Web Standards · the table-stakes layer
19 items · 5 pillars · 17 scored · 2 preconditions · strict v1
Web Standards is the table-stakes layer of WQI's scoring model. Every site on the modern web should meet these — they aren't ambitious, they're the minimum. Items are scored as binary pass/fail, organised into five pillars: Functional preconditions, Security, Legal, Accessibility, and Identity.
Strict v1: any applicable item that fails causes Web Standards as a whole to fail, and the Web Quality score is withheld. Items marked precondition are kill-switches — failing one means the site is unreachable, on a blocklist, or pretending to be a different host, and we don't show a score at all.
Web Standards items can be gated by site type or jurisdiction. A personal one-pager has no Legal pillar; a non-EU site doesn't owe cookie consent under GDPR. When an item is gated out, it counts as n/a — not a pass, not a fail.
Pillars at a glance
| Pillar | Items | Scope |
|---|---|---|
| Functional | 4 | Preconditions for being scored at all — the site responds, isn't on a phishing blocklist, and isn't a parked / for-sale page. |
| Security | 5 | The minimum security baseline every site on the modern web should meet — valid TLS, baseline email auth, no exposed admin surfaces. |
| Legal | 4 | The legal disclosures the site is required to publish for the visitors it serves, based on jurisdiction and what data it collects. |
| Accessibility | 3 | The minimum WCAG-aligned accommodations every site owes the humans who land on it — readable contrast, alt text, navigable structure. |
| Identity | 3 | Whether the site is honest about who runs it and how a visitor can reach a real human. |
Functional
4 items · pillar id functional
Preconditions for being scored at all — the site responds, isn't on a phishing blocklist, and isn't a parked / for-sale page.
- Reference
- functional:site-responds
- Pass criteria
- Strict — passes only on pass.
- Why
- Final HTTP status is 200..399. A parked, for-sale, 503'd, or NXDOMAIN site has no quality to grade.
- Reference
- WEBQ-29
- Pass criteria
- Strict — passes only on pass.
- Why
- A listing on Google Safe Browsing or a major spam DBL means visitors are being warned away by their browser. Currently scored, but not a kill-switch — connector reliability under review.
- Reference
- identity:no-deceptive-redirect
- Pass criteria
- Strict — passes only on pass.
- Why
- Final URL host matches the requested host (modulo www / protocol). A request for nytimes.com that lands on sketchy-clone.tk is being scored as the wrong site.
- Reference
- functional:no-mixed-content
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- HTTP assets on an HTTPS page leak referrer, break in modern browsers, and put the lock icon in question. Soft precondition — warn allowed for legacy embeds.
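The pass rules from the introduction (strict, tolerant, n/a, precondition kill-switch) combined with the checks described for functional:site-responds and identity:no-deceptive-redirect, as an added example that is not WQI's own code. It assumes those two items are the two preconditions (the page does not say which items carry the mark); the function names, the "no score" string and the sample outcomes are constructed for illustration.

```python
from urllib.parse import urlsplit

def canonical_host(url):
    """Host for comparison: lowercased, no trailing dot, no leading 'www.'."""
    if "://" not in url:                 # bare "nytimes.com": give urlsplit a netloc
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def site_responds(final_status):
    """functional:site-responds. None stands for NXDOMAIN or no response."""
    return final_status is not None and 200 <= final_status <= 399

def no_deceptive_redirect(requested, final_url):
    """identity:no-deceptive-redirect: same host modulo www / protocol."""
    want = canonical_host(requested)
    return bool(want) and want == canonical_host(final_url)

def item_passes(outcome, mode):
    """Strict passes only on 'pass'; tolerant passes on 'pass' or 'warn'."""
    return outcome == "pass" or (mode == "tolerant" and outcome == "warn")

def web_standards(requested, final_url, final_status, items):
    """items: (item_id, mode, outcome) tuples; outcome 'n/a' means gated out."""
    # Assumed preconditions (kill-switches): a failure withholds the score.
    if not (site_responds(final_status)
            and no_deceptive_redirect(requested, final_url)):
        return "no score"
    failed = [item_id for item_id, mode, outcome in items
              if outcome != "n/a" and not item_passes(outcome, mode)]
    return "fail: " + ", ".join(failed) if failed else "pass"

# Constructed outcomes for a non-EU site; modes are the ones listed on this page.
SAMPLE = [
    ("WEBQ-5", "tolerant", "warn"),    # passes: tolerant accepts warn
    ("WEBQ-7", "strict", "pass"),
    ("WEBQ-46", "tolerant", "n/a"),    # gated out by jurisdiction: ignored
]

if __name__ == "__main__":
    print(web_standards("nytimes.com", "https://www.nytimes.com/", 200, SAMPLE))
    print(web_standards("nytimes.com", "https://sketchy-clone.tk/", 200, SAMPLE))
    strict_warn = [("WEBQ-7", "strict", "warn")] + SAMPLE[2:]
    print(web_standards("nytimes.com", "https://nytimes.com/", 200, strict_warn))
```

The host comparison uses the parsed hostname rather than a substring match, so a final URL that merely contains the requested name (as a subdomain label or in the userinfo part) does not pass.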
Security
5 items · pillar id security
The minimum security baseline every site on the modern web should meet — valid TLS, baseline email auth, no exposed admin surfaces.
- Reference
- WEBQ-5
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- Every modern browser will block or warn on an invalid certificate. An expired or self-signed cert breaks the site for ordinary visitors.
- Reference
- WEBQ-7
- Pass criteria
- Strict — passes only on pass.
- Why
- An exposed /.git, /.env, or /admin, or a readable wp-config.php, means credentials and source code are leaking. This is a vulnerability, not a polish issue.
- Reference
- WEBQ-1
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- Any DMARC policy (even p=none) shows the operator has thought about email spoofing. The bar cares about presence, not enforcement.
- Reference
- WEBQ-3
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- Without SPF, anyone can spoof mail from this domain. Required for any site whose domain is also used for email.
- Reference
- WEBQ-6
- Pass criteria
- Strict — passes only on pass.
- Why
- On a WordPress site, a REST API that leaks usernames hands attackers half of every credential pair. Strict pass — n/a on non-WP.
Legal
4 items · pillar id legal
The legal disclosures the site is required to publish for the visitors it serves, based on jurisdiction and what data it collects.
- Reference
- WEBQ-47
- Pass criteria
- Tolerant — passes on pass or warn.
- Applies when
- excluded for site types: Personal site
- Why
- Any site collecting visitor data — analytics, cookies, forms — is required to disclose it. Personal one-pagers are exempt.
- Reference
- WEBQ-48
- Pass criteria
- Tolerant — passes on pass or warn.
- Applies when
- excluded for site types: Personal site, Blog
- Why
- Commercial sites need ToS to define the relationship with visitors. Read-only blogs and personal sites don't.
- Reference
- WEBQ-46
- Pass criteria
- Tolerant — passes on pass or warn.
- Applies when
- excluded for site types: Personal site
- only in jurisdictions: European Union, United Kingdom
- Why
- GDPR and the UK GDPR require a CMP for any site setting non-essential cookies. Hard requirement in those jurisdictions.
- Reference
- WEBQ-50
- Pass criteria
- Tolerant — passes on pass or warn.
- Applies when
- excluded for site types: Personal site, Blog
- only in jurisdictions: United States
- Why
- California requires a 'Do Not Sell or Share' link on commercial sites that handle CA-resident data.
Accessibility
3 items · pillar id accessibility
The minimum WCAG-aligned accommodations every site owes the humans who land on it — readable contrast, alt text, navigable structure.
- Reference
- WEBQ-54
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- Screen-reader users can't navigate a site whose meaningful images have no alt text. Bar passes on ≥80% coverage.
- Reference
- WEBQ-56
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- Body text below WCAG AA contrast is unreadable to a meaningful slice of visitors. Bar passes on no critical violations.
- Reference
- WEBQ-55
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- Headings are how assistive tech navigates the page. A page with no H1 or with H1→H4→H2 leapfrog isn't navigable.
Identity
3 items · pillar id identity
Whether the site is honest about who runs it and how a visitor can reach a real human.
- Reference
- identity:operator-identified
- Pass criteria
- Tolerant — passes on pass or warn.
- Why
- An About page, an org name in the footer, or imprint metadata. Anonymous sites can't be held accountable, and that's the opposite of a positive contributor.
- Reference
- identity:contact-channel
- Pass criteria
- Strict — passes only on pass.
- Why
- A mailto:, a contact form, or a visible support address. Synthesised from factors 83 and 84 — passes if either contact form OR mailto: is detected.
- Reference
- WEBQ-75
- Pass criteria
- Tolerant — passes on pass or warn.
- Applies when
- excluded for site types: Personal site
- Why
- Commercial sites listing 'gmail.com' as the contact address signal that the operator hasn't bothered to set up basic infrastructure — and visitors can't verify the email actually represents the site.
Related
- Methodology overview — the two-tier model and the full 91-factor list.
- Web Quality — the weighted 0..100 score over factors above Web Standards.