Seoxpert.io
Get started

Coverage

Everything we check on your site

20 specialised scanners, 442 checks — across SEO, content quality, security, performance, mobile readiness, AI / GEO citability, content gaps, EU privacy (Schrems II + AI Act §50 + EAA (European Accessibility Act)), and trust. Every finding ties back to traffic, conversions, regulatory risk, or revenue. Here's the full list.

20 categories442 specific checksruns in under 2 minutes

SEO & Content

SEO & Content scanner
Title tags
Missing, duplicate (dedup-by-pathname so query-strings don't false-positive), too long or too short
Meta descriptions
Missing, duplicate, length out of range
H1 structure
Missing, multiple H1s per page, duplicate primary H1 across pages
Soft-404 detection
Pages returning 200 OK with "Not Found" / "404" / localised equivalents in title or H1
Internal linking
Orphan pages, deep pages, broken anchors, excessive internal links per page (>250 = link equity dilution)
Schema markup
JSON-LD presence, field-level validation, parse errors, @graph traversal
Author schema
Person / Author entity in Article JSON-LD — required for AI citation attribution
Duplicate content
Near-duplicate clusters with per-language stopwording (no false-positive cannibalisation on multilingual sites)
Canonicals
Self-referencing, conflicts, non-200 targets, cross-origin mismatch (HTTP→HTTPS, www↔apex), tracking-params in canonical
Thin content
Low word count + utility-page guardrail (skips /contact, /cart, /checkout, /404, /legal/*) + CJK/Thai language-aware char-count
Indexability
noindex + in-sitemap + inbound-internal-links stack signal (high-confidence "you didn't mean this")
Open Graph
OG tags, Twitter Cards, og:image absolute-URL check (relative breaks Facebook/LinkedIn previews), og:url vs canonical mismatch
Hreflang
Self-reference (every page in cluster must list itself), x-default presence, locale validation (BCP47)
Robots / X-Robots-Tag
Full directive-set comparison (index/follow/noarchive/nosnippet/unavailable_after) — flags conflicts, not just presence
Anchor text
Generic anchors split into 3 classes (click-here / URL-as-anchor / image-only-no-alt), inconsistent wording, nofollow sinks
URL structure
P90 outlier length (not 120-char folklore), session-IDs, tracking-params, file-ext-with-trailing-slash, non-ASCII path
Viewport & mobile
Missing viewport meta, viewport-blocks-pinch-zoom (WCAG (Web Content Accessibility Guidelines) 1.4.4)
HTML language
Missing or empty lang attribute sitewide
Charset encoding
Missing charset declaration — garbled content risk
Content readability
Multi-language LLM judgment when configured; English-only Flesch-Kincaid as fallback

Security & Performance

Security & Performance scanner
HTTPS posture
HTTP-only sites, mixed content split into ACTIVE (browsers block — high) vs PASSIVE (browsers warn — medium)
Security headers
CSP (Content Security Policy) with directive-level analysis, HSTS, X-Frame-Options, X-Content-Type, Referrer-Policy with value validation (flags unsafe-url / no-referrer-when-downgrade)
Weak CSP directives
unsafe-inline / unsafe-eval / wildcard script-src; missing frame-ancestors / base-uri (clickjacking + base-tag injection mitigation)
CORS misconfiguration
CORS (Cross-Origin Resource Sharing) — Access-Control-Allow-Origin: * with Credentials: true (the wildcard-with-credentials anti-pattern)
Cookie flags
Session-cookie Secure / HttpOnly / SameSite gate (with allowlist for analytics + CSRF cookies that legitimately must be JS-readable)
Response times
CDN-cache-aware: separates slow ORIGIN response (cache MISS — fix backend) from slow CACHED response (edge POP issue)
Render-blocking
Scripts and stylesheets in <head> without defer or async
Layout shift (CLS)
Images without width/height — Core Web Vitals risk
Cache headers
HTML over-cached (max-age ≥ 1 day breaks deploys), missing Cache-Control on cacheable pages, weak Cache-Control on fingerprinted assets
Crawlability
4xx errors, redirect chains, redirect loops, soft-404 from redirect-to-homepage, robots.txt-blocks-CSS/JS-render (Google explicitly forbids)
SSL certificate
Expiry tracking — expired, <14d, <30d, <60d warnings
Sensitive paths
Admin, .env, .git, staging URLs returning 200
Lazy loading
Image-heavy pages not using loading="lazy"
Payload size
Heavy HTML payloads (>200KB), script pressure
HTTP compression
Missing gzip/Brotli — detected via response headers
Server disclosure
Version strings in Server / X-Powered-By headers
Permissions-Policy
Missing browser API restrictions
Image quality
Modern format adoption ratio (WebP/AVIF vs JPEG/PNG/GIF), missing alt text, missing favicon variants
Subresource Integrity
HTTP cross-origin scripts without SRI = active MITM risk (high); HTTPS without SRI = supply-chain exposure (medium)
Resource liveness
Broken images / scripts / stylesheets / favicons / manifests / preload hints / canonical-redirect-off-origin / OG image content-type

