shop.annmariegianni.com
Audited 5 days ago· shopify
Agent-readiness across all five AI commerce surfaces.
Surfaces — click to filter
16 failing · 4 not checked · 20 shown
4 checks couldn't run on this store — each is listed below with the reason. Your score reflects only what we could verify.
Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months
Why this matters: AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.
Findings (1)
Confirmed the homepage is HTTPS (status 200), probed http://shop.annmariegianni.com/ for redirect behaviour, and parsed the Strict-Transport-Security header (value: "max-age=7889238").
How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).
- HSTS max-age is below the 6-month minimumCRITICAL
/parsed max-age = 7889238s (need ≥ 15552000s = 180 days)
What we found
max-age=7889238What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomainsBump
max-ageto at least 15552000 (180 days). 31536000 (1 year) is required for preload-list inclusion.
Remove the noindex directive from every PDP
Why this matters: A noindex on the PDP makes it invisible to Google and ineligible for the merchant listing program.
Findings (4)
Sampled 20 PDP(s); 4 returned a noindex directive.
How: For each sampled PDP, inspect the HTML for <meta name="robots" content="...noindex..."> and the response headers for X-Robots-Tag: ...noindex....
Coverage
16/20 · 80%
- PDP returns noindex (html)HIGH× 4
What we found
<meta name="robots" content="noindex,nofollow">What we expected
<meta name="robots" content="index, follow">Remove the noindex directive from both the meta tag and the X-Robots-Tag header on this route.
Affected (4)
- /products/copy-of-radiate-facial-moisturizing-o…content: noindex,nofollow
- /products/cbitestproductcontent: noindex,nofollow
- /products/boswellia-rose-eye-balmcontent: noindex,nofollow
- /products/wild-fruit-serum-brightening-facial-c…content: noindex,nofollow
Populate gtin on every branded Product node
Why this matters: GTINs let agents match your product to the same item elsewhere; without them you lose cross-catalog matching.
Findings (11)
Checked 20 sampled product pages for a GTIN in the Product JSON-LD (0 carry a valid GTIN, 0%).
How: Extract gtin / gtin8 / gtin12 / gtin13 / gtin14 from the first Product JSON-LD node on each PDP; validate digit length.
Coverage
0/20 · 0%
- No valid GTIN on this product pageHIGH× 10
Populate gtin/gtin8/gtin12/gtin13/gtin14 with the manufacturer's barcode.
Affected (10)
- /products/25-off-illuminating-pearl-mask-hydrat…
- /products/activated-hemp-serum-30ml-copy
- /products/sweetgrass-hair-body-mist
- /products/copy-of-radiate-facial-moisturizing-o…
- /products/beekeepers-naturals-b-powered-superfo…
- /products/3415805
- /products/embroidered-sleep-mask-with-organic-c…
- /products/cbitestproduct
- /products/boswellia-rose-eye-balm
- /products/antioxidant-lip-balm
…and 1 more
Add every required top-level key to the UCP profile
Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.
Findings (1)
Profile is missing required key(s): signing_keys.
How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.
- Required top-level key
signing_keysis missingHIGHWhat we expected
Add a top-level "signing_keys" field to the JSON document (empty array/object is fine).Set
signing_keysat the root of the JSON document.
Publish a Product JSON-LD block on every PDP
Why this matters: Product JSON-LD is how agents identify the canonical product entity without running JavaScript.
Findings (6)
Parsed JSON-LD on 20 sampled product pages for a Product node (14 found, 70%).
How: Walk each sampled PDP's parsed jsonLdBlocks, flatten @graph containers, and count the page as passing if any node has @type Product / ProductGroup / IndividualProduct / ProductModel.
Coverage
14/20 · 70%
- No Product JSON-LD on this PDPHIGH× 6
Add a
<script type="application/ld+json">block with@type: Productto the PDP<head>.
Surface brand attribution on every PDP
Why this matters: Brand on every product is a primary agent filter and a required feed field.
Findings (6)
Checked 20 sampled product pages for brand attribution via Product JSON-LD or visible HTML signals (14 attributed, 70%).
How: On each PDP, accept brand attribution from either (a) extractBrand on the first Product JSON-LD node OR (b) an HTML brand signal (OG product:brand, brand meta, og:brand, Microdata itemprop="brand").
