June 2026
GDPR consent, security hardening, and scanner fixes
Cookie consent banner with analytics gate, production security fixes, and self-scan now correctly detects llms.txt and sitemap.xml.
- •GDPR cookie consent banner — floating card on desktop, bottom sheet on mobile, analytics gated behind consent
- •httpOnly and Secure flags on locale cookie, SSR-rendered privacy links
- •Timing-safe token comparison, production remediation pass (security + SEO + a11y)
- •Issue list sorted by severity — critical issues surface first
- •Scanner self-scan fix — llms.txt and sitemap.xml now detected correctly when scanning glook.dev itself
OAuth scan enrichment and Vercel Analytics
Yandex Webmaster, GA4, and Yandex Metrika data now wired into reports. Vercel Analytics and Speed Insights added.
- •Yandex Webmaster, Google Analytics 4, and Yandex Metrika OAuth data wired into scan enrichment
- •Authenticated users notified when Google or Yandex integrations are not connected
- •Vercel Analytics and Speed Insights integrated for performance monitoring
Security hardening — IDOR fix, SSRF, timing-safe tokens
Backend security pass: timing-safe comparisons, IDOR fix on report access, SSRF hardening, performance and SEO improvements.
- •Timing-safe token comparison — prevents timing-based secret inference
- •IDOR fix — report access now enforces ownership check
- •SSRF hardening — stricter URL validation on scan input
- •Performance and SEO improvements in scan pipeline
May 2026
AI tool brand icons + footer mobile fix
Official SVG logos for Cursor, Claude Code, Windsurf, Codex, and Gemini chips. Compare dropdown now works on touch devices.
- •Official brand SVG icons from Cursor, Anthropic, Codeium, OpenAI, and Google in AI-READY FIXES chips
- •Footer Compare dropdown converted from CSS hover to click/touch toggle with outside-click close
- •Blog sidebar: left sidebar on desktop with category filters and cover images
Blog, audit reports, and full QA suite
Blog with Supabase-backed posts and Tiptap editor. Public audit reports at /audits/[slug]. 110 automated tests passing.
- •Blog at /blog — Supabase-backed posts, sidebar categories (SEO, AI Visibility, Security, Performance, Audit Reports)
- •Audit reports at /audits/[slug] — public company-level reports with editorial summaries
- •Admin editors for blog posts and audit reports with Tiptap rich text
- •Vitest unit test suite (70 tests) and Playwright E2E suite (40 tests) — 110 passing
- •Admin QA dashboard at /admin/qa showing test results
Competitor comparison pages (/vs)
5 side-by-side comparison pages live: Glook vs Ahrefs, Screaming Frog, Semrush, SE Ranking, and Otterly.
- •Category-filtered feature comparison tables
- •/vs index page with all competitors listed
- •FAQ structured data (JSON-LD FAQPage) on every comparison page
- •Static generation with 24h revalidation
90+ checks milestone — trust signals and domain intelligence
Domain age, Reddit mentions, GitHub stars, G2/Product Hunt registration, and answer gap checks added. 90+ total checks.
- •Domain age check via RDAP (reliable domain age without third-party APIs)
- •Reddit mention detection — checks if brand appears in relevant subreddits
- •GitHub stars check for developer tools
- •G2 and Product Hunt registration verification
- •Trust signals row in AI Visibility report section
- •Answer gap analysis — detects if competitor appears in AI responses where you do not
- •Milestone: 90+ total checks across 6 categories
Public REST API, MCP Server, and OAuth integrations
Agency API v1 live with docs at /docs/api. MCP Server for AI agents. OAuth connect for Google, Yandex, Bing, and GitHub Action.
- •REST API v1 for Agency tier — programmatic scan dispatch and report retrieval
- •API docs at /docs/api with curl examples and endpoint reference
- •Agency API key management dashboard
- •MCP Server — AI agents (Cursor, Claude Code) can run scans and read reports via tool calls
- •Google Search Console OAuth — real indexation data and CTR per page in reports
- •Google Analytics 4 OAuth — organic traffic in reports
- •Yandex Metrica OAuth — Yandex traffic data
- •Bing Webmaster Tools OAuth — Bing crawl stats and coverage errors
- •GitHub Action template — block deploys when site score drops below threshold
- •Search Intelligence dashboard showing connected integrations
Issue checklist, weekly digest, and SEO foundation
Mark issues as fixed or ignored with persistent progress. Weekly digest diffs. Programmatic SEO pages.
- •Issue checklist — mark any issue as fixed or ignored, progress saved per scan
- •Weekly digest emails — diff between latest scan and your baseline each Monday
- •Programmatic SEO pages at /check/[domain] — public AI readiness ratings
- •AI readiness ranking system across scanned domains
Checks deepening — 32 new checks added
SSL Labs TLS grading, OSV CVE database, CrUX real-world data, DNS security, cookie flags, and per-bot AI crawler verification.
