https://bolt.new

Largest Contentful Paint is too slow

Your page's main image or headline takes more than 2.5 seconds to show up. Visitors see a blank or half-loaded page, and most will leave before it finishes loading.

First Contentful Paint is slow

Your page takes more than 1.8 seconds before showing any content at all. Visitors stare at a blank screen and may leave before your site even starts to appear.

Performance score is below 70

Your site scores poorly on Google's performance test. Slow sites rank lower in search results and convert significantly fewer visitors into customers.

OG image missing width and height

Twitter/X, LinkedIn, Telegram, and Discord need the image dimensions declared in your HTML to display the preview correctly. Without them, the preview may be skipped entirely or shown at the wrong size — reducing click-through rate when your link is shared.

Open Graph URL missing

Social platforms and crawlers have no explicit canonical sharing URL for this page. This can weaken preview consistency across channels.

Images are missing dimensions

Images without dimensions can cause layout shifts while the page loads. That hurts Core Web Vitals and makes the page feel unstable.

Images with empty or missing alt text

Some images have no meaningful alt text. Screen readers read these as "image" with no context, hurting accessibility and image search visibility.

No analytics tracking detected

You can't improve what you don't measure. Without analytics you have no visibility into traffic, user behavior, or conversion goals.

X-Frame-Options header missing

Your site can be embedded in an invisible iframe on another website. Attackers use this technique (called "clickjacking") to trick your users into clicking things without realising it.

X-Content-Type-Options header missing

Browsers can "sniff" your files and treat them as a different file type than intended. This can allow attackers to upload files that get executed as scripts. This header prevents that.

Referrer-Policy header missing

When visitors click a link to leave your site, their browser sends your full URL (including any private query parameters) to the destination site. A referrer policy controls what gets shared.

Content Security Policy missing

There's no policy controlling what scripts and resources your page can load. Without this, an attacker who injects any code into your page can do anything — steal cookies, redirect users, exfiltrate data.

Missing Permissions-Policy header

Without a Permissions-Policy header, any script on your page can access the camera, microphone, geolocation, and other sensitive browser features. This is a defence-in-depth security header that limits exposure if you get XSS.

DMARC policy is set to none (monitoring only)

Your DMARC record only monitors, it does not protect. Emails that fail DMARC (including spoofed phishing from your domain) are still delivered to inboxes.

No CAA DNS record

Without a CAA record, any certificate authority in the world can issue an SSL certificate for your domain. A CAA record restricts which CAs are allowed.

Cookie set without HttpOnly flag

Without HttpOnly, JavaScript on the page (including injected scripts from XSS attacks) can read your cookies, including session tokens.

No cookie consent mechanism detected

Your site loads tracking scripts (Google Analytics, Meta Pixel, etc.) but no cookie consent banner was found. GDPR and similar laws require informed consent before tracking EU visitors — fines can reach €20M.

No web app manifest found

Your site has no web app manifest. Without it, users who add your site to their home screen on Android get a generic browser icon and no app-like experience. It also helps Chrome show the "Add to Home Screen" prompt.

llms.txt has no product description

Your llms.txt exists but doesn't explain what your product is. AI systems use the description to understand your site context.

llms.txt has no structured sections

Your llms.txt is present but lacks structured sections. The llmstxt.org spec recommends ## sections to help AI systems navigate your content.

No content date signal found

Perplexity and Google AI Overview weight fresh content significantly higher. Without a date signal, your page may be treated as potentially outdated — reducing how often AI systems cite it in answers.

First paragraph too short for AI citation

AI systems like ChatGPT, Claude, and Perplexity extract the beginning of your page as citation passages. A short or absent opening paragraph means they have little useful content to cite, reducing how often your page appears in AI answers.

Form inputs missing labels

Some form fields have no label. Screen reader users cannot tell what the field is for. Placeholder text is not a substitute — it disappears when you start typing.

No skip navigation link

Keyboard and screen reader users have to tab through every navigation item on every page to reach the main content. A "skip to content" link at the top of the page lets them jump directly to the main area.