Coverage
14/20 · 70%
- No brand attribution on this PDP (neither JSON-LD
brandnor OG/Microdata)HIGH× 6Add
brandto the Product JSON-LD or a<meta property="product:brand">tag.
Skipped — the runner did not surface transport metadata
Context: If your UCP profile says `no-cache`, agent runtimes re-fetch on every interaction — brittle at scale and prone to rate-limit failures.
Why this was skipped
Wanted to inspect the UCP profile's Cache-Control header, but the runner did not surface transport metadata.
How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.
- Transport metadata not available — runner update pendingLOW
This check activates once the runner (Task I1) populates ctx.wellKnownUcp.cacheControl.
Skipped — Profile declares no signing_keys; JWK validation has no entries to evaluate.
Context: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.
Why this was skipped
Profile declares no signing_keys; JWK validation has no entries to evaluate.
How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.
Add includeSubDomains to your Strict-Transport-Security header
Why this matters: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.
Findings (1)
Inspected the homepage Strict-Transport-Security header ("max-age=7889238") and the includeSubDomains directive is absent.
How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).
- HSTS header is missing the includeSubDomains directiveMEDIUM
What we found
max-age=7889238What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomainsAppend
; includeSubDomainsto your STS header once every subdomain you operate supports HTTPS.
Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint
Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.
Findings (1)
Parsed the homepage JSON-LD looking for an Organization/OnlineStore node with a contactPoint, but no Organization-class node is present.
How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.
- No Organization/OnlineStore JSON-LD on homepageMEDIUM
What we expected
<script type="application/ld+json">{"@context":"https://schema.org","@type":"OnlineStore","name":"Example Store","url":"https://example.com","contactPoint":[{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com"}]}</script>Add an Organization (or OnlineStore) JSON-LD block in the homepage
<head>with a contactPoint.
Skipped — No MerchantReturnPolicy node carried a `merchantReturnLink` URL, so reachability has nothing to evaluate.
Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.
Why this was skipped
No MerchantReturnPolicy node carried a merchantReturnLink URL, so reachability has nothing to evaluate.
How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.
Skipped — Profile declares no capabilities; required-field checks have nothing to evaluate.
Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.
Why this was skipped
Profile declares no capabilities; required-field checks have nothing to evaluate.
How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.
Upload higher-resolution product images (area ≥ 50,000 pixels)
Why this matters: Tiny product images get dropped from Google’s shopping rich-result modules and are unhelpful to AI agents quoting your product visually.
Findings (11)
Inspected <img width=… height=…> attributes on 20 sampled product pages (2 have at least one image with area ≥ 50,000 px; dimensions absent from HTML are not HEAD-probed and count as indeterminate).
How: For every sampled PDP, parse <img> tags and read explicit width and height attributes; a PDP passes when at least one image has width × height ≥ 50,000. PDPs without any explicit-dimension <img> are marked indeterminate (this check does not HEAD image URLs).
Coverage
2/20 · 10%
- All images on this PDP are below the 50,000-pixel thresholdLOW× 4
Upload an image whose width × height ≥ 50,000 (e.g., 400 × 300 = 120,000).
Affected (4)
- /products/25-off-illuminating-pearl-mask-hydrat…largest image area observed: 25,600 px
- /products/3415805largest image area observed: 18,769 px
- /products/embroidered-sleep-mask-with-organic-c…largest image area observed: 130 px
- /products/sweet-sunrise-shampoo-conditioner-bun…largest image area observed: 25,600 px
- No <img> on this PDP carries explicit width+height attributesLOW× 6
Server-render explicit width and height attributes so crawlers can verify image area without fetching.
Affected (6)
- /products/sweetgrass-hair-body-mist16 <img> tags found, none with width+height
- /products/copy-of-radiate-facial-moisturizing-o…7 <img> tags found, none with width+height
- /products/beekeepers-naturals-b-powered-superfo…22 <img> tags found, none with width+height
- /products/cbitestproduct15 <img> tags found, none with width+height
- /products/boswellia-rose-eye-balm14 <img> tags found, none with width+height
- /products/activated-night-serum-travel-retinol-…21 <img> tags found, none with width+height
…and 1 more
Add preload to your Strict-Transport-Security header and submit to hstspreload.org
Why this matters: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.