- •SSL Labs TLS grading — A+ to F grade with cipher and protocol analysis
- •OSV vulnerability database — detects known CVEs in JavaScript libraries
- •CrUX real-world Core Web Vitals — actual user field data alongside Lighthouse lab data
- •DNS security checks — SPF, DMARC, CAA record validation
- •Cookie security flags — Secure, HttpOnly, SameSite attribute audit
- •Per-bot AI crawler verification — GPTBot, ClaudeBot, PerplexityBot access rules checked individually
- •Sitemap depth and structure checks
- •Semantic heading structure validation
- •Total: 32 new checks across 3 phases
Report intelligence — scan goals and AI artifacts
Scan modes (SEO / security / AI visibility / full), generated llms.txt + schema.org + security headers, security alert banner.
- •ScanGoal modes — choose SEO, security, AI visibility, or full audit before scanning
- •Report tabs reorder based on scan goal — AI visibility scan opens AI Visibility tab first
- •AI artifact generators — get ready-to-use llms.txt, schema.org JSON-LD, and security headers config from every report
- •Security alert banner — critical issues (missing CSP, exposed .env, broken HTTPS) highlighted at top
- •Redirect chain detection and visualization
- •Mobile Lighthouse — tap target size and font size issue detection
- •AI platform readiness breakdown — per-platform pass/fail (ChatGPT, Claude, Perplexity, Gemini)
- •Focused landing pages: /seo, /security, /ai-visibility
Full Russian localization
AI summary, issue titles, methodology page, and all UI strings translated to Russian. Language switcher added.
- •AI summary generated in user's language (Russian or English)
- •Issue titles and descriptions translated to Russian
- •Methodology page fully translated
- •Language switcher in report header
- •Strategic recommendations translated
60+ checks milestone
Total check count updated to 60+ across all pages and in-app copy.
- •Check count updated from "50+" to "60+" across landing, pricing, and methodology pages
April 2026
Scan UX improvements
Real-time elapsed timer, navigation guard, inline error form, and "taking longer than usual" message.
- •Real-time elapsed timer during scan (seconds counting up)
- •"Taking longer than usual" message after 40 seconds
- •Navigation guard with confirmation modal if leaving during active scan
- •Inline ScanForm on error state — no redirect to homepage
- •Interrupt warning text shown during active scan
AI fix prompts v4 and PDF export
Per-issue AI prompts with tool selector (Cursor/Bolt/Lovable/v0), 2-tab fix section, PDF export, and animated progress bar.
- •Per-issue AI fix prompts — each issue has its own ready-to-paste prompt
- •Tool selector in fix section — choose Cursor, Bolt, Lovable, v0, or any tool
- •2-tab fix section: AI Fix Prompt + Manual Fix explanation
- •PDF export for Pro and Agency tiers with print CSS branding
- •Animated scan progress bar with step-by-step skeleton
- •Smooth scan to report transition animation
- •Shimmer animation on Fix with AI button on card hover
Security hardening
Rate limiting, CSRF protection, SSRF protection, cron verification, badge injection fix, and webhook hardening.
- •Rate limiting on scan API (per-IP and per-user)
- •CSRF same-origin JSON guard on all mutation endpoints
- •SSRF protection — blocks scanning localhost, private IPs, and AWS metadata endpoint
- •Cron endpoint verification via CRON_SECRET
- •Badge API injection prevention
- •Webhook signature verification hardening
AI Visibility category launched
8 new AEO + GEO checks: schema.org, llms.txt, AI crawler access, sitemap, FAQ schema, and more.
- •AI Visibility category added to reports (AEO + GEO checks)
- •Schema.org JSON-LD detection and validation
- •llms.txt file presence and format check
- •AI crawler access check (GPTBot, ClaudeBot, PerplexityBot via robots.txt)
- •FAQ schema detection
- •Sitemap presence for AI indexing
- •Author entity check
- •SPA detection (JavaScript-only apps may be invisible to AI crawlers)
- •Analytics tracker detection
Dashboard, auth, and Railway scanner
User auth, scan history dashboard, Railway scanner architecture separating Lighthouse from Vercel serverless.
- •User authentication — email + Google OAuth login
- •Scan history dashboard with all past reports
- •Railway scanner service — Lighthouse runs on Railway (Docker) not Vercel to avoid serverless limits
- •SCANNER_SECRET auth between Vercel app and Railway scanner
- •404 page with friendly error messaging
Cinematic UI and animations
Magic UI animations, CinematicFooter with GSAP scroll effects, WebGL noise hero background, dynamic AI fix prompt tool selector.
- •CinematicFooter with GSAP scroll-triggered animations
- •WebGL noise shader hero background
- •Magic UI spotlight cards in features section
- •Dynamic AI fix prompts with tool selector (Cursor/Bolt/Lovable/v0)
- •Gradient chip animations
- •Ship logo and social icons in footer
Glook launched
Initial launch: 25+ checks, Lighthouse audit, AI summary, report UI, auth, billing scaffold, Railway scanner, i18n EN/RU.
- •25+ checks across performance, SEO, security, mobile, and accessibility
- •Lighthouse mobile audit via headless Chromium on Railway
- •AI summary and strategic recommendations via OpenAI GPT-4o-mini
- •Report UI: ScoreRing, CategoryCard, IssueCard with evidence and severity
- •User auth with Google OAuth
- •Free / Pro / Agency tier structure
- •EN/RU internationalization (next-intl)
- •Weekly scan cron for monitoring
- •OG image, sitemap, badge API
- •Legal pages: Privacy Policy, Terms of Service
- •Roadmap page