stanley1913.com — AI Commerce Audit

HALFCRITICAL

HTTPS enforced sitewide + HSTS (≥ 6-month max-age)https-and-hsts-enforcedHSTS

Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months

Why this matters: AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.

RFC 6797 — HTTP Strict Transport Security (HSTS)

−2.9impact

Findings (1)

Confirmed the homepage is HTTPS (status 200), probed http://stanley1913.com/ for redirect behaviour, and parsed the Strict-Transport-Security header (value: "max-age=7889238").

How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).

HSTS max-age is below the 6-month minimumCRITICAL
/parsed max-age = 7889238s (need ≥ 15552000s = 180 days)
What we found
```
max-age=7889238
```
What we expected
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
Bump max-age to at least 15552000 (180 days). 31536000 (1 year) is required for preload-list inclusion.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILHIGH

No sampled PDP returns a noindex directivepdp-not-noindexMerchant

Remove the noindex directive from every PDP

Why this matters: A noindex on the PDP makes it invisible to Google and ineligible for the merchant listing program.

Google merchant listing — indexable PDPs

−2.4impact

Findings (4)

Sampled 20 PDP(s); 4 returned a noindex directive.

How: For each sampled PDP, inspect the HTML for <meta name="robots" content="...noindex..."> and the response headers for X-Robots-Tag: ...noindex....

Coverage

16/20 · 80%

PDP returns noindex (html)HIGH× 4
What we found
```
<meta name="robots" content="noindex,nofollow">
```
What we expected
```
<meta name="robots" content="index, follow">
```
Remove the noindex directive from both the meta tag and the X-Robots-Tag header on this route.
Affected (4)
- /products/the-iceflow%E2%84%A2-flip-straw-tumbl…content: noindex,nofollow
- /products/the-quencher-protour-flip-straw-tumbl…content: noindex,nofollow
- /products/adventure-stacking-beer-pint-stanley-…content: noindex,nofollow
- /products/the-iceflow%E2%84%A2-bottle-with-flip…content: noindex,nofollow

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILHIGH

Each PDP carries at most one Product JSON-LD nodepdp-single-product-pageMerchant

Emit a single Product JSON-LD node per PDP

Why this matters: Duplicate Product nodes on a single PDP cause Google's merchant scraper to drop the listing or pick the wrong variant.

Google merchant listing — single product per page

−2.1impact

Findings (16)

Sampled 20 PDP(s); 16 carried multiple Product JSON-LD nodes.

How: For each sampled PDP, count JSON-LD nodes whose @type is Product or whose @type array contains Product. Each PDP must expose at most one.

Coverage

4/20 · 20%

PDP exposes 3 Product JSON-LD nodesHIGH× 4
Emit exactly one Product JSON-LD block per PDP; model variants via hasVariant or multiple Offer children.
Affected (4)
- /products/the-iceflow%E2%84%A2-flip-straw-tumbl…3 Product nodes detected
- /products/forge-thermal-bottle-1-4-qt3 Product nodes detected
- /products/stanley-lifted-spirits-steel-cooler-5…3 Product nodes detected
- /products/stanley-lifted-spirits-steel-cooler-2…3 Product nodes detected
PDP exposes 4 Product JSON-LD nodesHIGH
/products/the-quencher-protour-flip-straw-tumbl…4 Product nodes detected
Emit exactly one Product JSON-LD block per PDP; model variants via hasVariant or multiple Offer children.
PDP exposes 6 Product JSON-LD nodesHIGH× 5
Emit exactly one Product JSON-LD block per PDP; model variants via hasVariant or multiple Offer children.
Affected (5)
- /products/adventure-stacking-beer-pint-stanley-…6 Product nodes detected
- /products/the-iceflow%E2%84%A2-bottle-with-flip…6 Product nodes detected
- /products/country-collection-iceflow-tumbler-30…6 Product nodes detected
- /products/country-collection-quencher-protour-f…6 Product nodes detected
- /products/country-collection-stacking-pint-16-oz6 Product nodes detected

…and 6 more

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILHIGH

GTIN coverage on PDPsproduct-gtin-populatedSchema.orgMerchant

Populate gtin on every branded Product node

Why this matters: GTINs let agents match your product to the same item elsewhere; without them you lose cross-catalog matching.

schema.org/Product.gtin

−1.9impact

Findings (11)

Checked 20 sampled product pages for a GTIN in the Product JSON-LD (0 carry a valid GTIN, 0%).

