stjudeshop.com — AI Commerce Audit

HALFCRITICAL

HTTPS enforced sitewide + HSTS (≥ 6-month max-age)https-and-hsts-enforcedHSTS

Enforce HTTPS sitewide and ship a Strict-Transport-Security header with max-age ≥ 6 months

Why this matters: AI agents and payment flows refuse plain HTTP; weak HSTS is treated as effectively no HSTS by trust-and-safety scanners.

RFC 6797 — HTTP Strict Transport Security (HSTS)

−2.9impact

Findings (1)

Confirmed the homepage is HTTPS (status 200), probed http://stjudeshop.com/ for redirect behaviour, and parsed the Strict-Transport-Security header (value: "max-age=0").

How: URL scheme + homepage status check, an http://host/ redirect probe through politeFetch, and a Strict-Transport-Security max-age parse (RFC 6797; ≥ 180-day threshold).

HSTS max-age is below the 6-month minimumCRITICAL
/parsed max-age = 0s (need ≥ 15552000s = 180 days)
What we found
```
max-age=0
```
What we expected
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
Bump max-age to at least 15552000 (180 days). 31536000 (1 year) is required for preload-list inclusion.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILHIGH

Product JSON-LD present on PDPsproduct-jsonld-presentSchema.orgMerchant

Publish a Product JSON-LD block on every PDP

Why this matters: Product JSON-LD is how agents identify the canonical product entity without running JavaScript.

schema.org/Product

−2.5impact

Findings (11)

Parsed JSON-LD on 20 sampled product pages for a Product node (7 found, 35%).

How: Walk each sampled PDP's parsed jsonLdBlocks, flatten @graph containers, and count the page as passing if any node has @type Product / ProductGroup / IndividualProduct / ProductModel.

Coverage

7/20 · 35%

No Product JSON-LD on this PDPHIGH× 10
Add a <script type="application/ld+json"> block with @type: Product to the PDP <head>.
Affected (10)

…and 1 more

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILHIGH

Brand attribution on PDPsproduct-brand-attributionSchema.orgMerchant

Surface brand attribution on every PDP

Why this matters: Brand on every product is a primary agent filter and a required feed field.

schema.org/Product.brand

−1.9impact

Findings (11)

Checked 20 sampled product pages for brand attribution via Product JSON-LD or visible HTML signals (0 attributed, 0%).

How: On each PDP, accept brand attribution from either (a) extractBrand on the first Product JSON-LD node OR (b) an HTML brand signal (OG product:brand, brand meta, og:brand, Microdata itemprop="brand").

Coverage

0/20 · 0%

No brand attribution on this PDP (neither JSON-LD brand nor OG/Microdata)HIGH× 10
Add brand to the Product JSON-LD or a <meta property="product:brand"> tag.
Affected (10)

…and 1 more

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILHIGH

GTIN coverage on PDPsproduct-gtin-populatedSchema.orgMerchant

Populate gtin on every branded Product node

Why this matters: GTINs let agents match your product to the same item elsewhere; without them you lose cross-catalog matching.

schema.org/Product.gtin

−1.9impact

Findings (11)

Checked 20 sampled product pages for a GTIN in the Product JSON-LD (0 carry a valid GTIN, 0%).

How: Extract gtin / gtin8 / gtin12 / gtin13 / gtin14 from the first Product JSON-LD node on each PDP; validate digit length.

Coverage

0/20 · 0%

No valid GTIN on this product pageHIGH× 10
Populate gtin/gtin8/gtin12/gtin13/gtin14 with the manufacturer's barcode.
Affected (10)

…and 1 more

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILHIGH

UCP profile carries all four required top-level keysucp-profile-required-keysUCP

Add every required top-level key to the UCP profile

Why this matters: A profile missing one of the four required keys is treated as non-conformant — agent runtimes fall back to default behaviour and may skip the merchant.

UCP overview — required profile keys

−1.5impact

Findings (1)

Profile is missing required key(s): signing_keys.

How: Read the profile root (or top-level ucp wrapper) and verify the presence of version, services, capabilities, and signing_keys keys.

Required top-level key signing_keys is missingHIGH
/.well-known/ucp
What we expected
```
Add a top-level "signing_keys" field to the JSON document (empty array/object is fine).
```
Set signing_keys at the root of the JSON document.

