CrawlProof
Download fix prompt

AEO Audit for go.getpicks.app

Target: https://www.go.getpicks.app/
Score: 32 / 100
Generated: 2026-05-21T07:29:52.130Z
Pages crawled: 1
Findings: 1 pass · 44 warn · 4 fail · 0 unknown

1. Crawl Summary

2. Data Found

Data PointFound?SourceNotes
PricingNo
Customer logosNo
Social proofNo
Recent launchesNo
Blog post activityNo
New hiresNoOften only on a /blog/team or LinkedIn page
Headline copyNo
PositioningNo
Executive teamNo
Product/service descriptionsNo
Case studies or testimonialsNo
Contact/demo/signup pathsNo

3. Homepage Audit

  • Homepage could not be fetched fetch failed

4. Content Quality

No findings.

5. Schema / Structured Data Audit

No findings.

6. Links & Images

No findings.

7. Performance

No findings.

8. Security

  • ⚠️ HSTS missing Add Strict-Transport-Security: max-age=31536000; includeSubDomains once you're confident in https.
  • ⚠️ Content-Security-Policy missing Define a CSP to limit script sources — large reduction in XSS surface.
  • ⚠️ X-Frame-Options missing Add X-Frame-Options: SAMEORIGIN (or use CSP frame-ancestors) to prevent clickjacking.
  • ⚠️ X-Content-Type-Options missing Add X-Content-Type-Options: nosniff to block MIME-type sniffing.
  • ⚠️ Referrer-Policy missing Add Referrer-Policy: strict-origin-when-cross-origin for safer referrers.
  • ⚠️ Permissions-Policy missing Restrict browser features (camera, mic, geolocation) you don't use.
  • Served over HTTPS

9. robots.txt and sitemap.xml Audit

  • sitemap.xml not found Add /sitemap.xml — required for reliable AI/SERP discovery.
  • ⚠️ robots.txt not found No /robots.txt was reachable. Add one explicitly — silence is read differently by different crawlers, and you lose the chance to control AI bots.

10. LLM / AI Crawler Accessibility

  • ⚠️ llms.txt missing Add /llms.txt — a concise, link-rich summary that helps LLMs orient on your site.
  • ⚠️ skill.md missing Add /skill.md describing what your site lets agents do — speeds up agent task routing.
  • ⚠️ /.well-known/security.txt missing Publish a /.well-known/security.txt with at least a Contact: line. Crawlers and security researchers expect it; AI systems use it as a trust signal.

11. Positioning Clarity

No findings.

12. Missing or Hard-to-Find Information

  • 12 data point(s) could not be found from public pages · Pricing · Customer logos · Social proof · Recent launches · Blog post activity · New hires · Headline copy · Positioning · Executive team · Product/service descriptions · Case studies or testimonials · Contact/demo/signup paths

  • ⚠️ Publish a sitemap.xml Generate /sitemap.xml automatically (Next.js: app/sitemap.ts). Include every canonical URL.

  • ⚠️ Add /llms.txt A short Markdown-flavored summary at the root. Include your H1, value prop, top 5–10 links, and pricing summary.

  • ⚠️ Create a robots.txt Even a minimal robots.txt is better than none. Always reference your Sitemap and explicitly address AI bots.

  • ⚠️ Add /skill.md Describe what an agent can do with your site (e.g., 'Search docs', 'Look up pricing'). Useful for agentic flows.

  • ⚠️ Publish /.well-known/security.txt A security contact builds trust with crawlers and researchers. Minimal example:

    Contact: mailto:security@yourdomain.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en

  • ⚠️ Enable HSTS Add Strict-Transport-Security: max-age=31536000; includeSubDomains once you're confident every subdomain is https-ready.

  • ⚠️ Define a Content-Security-Policy Start with Content-Security-Policy-Report-Only to learn safe sources, then enforce. Cuts XSS blast radius.

  • ⚠️ Add X-Frame-Options X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors) blocks clickjacking via iframe embeds.

  • ⚠️ Add X-Content-Type-Options X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses.

  • ⚠️ Set a Referrer-Policy Referrer-Policy: strict-origin-when-cross-origin is a safe default.

  • ⚠️ Set a Permissions-Policy Restrict browser features you don't use, e.g. Permissions-Policy: camera=(), microphone=(), geolocation=().

14. Priority To-Do List

  • P1 — Publish a sitemap.xml Generate /sitemap.xml automatically (Next.js: app/sitemap.ts). Include every canonical URL.

  • P2 — Add /llms.txt A short Markdown-flavored summary at the root. Include your H1, value prop, top 5–10 links, and pricing summary.

  • P2 — Create a robots.txt Even a minimal robots.txt is better than none. Always reference your Sitemap and explicitly address AI bots.

  • P3 — Add /skill.md Describe what an agent can do with your site (e.g., 'Search docs', 'Look up pricing'). Useful for agentic flows.

  • P3 — Publish /.well-known/security.txt A security contact builds trust with crawlers and researchers. Minimal example:

    ```
Contact: mailto:security@yourdomain.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
```

  • P3 — Enable HSTS Add Strict-Transport-Security: max-age=31536000; includeSubDomains once you're confident every subdomain is https-ready.

  • P3 — Define a Content-Security-Policy Start with Content-Security-Policy-Report-Only to learn safe sources, then enforce. Cuts XSS blast radius.

  • P4 — Add X-Frame-Options X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors) blocks clickjacking via iframe embeds.

  • P4 — Add X-Content-Type-Options X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses.

  • P4 — Set a Referrer-Policy Referrer-Policy: strict-origin-when-cross-origin is a safe default.

  • P4 — Set a Permissions-Policy Restrict browser features you don't use, e.g. Permissions-Policy: camera=(), microphone=(), geolocation=().

Report by CrawlProof. Reusable after every major website change.