Trust, content quality & conversion

E-E-A-T signals
Author bylines (meta + rel + JSON-LD + microdata), credentials, content freshness, YMYL-aware severity
AI-likely content
Templated phrasing patterns + literal "as an AI language model" leak detection (high-confidence boilerplate)
DOM accessibility
19 Tier-1 a11y checks: missing <main>, multiple <main>, broken aria refs, deprecated HTML (AMP-aware), nested interactive elements, etc.
Business / CRO
Pricing visibility, demo-vs-self-serve funnel disambiguation, customer logos, case studies, founding year, live-chat presence

EU privacy & AI Act compliance

Regulators are actively fining for these

GDPR + Schrems II (CJEU C-311/18) + ePrivacy Art. 5(3) + the EU AI Act + the EAA (European Accessibility Act, in force 2025-06-28) form a stacked regulatory layer that's become the #1 source of compliance findings in supervisory-authority audits. Missing one of these is the typical first finding in a regulator inquiry.

Google Fonts CDN before consent

LG München I 3 O 17493/20 (Jan 2022) — €100/visitor mass-claim risk

reCAPTCHA before consent

Schrems II + Italian Garante 2023 ruling — replace with Cloudflare Turnstile / hCaptcha

Meta Pixel before consent

CNIL fined Meta €60M in 2022; ePrivacy Art. 5(3)

Session recorders before consent

Hotjar / Microsoft Clarity / FullStory / Mouseflow — EDPB Guidelines (European Data Protection Board) 03/2022

Google Maps + YouTube embeds

Schrems II — flags non-nocookie YouTube; suggests click-to-load Maps

AI Act §50 GenAI labelling

In force August 2026 — flags missing AI-content disclosure

German DDG §5 imprint

Critical severity for .de / .at / .ch sites; €50K+ abmahnung exposure

VAT ID on commerce imprint

TMG §5(1) Nr. 6 — most common abmahnung trigger

EU Accessibility Act statement

Directive (EU) 2019/882, in force 2025-06-28; required for consumer services

Returns / withdrawal policy

Consumer Rights Directive 2011/83 Art. 6 — missing extends withdrawal window to 12 months

CCPA "Do Not Sell" link

Cal. Civ. Code §1798.105 — required when ad-tech is detected

Privacy policy quality (LLM)

Word-count gated, language-agnostic; flags Schrems II + AI Act disclosure gaps

Cookie banner detection (DOM-fallback)

Catches self-hosted vanilla-cookieconsent, Borlabs, Klaro, custom React banners

19-language URL coverage

EN / DE / DA / SV / NO / FI / NL / FR / ES / IT / PT / PL / RO / CZ / HU / SK / EL / TR / RU

Not legal advice. These findings are automated signals, not legal opinions — consult qualified privacy / compliance counsel before acting.

20 specialised scanners run on every scan in a single coordinated pass — no per-scan-type configuration.

Or run a single check, no signup

Free tools that run individual scanner checks on a URL you paste — same logic as the full audit, scoped to one signal.

Open Graph preview
See how Twitter / LinkedIn / Facebook render your link card.
Schema.org / JSON-LD validator
23+ types, Google rich-result eligibility check.
Hreflang checker
Reciprocity probe across up to 10 alternates.
Security headers grade
A–F grade for CSP, HSTS, X-Frame-Options + more.
llms.txt validator
Check AI search readiness + AI-bot accessibility.
robots.txt checker
Test whether a path is allowed for any user-agent.
Sitemap checker
Validate sitemap.xml structure + future-dated lastmod.
Redirect chain checker
Trace every hop with status codes + timing.
Meta description checker
Char count + SERP truncation point.
See all free tools →
FAQ

Common questions about Seoxpert coverage

How many checks does Seoxpert run per scan?