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILHIGH

Each service satisfies the transport-conditional field requirementsucp-service-transport-conditional-fieldsUCP

Populate the conditional fields required by each service's transport

Why this matters: A service declared with the right transport but missing endpoint/schema is unreachable — agents can't negotiate or connect.

UCP overview — transport-conditional fields

−1.3impact

Findings (1)

Validated 1 services with recognised transports (0 satisfy their transport's required fields).

How: For each services[] entry with a recognised transport, require the transport-conditional fields: rest/mcp → endpoint+schema; a2a → endpoint; embedded → schema.

Coverage

0/1 · 0%

Service is missing transport-conditional field(s)HIGH
/.well-known/ucpnamespace=dev.ucp.shopping; transport=rest
What we found
```
missing: schema
```
What we expected
```
`endpoint` + `schema`
```
Add schema to this services[] entry.

How to fix · 2 steps · create a free account to viewCreate a free account →

NAHIGH

Every signing_keys[] entry is a valid JWKucp-signing-keys-validJWKS

Skipped — Profile declares no signing_keys; JWK validation has no entries to evaluate.

Context: Malformed JWK entries are rejected silently by agents — signed payloads cannot be verified and the merchant loses trust signal.

RFC 7517 — JSON Web Key (JWK)

Not scoredimpact

Why this was skipped

Profile declares no signing_keys; JWK validation has no entries to evaluate.

How: Walk signing_keys[] and validate each entry per RFC 7517 §4.1 (kty required) + RFC 7518 §6 (kty-specific required parameters). kid is OPTIONAL per RFC 7517 §4.5 and not enforced here.

FAILMEDIUM

Product `brand` is a string or Brand/Organization objectproduct-brand-string-or-objectSchema.orgMerchant

Emit brand as either a string or a typed Brand object on every Product

Why this matters: Brand on every product is a primary agent filter and a required feed field.

schema.org/brand — Text | Brand | Organization

−1.1impact

Findings (7)

Inspected the brand field on Product JSON-LD across 7 sampled product pages (0 valid as string or object, 0%).

How: On each Product node, accept brand if it's a non-empty trimmed string OR an object with a non-empty name. Objects with @type Brand/Organization but no name are rejected.

Coverage

0/7 · 0%

Product brand is missing or empty (neither a string nor an object with name)MEDIUM× 7
Emit brand as "Acme" (string) or {"@type":"Brand","name":"Acme"} (object).
Affected (7)

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILMEDIUM

HSTS policy carries the includeSubDomains directivehsts-include-subdomainsHSTS

Add includeSubDomains to your Strict-Transport-Security header

Why this matters: Without includeSubDomains, an HTTP subdomain (staging, mail, …) can be used to attack the apex's cookies.

RFC 6797 — HSTS `includeSubDomains` directive

−1.1impact

Findings (1)

Inspected the homepage Strict-Transport-Security header ("max-age=0") and the includeSubDomains directive is absent.

How: Parse the homepage Strict-Transport-Security header for the includeSubDomains directive (RFC 6797 §6.1.2).

HSTS header is missing the includeSubDomains directiveMEDIUM
/
What we found
```
max-age=0
```
What we expected
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
Append ; includeSubDomains to your STS header once every subdomain you operate supports HTTPS.

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILMEDIUM

Organization/OnlineStore JSON-LD with contactPoint on homepageorganization-jsonld-with-contactSchema.org

Add an Organization (or OnlineStore) JSON-LD block to your homepage with a contactPoint

Why this matters: Organization markup with a contactPoint tells AI agents who you are and how a shopper can reach you for support.

schema.org/Organization (and OnlineStore subclass) with contactPoint

−1impact

Findings (1)

Found a homepage Organization node but its contactPoint is missing both email and telephone.

How: Parse homepage <script type="application/ld+json"> blocks, flatten @graph, and look for an Organization/OnlineStore/Store node with a contactPoint carrying email or telephone.

Homepage Organization node has no contactPoint with email or telephoneMEDIUM
/
What we expected
```
"contactPoint": [{"@type":"ContactPoint","contactType":"customer service","email":"support@example.com","telephone":"+1-555-123-4567"}]
```
Add a contactPoint object with at least one of email or telephone.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILMEDIUM

Third-party review-platform integration detectedreview-app-detectedSchema.org

Install a third-party review platform so agents see syndicated reviews on your storefront

Why this matters: Third-party review widgets feed the ratings AI agents trust when ranking merchants.

schema.org/Review vocabulary

−0.9impact

Findings (1)

Scanned the homepage and 20 sampled PDPs for 8 review-platform asset fingerprints; none matched.