How: Extract gtin / gtin8 / gtin12 / gtin13 / gtin14 from the first Product JSON-LD node on each PDP; validate digit length.

Coverage

0/20 · 0%

No valid GTIN on this product pageHIGH× 10
Populate gtin/gtin8/gtin12/gtin13/gtin14 with the manufacturer's barcode.
Affected (10)

…and 1 more

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILHIGH

Offer JSON-LD carries shippingDetails (OfferShippingDetails)offer-shipping-details-presentSchema.orgShipping

Emit shippingDetails (OfferShippingDetails) on Offer JSON-LD

Why this matters: Without shippingDetails, AI agents fall back to vague defaults — they can't quote your rates, destinations, or delivery windows in shopping cards.

schema.org/OfferShippingDetails

−1.7impact

Findings (11)

Inspected shippingDetails on Product/Offer JSON-LD across 20 sampled PDPs (0 present, 0%).

How: On each PDP, locate the Product JSON-LD node and check for shippingDetails (single object or array) at Product or Offer level. Pass band ≥ 85% coverage.

Coverage

0/20 · 0%

Offer JSON-LD missing shippingDetailsHIGH× 10
Add OfferShippingDetails with shippingRate, shippingDestination, and deliveryTime.
Affected (10)

…and 1 more

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILHIGH

UCP profile carries all four required top-level keysucp-profile-required-keysUCP

Add every required top-level key to the UCP profile

Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.

UCP overview — required profile keys

−1.6impact

Findings (1)

Profile is missing required key(s): signing_keys.

How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.

Required top-level key signing_keys is missingHIGH
/.well-known/ucp
What we expected
```
Add a top-level "signing_keys" field to the JSON document (empty array/object is fine).
```
Set signing_keys at the root of the JSON document.

How to fix · 2 steps · create a free account to viewCreate a free account →

NAHIGH

UCP profile Cache-Control is shared-cacheable with max-age ≥ 60sucp-cache-headers-validUCP

Skipped — the runner did not surface transport metadata

Context: If your UCP profile says `no-cache`, agent runtimes re-fetch on every interaction — brittle at scale and prone to rate-limit failures.

UCP overview — profile caching

Not scoredimpact

Why this was skipped

Wanted to inspect the UCP profile's Cache-Control header, but the runner did not surface transport metadata.

How: Parse the Cache-Control header on the /.well-known/ucp response; require public, max-age ≥ 60, and no no-store/no-cache/private.

Transport metadata not available — runner update pendingLOW
/.well-known/ucp
This check activates once the runner (Task I1) populates ctx.wellKnownUcp.cacheControl.

NAHIGH

Every signing_keys[] entry is a valid JWKucp-signing-keys-validJWKS

Skipped — Profile declares no signing_keys; JWK validation has no entries to evaluate.

Context: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.

RFC 7517 — JSON Web Key (JWK)

Not scoredimpact

Why this was skipped

Profile declares no signing_keys; JWK validation has no entries to evaluate.

How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.

FAILMEDIUM

HSTS policy carries the includeSubDomains directivehsts-include-subdomainsHSTS

Add includeSubDomains to your Strict-Transport-Security header

Why this matters: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.

RFC 6797 — HSTS `includeSubDomains` directive

−1.1impact

Findings (1)

Inspected the homepage Strict-Transport-Security header ("max-age=7889238") and the includeSubDomains directive is absent.

How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).

