports.com; ruf=mailto:cloudflare@dmarc.area1reports.com"
81Transactional email provider detected (from SPF includes)Email healthpass100providers=Mandrill|Zendesk|Salesforce
82SPF lookup count (10-limit deliverability check)Email healthpass100lookups=7, limit=10
85Email forwarding service detected (improvmx, forwardemail, etc.)Email healthpass100hosts=mxa-canary.global.inbound.cf-emailsecurity.net|mxb-canary.global.inbound.cf-emailsecurity.net|mxa.global.inbound.cf-emailsecurity.net|mxb.global.inbound.cf-emailsecurity.net, kind=unknown
4Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options)Securityn/an/a:This platform doesn't allow site owners to set custom HTTP response headers, so security-headers grading isn't fair
6WordPress REST API user enumeration exposureSecurityn/an/a:not_wordpress
22DNSSEC validationSecurityn/an/a:This platform doesn't let site owners edit DNS records, so DNSSEC can't be enabled
23CAA recordsSecurityn/an/a:This platform doesn't let site owners edit DNS records, so CAA can't be set
26HSTS preload list inclusionSecurityn/an/a:HSTS preload requires header control + a passing security-headers result; one or both is missing here
29Spam / phishing blocklist presenceSecurityn/anot measured — dbl_query_refused
8Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS)Performancen/anot measured — audit_field_missing
33Desktop PageSpeed scorePerformancen/afetch failed — psi_non_2xx
34Core Web Vitals from CrUX (Real User Monitoring)Performancen/afetch failed — psi_non_2xx
36Font loading strategy (FOUT/FOIT/swap)Performancen/an/a:no_font_face
14Sitemap.xml + robots.txt presenceSEOn/an/a:This platform manages robots.txt centrally and doesn't let site owners customize it
41FAQ / HowTo schema (where applicable)SEOn/an/a:not_applicable
15llms.txt presenceAI-readinessn/an/a:This platform doesn't let site owners publish arbitrary root-path files like /llms.txt
16AI crawler robots.txt directivesAI-readinessn/an/a:AI crawler directives live inside robots.txt, which this platform doesn't let site owners edit
46Cookie banner presence + CMP detectionPrivacyn/an/a:Cookie consent banners are graded for sites serving EU / UK / California users (GDPR, ePrivacy, CPRA). Other sites get n/a.
50CCPA "Do Not Sell or Share My Personal Information" linkPrivacyn/an/a:CCPA "Do Not Sell or Share" is a California requirement; non-US sites follow GDPR / local equivalents
53axe-core / WAVE accessibility scanAccessibilityn/anot measured — axe_requires_browser_rendering
56Color contrast (WCAG AA)Accessibilityn/anot measured — requires_browser_rendering
2DKIM signingEmail healthn/an/a:DKIM is only graded for sites that send mail (branded domain email present)
24MTA-STS & TLS-RPTEmail healthn/an/a:MTA-STS and TLS-RPT require DNS TXT records the site owner can't publish on this platform
80Email Service Provider (ESP) detectedEmail healthn/an/a:ESP detection requires a newsletter signup to be present

11 additional factors planned, scorer not yet implemented — see methodology for the full roadmap.

writes a fresh score to the registry

Scores computed under method v1.2.0. See the methodology for the full factor list and per-factor specifications.