How: Substring scan of homepage and sampled PDP HTML for known review-platform asset fingerprints (judge.me, yotpo, stamped.io, reviews.io, okendo, loox, trustpilot, bazaarvoice).

No third-party review-platform integration detectedMEDIUM
none of 8 fingerprints matched across 21 sources
Install a Judge.me / Yotpo / Loox / Okendo / Stamped / Reviews.io / Trustpilot / Bazaarvoice widget on your storefront.

How to fix · 3 steps · create a free account to viewCreate a free account →

NAMEDIUM

MerchantReturnPolicy merchantReturnLink URL is reachablemerchant-return-link-reachableReturns

Skipped — No MerchantReturnPolicy node carried a `merchantReturnLink` URL, so reachability has nothing to evaluate.

Context: A broken return-link makes Option B policies invisible — agents can't render or follow the link.

Google return-policy SD — merchantReturnLink reachability

Not scoredimpact

Why this was skipped

No MerchantReturnPolicy node carried a merchantReturnLink URL, so reachability has nothing to evaluate.

How: Collect every unique merchantReturnLink URL across all MerchantReturnPolicy nodes; probe each once via politeFetch (failSoft). 2xx counts as reachable.

NAMEDIUM

Each capability has version + spec + schemaucp-capability-required-fieldsUCP

Skipped — Profile declares no capabilities; required-field checks have nothing to evaluate.

Context: Capabilities missing version/spec/schema can't be matched against agent support tables — agents skip them silently.

UCP overview — capabilities

Not scoredimpact

Why this was skipped

Profile declares no capabilities; required-field checks have nothing to evaluate.

How: For each capabilities[] entry, require non-empty string values for version, spec, and schema.

NAMEDIUM

Each service's `spec` URL origin matches its namespace authorityucp-service-spec-url-origin-matchesUCP

Skipped — No services declared a `spec` URL; origin matching has nothing to evaluate.

Context: A spec URL on an unrelated authority signals the service was copy-pasted from stale documentation — agents can't trust the conformance claim.

UCP overview — service specs

Not scoredimpact

Why this was skipped

No services declared a spec URL; origin matching has nothing to evaluate.

How: For each service with a spec URL, require the URL origin to be a canonical UCP authority OR the host/path to include the namespace token.

FAILLOW

HSTS policy carries the preload directivehsts-preload-directiveHSTS

Add preload to your Strict-Transport-Security header and submit to hstspreload.org

Why this matters: HSTS preload-list inclusion is the strongest downgrade protection available — first-time visits are protected too.

RFC 6797 — HSTS `preload` directive (vendor extension)

−0.3impact

Findings (1)

Inspected the homepage Strict-Transport-Security header ("max-age=0") and the preload directive is absent.

How: Parse the homepage Strict-Transport-Security header for the preload directive (hstspreload.org vendor extension to RFC 6797).