HSTS header is missing the includeSubDomains directiveMEDIUM
/
What we found
```
max-age=7889238
```
What we expected
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
Append ; includeSubDomains to your STS header once every subdomain you operate supports HTTPS.

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILMEDIUM

Organization/OnlineStore JSON-LD with contactPoint on homepageorganization-jsonld-with-contactSchema.org

Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint

Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.

schema.org/Organization (and OnlineStore subclass) with contactPoint

−1.1impact

Findings (1)

Found a homepage Organization node but its contactPoint is missing both email and telephone.

How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.

Homepage Organization node has no contactPoint with email or telephoneMEDIUM
/
What we expected
```
"contactPoint": [{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com","telephone":"+1-555-123-4567"}]
```
Add a contactPoint object with at least one of email or telephone.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILMEDIUM

Sitemap entries share the host of the containing sitemapsitemap-same-hostSitemap

Keep every sitemap entry on the sitemap's own host

Why this matters: Cross-host sitemap entries are silently dropped, so the off-host product URLs effectively don't exist for the crawler.

sitemaps.org — Sitemap file location

−0.8impact

Findings (5)

Compared 708 <loc> entries against their sitemap host across 7 resource(s); 5 cross-host entries found.

How: For each resolved sitemap resource, parse the sitemap URL's host and compare it against every parsed <loc> URL's host.

Cross-host <loc> — sitemap host is stanley1913.com but entry is on www.stanley1913.comMEDIUM
/sitemap.xmlsitemap host: stanley1913.com; entry host: www.stanley1913.com
What we found
```
https://www.stanley1913.com/sitemap_agentic_discovery.xml
```
Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
Cross-host <loc> — sitemap host is stanley1913.com but entry is on www.stanley1913.comMEDIUM
/sitemap.xmlsitemap host: stanley1913.com; entry host: www.stanley1913.com
What we found
```
https://www.stanley1913.com/sitemap_products_1.xml?from=5019769274427&to=14973483647336
```
Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
Cross-host <loc> — sitemap host is stanley1913.com but entry is on www.stanley1913.comMEDIUM
/sitemap.xmlsitemap host: stanley1913.com; entry host: www.stanley1913.com
What we found
```
https://www.stanley1913.com/sitemap_pages_1.xml?from=58699382843&to=692011204968
```
Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
Cross-host <loc> — sitemap host is stanley1913.com but entry is on www.stanley1913.comMEDIUM
/sitemap.xmlsitemap host: stanley1913.com; entry host: www.stanley1913.com
What we found
```
https://www.stanley1913.com/sitemap_collections_1.xml?from=190292099131&to=671708643688
```
Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.
Cross-host <loc> — sitemap host is stanley1913.com but entry is on www.stanley1913.comMEDIUM
/sitemap.xmlsitemap host: stanley1913.com; entry host: www.stanley1913.com
What we found
```
https://www.stanley1913.com/sitemap_blogs_1.xml
```
Remove the cross-host entry from this sitemap, or publish a separate sitemap on that host.

How to fix · 2 steps · create a free account to viewCreate a free account →

HALFMEDIUM

Product `sku` populatedproduct-sku-populatedSchema.orgMerchant

Populate sku on every Product JSON-LD node

Why this matters: A stable SKU lets agents track and re-identify your product across catalogs.

schema.org/Product.sku

−0.6impact

Findings (4)

Read the sku field on Product JSON-LD across 20 sampled product pages (16 populated, 80%).

How: On each PDP with a Product node, accept sku if it is a non-empty trimmed string or a number.

Coverage

16/20 · 80%

Product JSON-LD has no populated skuMEDIUM× 4
Fill in the SKU field in your product admin; the JSON-LD template typically binds to that field.
Affected (4)

How to fix · 2 steps · create a free account to viewCreate a free account →

NAMEDIUM

MerchantReturnPolicy merchantReturnLink URL is reachablemerchant-return-link-reachableReturns

Skipped — No MerchantReturnPolicy node carried a `merchantReturnLink` URL, so reachability has nothing to evaluate.

Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.

Google return-policy SD — merchantReturnLink reachability

Not scoredimpact

Why this was skipped

No MerchantReturnPolicy node carried a merchantReturnLink URL, so reachability has nothing to evaluate.

How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.

NAMEDIUM

OfferShippingDetails shippingDestination is a valid DefinedRegionoffer-shipping-destination-validShipping

Skipped — No OfferShippingDetails node carried `shippingDestination`, so the DefinedRegion check has nothing to evaluate.

Context: Without a valid destination region, your shipping rate has no scope — Google can't decide whether to render it for a given shopper's country.

Google shipping-policy SD — shippingDestination as DefinedRegion

Not scoredimpact

Why this was skipped

No OfferShippingDetails node carried shippingDestination, so the DefinedRegion check has nothing to evaluate.

How: On each OfferShippingDetails node where shippingDestination is set, require it to be a DefinedRegion (or array) and every entry to carry addressCountry matching /^[A-Z]{2}$/i.

NAMEDIUM

OfferShippingDetails shippingRate is a valid MonetaryAmountoffer-shipping-rate-validShipping

Skipped — No OfferShippingDetails node carried `shippingRate`, so the MonetaryAmount check has nothing to evaluate.

Context: An invalid rate object is silently dropped; agents can't quote your shipping cost in shopping cards.

Google shipping-policy SD — shippingRate as MonetaryAmount

Not scoredimpact

Why this was skipped

No OfferShippingDetails node carried shippingRate, so the MonetaryAmount check has nothing to evaluate.

How: On each OfferShippingDetails node where shippingRate is set, require an object with numeric value/maxValue (typed or numeric string) and a 3-letter ISO 4217 currency.

NAMEDIUM

Each capability has version + spec + schemaucp-capability-required-fieldsUCP

Skipped — Profile declares no capabilities; required-field checks have nothing to evaluate.

Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.

UCP overview — capabilities

Not scoredimpact

Why this was skipped

Profile declares no capabilities; required-field checks have nothing to evaluate.

How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.

FAILLOW

HSTS policy carries the preload directivehsts-preload-directiveHSTS

Add preload to your Strict-Transport-Security header and submit to hstspreload.org

Why this matters: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.

RFC 6797 — HSTS `preload` directive (vendor extension)

−0.3impact

Findings (1)

Inspected the homepage Strict-Transport-Security header ("max-age=7889238") and the preload directive is absent.

How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).

HSTS header is missing the preload directiveLOW
/
What we found
```
max-age=7889238
```
What we expected
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Append ; preload after includeSubDomains and submit your domain at https://hstspreload.org/.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILLOW

Product `aggregateRating` presentproduct-aggregate-rating-presentSchema.org

Add an AggregateRating to Product nodes when you have real reviews

Why this matters: Review ratings are a trust signal agents use to rank and filter products.

schema.org/AggregateRating

−0.2impact

Findings (11)

Looked for a valid aggregateRating on Product JSON-LD across 20 sampled product pages (0 valid, 0%).

How: On each Product node, parse aggregateRating (or the first element if it's an array) and require ratingValue in [0,5] AND reviewCount or ratingCount ≥ 1.

Coverage

0/20 · 0%

Product has no valid AggregateRating (ratingValue 0-5 + reviewCount/ratingCount ≥ 1)LOW× 10
Render aggregateRating from real review totals — never fabricate.
Affected (10)

…and 1 more

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILLOW

Alt text on at least 80% of PDP imagesimage-alt-text-coverageWCAG

Add descriptive alt text to product images (WCAG 2.x SC 1.1.1)

Why this matters: Alt text is the only text description AI agents and screen readers have for your product imagery.

WCAG 2.x SC 1.1.1 — Non-text Content

−0.2impact

Findings (11)

Parsed <img> alt attributes across 20 sampled product pages (0 have alt text on at least 80% of images).