Findings (1)
Inspected the homepage Strict-Transport-Security header ("max-age=7889238") and the preload directive is absent.
How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).
- HSTS header is missing the preload directiveLOW
What we found
max-age=7889238What we expected
Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadAppend
; preloadafterincludeSubDomainsand submit your domain at https://hstspreload.org/.
Publish a substantive About page at a standard URL
Why this matters: Perplexity and ChatGPT use About-page text to summarise your brand to shoppers in answer responses.
Findings (1)
Probed 4 candidate About-page paths and none returned a 2xx body.
How: URL probe of platform-specific about-page paths via politeFetch; the first 2xx response whose HTML-stripped body length is ≥ 200 chars counts as a pass.
- No About page reachable at any standard URLLOW
statuses: /pages/about=404, /pages/about-us=404, /about=404, /about-us=404
Publish an About page at /about (or your platform's standard path) with ≥ 200 chars of body text.
Use sentence-case product titles
Why this matters: Empty or all-caps product titles signal low quality to agents and trigger Google Merchant Center policy flags.
Findings (1)
Inspected the Product JSON-LD title on 14 sampled product pages (13 non-empty and not all-caps, 93%).
How: Read name on the first Product JSON-LD node. Fail if missing/empty after trimming OR if the string contains letters and they're all upper-case.
Coverage
13/14 · 93%
- Product title is entirely upper-caseLOW
What we found
CBITESTPRODUCTUse sentence-case or title-case capitalisation.
Add an AggregateRating to Product nodes when you have real reviews
Why this matters: Review ratings are a trust signal agents use to rank and filter products.
Findings (7)
Looked for a valid aggregateRating on Product JSON-LD across 14 sampled product pages (7 valid, 50%).
How: On each Product node, parse aggregateRating (or the first element if it's an array) and require ratingValue in [0,5] AND reviewCount or ratingCount ≥ 1.
Coverage
7/14 · 50%
- Product has no valid AggregateRating (ratingValue 0-5 + reviewCount/ratingCount ≥ 1)LOW× 7
Render
aggregateRatingfrom real review totals — never fabricate.
Add descriptive alt text to product images (WCAG 2.x SC 1.1.1)
Why this matters: Alt text is the only text description AI agents and screen readers have for your product imagery.
Findings (10)
Parsed <img> alt attributes across 20 sampled product pages (10 have alt text on at least 80% of images).
How: Per PDP, count <img> tags via regex; a tag 'has alt text' when its alt attribute is present AND non-empty after trim. A PDP passes when it carries no <img> at all OR ≥80% of its <img> tags have non-empty alt.
Coverage
10/20 · 50%
- Most images on this product page lack alt textLOW× 10
What we expected
<img src="/img/sneaker.webp" alt="Red leather running shoe, side view" />Populate the alt attribute on each <img> with a description of what the image shows; use alt="" only for decorative images.
Affected (10)
- /products/sweetgrass-hair-body-mist11/16 <img> tags have non-empty alt (69%)
- /products/copy-of-radiate-facial-moisturizing-o…4/7 <img> tags have non-empty alt (57%)
- /products/341580520/32 <img> tags have non-empty alt (63%)
- /products/boswellia-rose-eye-balm11/14 <img> tags have non-empty alt (79%)
- /products/sweet-sunrise-shampoo-conditioner-bun…19/24 <img> tags have non-empty alt (79%)
- /products/aloe-herb-cleanser-travel-rosemary-to…4/7 <img> tags have non-empty alt (57%)
- /products/crystal-gift4/7 <img> tags have non-empty alt (57%)
- /products/milestone-1004/7 <img> tags have non-empty alt (57%)
- /products/milestone-754/7 <img> tags have non-empty alt (57%)
- /products/milestone-504/7 <img> tags have non-empty alt (57%)
Enable Apple Pay through your payment processor (informational only)
Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.
How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.
- No Apple Pay markers detected on the homepage or PDPsINFO
Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.
Enable Google Pay through your payment processor (informational only)
Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.
Findings (1)
Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.
How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.
- No Google Pay markers detected on the homepage or PDPsINFO
Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.