HSTS header is missing the preload directiveLOW
/
What we found
```
max-age=0
```
What we expected
```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Append ; preload after includeSubDomains and submit your domain at https://hstspreload.org/.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILLOW

Product `aggregateRating` presentproduct-aggregate-rating-presentSchema.org

Add an AggregateRating to Product nodes when you have real reviews

Why this matters: Review ratings are a trust signal agents use to rank and filter products.

schema.org/AggregateRating

−0.2impact

Findings (6)

Looked for a valid aggregateRating on Product JSON-LD across 7 sampled product pages (1 valid, 14%).

How: On each Product node, parse aggregateRating (or the first element if it's an array) and require ratingValue in [0,5] AND reviewCount or ratingCount ≥ 1.

Coverage

1/7 · 14%

Product has no valid AggregateRating (ratingValue 0-5 + reviewCount/ratingCount ≥ 1)LOW× 6
Render aggregateRating from real review totals — never fabricate.
Affected (6)

How to fix · 2 steps · create a free account to viewCreate a free account →

FAILLOW

Alt text on at least 80% of PDP imagesimage-alt-text-coverageWCAG

Add descriptive alt text to product images (WCAG 2.x SC 1.1.1)

Why this matters: Alt text is the only text description AI agents and screen readers have for your product imagery.

WCAG 2.x SC 1.1.1 — Non-text Content

−0.2impact

Findings (11)

Parsed <img> alt attributes across 20 sampled product pages (4 have alt text on at least 80% of images).

How: Per PDP, count <img> tags via regex; a tag 'has alt text' when its alt attribute is present AND non-empty after trim. A PDP passes when it carries no <img> at all OR ≥80% of its <img> tags have non-empty alt.

Coverage

4/20 · 20%

Most images on this product page lack alt textLOW× 10
What we expected
```
<img src="/img/sneaker.webp" alt="Red leather running shoe, side view" />
```
Populate the alt attribute on each <img> with a description of what the image shows; use alt="" only for decorative images.
Affected (10)
- /the-year-of-st-joseph/st-joseph-gold-rim-lapel…15/19 <img> tags have non-empty alt (79%)
- /church-supplies/metalware/monstances-thabors/m…15/19 <img> tags have non-empty alt (79%)
- /church-supplies/gothic-chasuble-275215/19 <img> tags have non-empty alt (79%)
- /shop-religious-articles/gifts/inspirational-ar…15/19 <img> tags have non-empty alt (79%)
- /shop-religious-articles/jesus-with-the-childre…15/19 <img> tags have non-empty alt (79%)
- /church-supplies/candles-candle-fixtures/sanctu…15/19 <img> tags have non-empty alt (79%)
- /shop-religious-articles/literature-media/books…15/19 <img> tags have non-empty alt (79%)
- /shop-religious-articles/book-of-saints-picture…15/19 <img> tags have non-empty alt (79%)
- /gifts/inspirational-art-for-the-home/devotions…15/19 <img> tags have non-empty alt (79%)
- /shop-religious-articles/st-john-vianney-biogra…15/19 <img> tags have non-empty alt (79%)

…and 1 more

How to fix · 3 steps · create a free account to viewCreate a free account →

NALOW

UCP MCP-transport entries have valid HTTPS endpointsucp-mcp-transport-validUCP

Skipped — Walked services[] for `transport: "mcp"` entries; none advertised.

Context: If you advertise MCP transport, agents will try to connect — broken or non-HTTPS endpoints fail silently and lose the integration.

UCP overview — transport declarations

Not scoredimpact

Why this was skipped

Walked services[] for transport: "mcp" entries; none advertised.

How: Filter services[] to entries where transport=mcp and validate that endpoint is an absolute https:// URL.

FAILINFO

Apple Pay markers detected (informational)apple-pay-detectedSchema.org

Enable Apple Pay through your payment processor (informational only)

Why this matters: Apple Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.

Apple Pay availability — payment options observed

No score impactimpact

Findings (1)

Scanned the homepage and 20 sampled PDPs for Apple Pay markers; none matched.

How: Substring match on known Apple Pay SDK/markup signatures (ApplePaySession, apple-pay-button, /apple-developer-merchantid-domain-association) across the homepage and every sampled PDP HTML.

No Apple Pay markers detected on the homepage or PDPsINFO
/
Enable Apple Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

How to fix · 3 steps · create a free account to viewCreate a free account →

FAILINFO

Google Pay markers detected (informational)google-pay-detectedSchema.org

Enable Google Pay through your payment processor (informational only)

Why this matters: Google Pay is a checkout-quality signal for human shoppers — informational only, does not affect the agent-readiness score.

Google Pay availability — payment options observed

No score impactimpact

Findings (1)

Scanned the homepage and 20 sampled PDPs for Google Pay markers; none matched.

How: Substring match on known Google Pay SDK/markup signatures (pay.google.com/gp/p/js/pay.js, google.payments.api, <google-pay-button) across the homepage and every sampled PDP HTML.

No Google Pay markers detected on the homepage or PDPsINFO
/
Enable Google Pay in your payment processor's dashboard (Stripe / Adyen / Braintree). Informational only — does not affect the score.

How to fix · 3 steps · create a free account to viewCreate a free account →

NAINFO

llms.txt present (informational)llms-txt-presentllms.txt

Skipped — Looked for /llms.txt at the site root; the fetcher returned no file.

Context: An /llms.txt manifest points agents at your feed and key pages without them having to guess.

llmstxt.org — /llms.txt manifest

Not scoredimpact

Why this was skipped

Looked for /llms.txt at the site root; the fetcher returned no file.

How: Check whether the fetcher reached an /llms.txt at the site root. Informational only — no failure path per llmstxt.org being a voluntary community convention.

15 failing · 6 not checked · 21 shown