Every scan runs 20 specialised scanners in a single coordinated pass — 442 individual checks across SEO, content quality, security, performance, mobile readiness, AI / GEO citability, content gaps, E-E-A-T, EU privacy (Schrems II + AI Act §50), and trust. There is no per-scan-type configuration; the full audit fires automatically.

What is AI / GEO citability and why does Seoxpert check for it?

GEO (Generative Engine Optimization) covers whether AI search engines like ChatGPT search, Claude, Perplexity, and Google AI Overviews can find and cite your site. Seoxpert flags blockers: missing /llms.txt, robots.txt rules disallowing GPTBot / Claude-SearchBot / PerplexityBot / Google-Extended (refreshed May 2026 — covers the new Anthropic three-bot split, Amazonbot, Mistral, You.com), missing site-level Organization JSON-LD, missing Person schema for article authors, and question-titled pages without an answer-first paragraph. No other audit tool checks for these.

Does Seoxpert check Schrems II / EU data transfer compliance?

Yes. Schrems II (CJEU C-311/18) requires consent before EU visitor data flows to US-hosted services. Seoxpert flags pre-consent loading of Google Fonts CDN (LG München I 2022 ruling — €100/visitor risk), reCAPTCHA, Meta Pixel, session recorders (Hotjar / Microsoft Clarity / FullStory / Mouseflow), Google Maps embeds, and YouTube embeds not using the youtube-nocookie variant. Also: AI Act §50 disclosure of AI-generated content (in force August 2026), German DDG §5 imprint requirement (jurisdiction-aware severity), and EU Accessibility Act statement.

How does Seoxpert spot content topics you're missing?

A single LLM-powered analysis per scan that asks "what topics does this site clearly cover but lack a canonical landing page for?". It surfaces three kinds of gap: missing pages (mentioned across the site but no dedicated landing), missing hubs (clusters of posts without a pillar page), and topic gaps (obviously expected page types missing — e.g. SaaS without /pricing, agency without /case-studies). Each candidate is grounded in at least 2 evidence URLs from the crawl and post-validated against the live site so a URL that already exists is never suggested.

Does Seoxpert audit security headers?

Yes. Every scan checks HSTS, CSP (with directive-level analysis: missing frame-ancestors, base-uri, object-src, weak unsafe-inline), X-Frame-Options, X-Content-Type-Options, Referrer-Policy (flags dangerous unsafe-url / no-referrer-when-downgrade values), Permissions-Policy, mixed content (split into active = blocked vs passive = warning), CORS-wildcard-with-credentials, session cookie flags (with non-session allowlist so analytics cookies don't false-positive), and HTTPS enforcement.

Does Seoxpert measure Core Web Vitals?

Yes — lab signals correlated with CWV: response time (now CDN-cache-aware, distinguishing slow origin MISS from slow cached HIT via cf-cache-status / x-vercel-cache), render-blocking scripts and stylesheets, layout shift signals (images without width/height, missing fetchpriority), lazy loading, payload size, HTML overcaching that breaks deploys, broken preload hints.

Does Seoxpert do GDPR and cookie consent checks?

Yes. Cookie policies, consent banners, privacy policy presence, terms of service, and data-handling disclosures are all checked. The compliance checks support multi-language URL conventions across 19 European languages (English, German, Danish, Swedish, Norwegian, Finnish, Dutch, French, Spanish, Italian, Portuguese, Polish, Romanian, Czech, Hungarian, Slovak, Greek, Turkish, Russian), so a site at /privatlivspolitik or /datenschutz or /polityka-prywatnosci is recognised correctly. Banner detection covers OneTrust / CookieBot / Cookiebot / vanilla-cookieconsent / Borlabs / Real Cookie Banner / Klaro / Tarteaucitron / Sourcepoint plus self-hosted React banners.

How is Seoxpert different from Ahrefs / Semrush / Screaming Frog?

Three big differences. (1) Coverage span: classical SEO crawlers focus on technical SEO; Seoxpert ships in one pass: SEO + security + performance + EU privacy (Schrems II + AI Act + EAA) + AI / GEO citability + business-readiness signals. (2) Deploy-time positioning: Seoxpert is built to re-run after every deploy and surface regressions, not as a once-a-year audit. (3) AI-search readiness: dedicated scanner for /llms.txt, AI-bot crawler control, Author schema for citability — no other audit tool checks these.

See what we find on your site

Free scan · No credit card required · Results in under 2 minutes.

More SEO questions answered Back to homepage