How: Per PDP, count <img> tags via regex; a tag 'has alt text' when its alt attribute is present AND non-empty after trim. A PDP passes when it carries no <img> at all OR ≥80% of its <img> tags have non-empty alt.

Coverage

0/20 · 0%

Most images on this product page lack alt textLOW× 10
What we expected
```
<img src="/img/sneaker.webp" alt="Red leather running shoe, side view" />
```
Populate the alt attribute on each <img> with a description of what the image shows; use alt="" only for decorative images.
Affected (10)
- /products/the-iceflow%E2%84%A2-flip-straw-tumbl…27/61 <img> tags have non-empty alt (44%)
- /products/the-quencher-protour-flip-straw-tumbl…28/62 <img> tags have non-empty alt (45%)
- /products/adventure-stacking-beer-pint-stanley-…27/60 <img> tags have non-empty alt (45%)
- /products/the-iceflow%E2%84%A2-bottle-with-flip…30/64 <img> tags have non-empty alt (47%)
- /products/country-collection-iceflow-tumbler-30…30/65 <img> tags have non-empty alt (46%)
- /products/country-collection-quencher-protour-f…30/65 <img> tags have non-empty alt (46%)
- /products/country-collection-iceflow-aerolight-…31/66 <img> tags have non-empty alt (47%)
- /products/country-collection-stacking-pint-16-oz27/61 <img> tags have non-empty alt (44%)
- /products/the-daybreak-cafe-latte-cup-10-6-oz32/64 <img> tags have non-empty alt (50%)
- /products/the-daybreak-cafe-latte-cup-stillness…29/64 <img> tags have non-empty alt (45%)

…and 1 more

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILLOW

About page reachable with substantive copyabout-page-reachableMerchant

Publish a substantive About page at a standard URL

Why this matters: Perplexity and ChatGPT use About-page text to summarise your brand to shoppers in answer responses.

Google merchant listing — customer-support / about page

−0.2impact

Findings (1)

Probed 4 candidate About-page paths and none returned a 2xx body.

How: URL probe of platform-specific about-page paths via politeFetch; the first 2xx response whose HTML-stripped body length is ≥ 200 chars counts as a pass.

No About page reachable at any standard URLLOW
statuses: /pages/about=404, /pages/about-us=404, /about=404, /about-us=404
Publish an About page at /about (or your platform's standard path) with ≥ 200 chars of body text.

How to fix · 3 steps · create a free account to viewCreate a free account →

NALOW

OfferShippingDetails deliveryTime is a valid ShippingDeliveryTimeoffer-shipping-delivery-time-validShipping

Skipped — No OfferShippingDetails node carried `deliveryTime`, so the ShippingDeliveryTime check has nothing to evaluate.

Context: Without populated handling/transit times, agents can't quote a delivery window in shopping cards.

Google shipping-policy SD — deliveryTime as ShippingDeliveryTime

Not scoredimpact

Why this was skipped

No OfferShippingDetails node carried deliveryTime, so the ShippingDeliveryTime check has nothing to evaluate.

How: On each OfferShippingDetails node where deliveryTime is set, require an object with at least one of handlingTime / transitTime populated as a QuantitativeValue.

FAILINFO

Apple Pay markers detected (informational)apple-pay-detectedSchema.org

Enable Apple Pay through your payment processor (informational only)

Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.

Apple Pay availability — payment options observed

No score impactimpact

Findings (1)

Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.

How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.

No Apple Pay markers detected on the homepage or PDPsINFO
/
Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILINFO

Google Pay markers detected (informational)google-pay-detectedSchema.org

Enable Google Pay through your payment processor (informational only)

Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.

Google Pay availability — payment options observed

No score impactimpact

Findings (1)

Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.

How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.

No Google Pay markers detected on the homepage or PDPsINFO
/
Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

How to fix · 3 steps · create a free account to viewCreate a free account →

16 failing · 7 not checked · 23 shown