AI Readiness Checklist for Websites

February 15, 2026 · 11 min read

AI chatbots, search engines, and autonomous agents are rewriting the rules of web discovery. Whether a site gets recommended by ChatGPT, cited by Perplexity, or surfaced in Google's AI Overview depends on trust signals that most site owners have never heard of — and certainly aren't monitoring.

This checklist covers the 43 checks that AI-Signed runs across five trust categories. Each check contributes to a weighted trust score that determines your letter grade (A+ through F) and badge level. Use this as a practical, actionable guide to bring your site into full compliance — or run a free scan to see exactly where you stand right now.

Category 1: Identity Verification

Identity verification proves that the entity behind a website is who they claim to be. AI systems and search engines use these signals to distinguish legitimate businesses from anonymous, untraceable sites. A strong identity profile makes your site fundamentally more trustworthy to both algorithms and humans.

DNS Verification

Add a DNS TXT record to prove you own the domain. This is the foundational identity check — without it, anyone could claim to represent your website. AI-Signed provides a unique token to add as a TXT record at your registrar.

WHOIS Transparency

Public WHOIS registrant information adds transparency. While privacy protection is common, sites with identifiable registration details score higher in trust assessments. Consider using organizational registration rather than personal privacy masking.

Organization Consistency

Your email domain should match your website domain. Sending from contact@yourdomain.com is far more trustworthy than a generic Gmail or Yahoo address. Consistent organizational identity across web presence, email, and payment information signals legitimacy.

Payment Verification

An active subscription (processed through a verified payment method) adds another layer of identity confirmation. It proves a real financial entity stands behind the site.

Category 2: Technical Security

Technical security is the largest weighted category in AI-Signed's trust score, and for good reason. An insecure website puts visitors at risk, and neither search engines nor AI chatbots will recommend a site that could expose users to data interception, phishing, or malware. This category covers the full security stack from SSL/TLS to DNS hardening.

SSL/TLS Certificate

A valid SSL certificate from a trusted certificate authority is non-negotiable. Let's Encrypt provides free certificates with automated renewal. AI-Signed checks certificate validity, expiration date, issuer trust, TLS version (1.2+ required), and cipher strength (256-bit AES-GCM recommended).

HTTPS Enforcement

Every HTTP request must redirect to HTTPS (301 redirect). No exceptions. Mixed content — loading any resource (images, scripts, stylesheets) over HTTP on an HTTPS page — also triggers a failure.

Security Headers

Six security headers are evaluated individually, each protecting against a specific class of attack:

  • Strict-Transport-Security (HSTS) — Forces HTTPS connections, prevents downgrade attacks. Set max-age to at least 31536000 (1 year).
  • Content-Security-Policy (CSP) — Prevents XSS and injection attacks by controlling which resources can load.
  • X-Frame-Options — Prevents clickjacking by blocking your site from being embedded in iframes. Set to SAMEORIGIN.
  • X-Content-Type-Options — Prevents MIME-type sniffing. Set to nosniff.
  • Referrer-Policy — Controls how much referrer information is sent with requests. Set to strict-origin-when-cross-origin.
  • Permissions-Policy — Restricts which browser features (camera, microphone, geolocation) can be accessed.
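A small grader for the six headers above, written as an added example (it is not AI-Signed's scanner). The pass rules encode the values the list recommends; Referrer-Policy also accepts values stricter than the recommended one, which is my assumption, and both header dictionaries are constructed.

```python
import re

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age the checklist asks for


def check_security_headers(headers):
    """Return {header: passed} for a dict of HTTP response headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    # Assumption: the recommended Referrer-Policy or any stricter value passes.
    strict_referrer = {"strict-origin-when-cross-origin", "strict-origin",
                       "same-origin", "no-referrer"}
    return {
        "Strict-Transport-Security": bool(m) and int(m.group(1)) >= ONE_YEAR,
        "Content-Security-Policy": bool(h.get("content-security-policy")),
        "X-Frame-Options": h.get("x-frame-options", "").upper() in {"SAMEORIGIN", "DENY"},
        "X-Content-Type-Options": h.get("x-content-type-options", "").lower() == "nosniff",
        "Referrer-Policy": h.get("referrer-policy", "").lower() in strict_referrer,
        "Permissions-Policy": bool(h.get("permissions-policy")),
    }


def failing_headers(headers):
    """Names of the headers that still need fixing, in checklist order."""
    return [name for name, ok in check_security_headers(headers).items() if not ok]


# Constructed: a typical default response with a one-day HSTS lifetime.
WEAK = {
    "Server": "nginx/1.24.0",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html",
}

# Constructed: the same site after applying the six recommended values.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    print("weak site fails:", failing_headers(WEAK))
    print("hardened site fails:", failing_headers(HARDENED))
```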

DNS Hardening

DNSSEC (Domain Name System Security Extensions) protects against DNS spoofing and cache poisoning. CAA (Certificate Authority Authorization) records restrict which CAs can issue certificates for your domain. Both are configured wherever your DNS zone is hosted, which for most sites is the domain registrar.

Email Authentication

SPF, DKIM, and DMARC records authenticate your email and prevent spoofing. SPF declares which servers can send email from your domain. DKIM adds a cryptographic signature. DMARC specifies what to do with messages that fail SPF/DKIM checks (set p=reject for maximum protection).
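An added example (not AI-Signed's code) that evaluates SPF and DMARC TXT records against the advice above. The record strings are constructed; in practice they come from TXT lookups of the domain and of `_dmarc.<domain>`. Treating `~all` and `p=quarantine` as passes that still merit an upgrade, and `p=none` as a failure, is my assumption.

```python
def check_spf(txt):
    """Return (passed, reason) for an SPF TXT record.

    Passes when the record is v=spf1 and its final 'all' mechanism is
    -all (hard fail) or ~all (soft fail); +all or no 'all' is a failure.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    qualifier = terms[-1].lower()
    if qualifier == "-all":
        return True, "-all: unlisted senders hard-fail"
    if qualifier == "~all":
        return True, "~all: soft fail only, consider -all"  # assumption: still a pass
    return False, f"permissive or missing 'all' mechanism: {qualifier}"


def parse_tags(txt):
    """Split DMARC 'tag=value; tag=value' syntax into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt):
    """Return (passed, reason) for a DMARC TXT record (from _dmarc.<domain>)."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return True, "p=reject: maximum protection"
    if policy == "quarantine":
        return True, "p=quarantine: upgrade to p=reject"  # assumption: still a pass
    return False, f"p={policy or 'missing'}: failing messages are not acted on"


# Constructed records for a fictional domain.
GOOD_SPF = "v=spf1 include:_spf.example-mail.net -all"
BAD_SPF = "v=spf1 include:_spf.example-mail.net +all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for record in (GOOD_SPF, BAD_SPF):
        print("SPF  ", check_spf(record))
    for record in (GOOD_DMARC, MONITOR_ONLY_DMARC):
        print("DMARC", check_dmarc(record))
```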

Server Configuration

Strip version information from your Server header (e.g., don't expose "nginx/1.24.0" or "Apache/2.4.57"). Ensure your server responds with a 200 status on the homepage, demonstrating the site is operational and serving content correctly.

Performance

Server response time under 500ms, gzip/brotli compression enabled, and proper Cache-Control/ETag headers on static assets. Fast, well-cached sites signal professional maintenance and improve both user experience and crawl efficiency.

Category 3: Content Trust

Content trust evaluates whether your site contains the baseline content that legitimate, professional websites are expected to have. Thin or missing content is one of the strongest signals of a low-quality or potentially fraudulent site.

Privacy Policy

A visible, accessible privacy policy is both a legal requirement in many jurisdictions and a baseline trust signal. It should be linked from your footer or navigation. AI-Signed checks for a /privacy page or a clearly linked privacy policy.

Terms of Service

Similar to the privacy policy, terms of service demonstrate that a site operates under defined rules and expectations. This signals maturity and accountability.

Contact Information

A visible contact page or contact details (email, phone, address) demonstrates that there are real people behind the site who can be reached. Sites without any contact information are significantly less likely to be recommended by AI systems.

Meta Description

A well-written meta description tag on your homepage tells search engines and AI models what your site is about before they read a single word of body content. Keep it under 160 characters, factual, and keyword-relevant.

Content Quality

Key pages should contain at least 300 words of meaningful content. Thin content — pages with just a few sentences, placeholder text, or mostly navigation — signals a site that is either incomplete or not maintained. Quality content with proper heading structure, paragraphs, and supporting detail builds authority.

Favicon and Branding

A favicon may seem minor, but its absence is a consistent indicator of incomplete or amateur site setup. It's the web equivalent of not having a sign on your business.

No Mixed Content

Every resource on every page — images, scripts, stylesheets, fonts — must load over HTTPS. A single HTTP resource on an HTTPS page creates a "mixed content" warning that undermines the entire security posture of the site.

Category 4: Reputation

Reputation reflects the historical trustworthiness of your domain. While you can't change your domain age overnight, you can ensure your site maintains a clean record across every reputation checkpoint.

Domain Age

Older domains are inherently more trusted. A domain registered 10 years ago is far less likely to be a scam than one registered last week. If your domain is new, this check will score lower naturally — focus on excelling in other categories to compensate.

Google Safe Browsing

Google maintains a constantly updated database of sites flagged for malware, phishing, or social engineering. Being flagged is catastrophic for trust — both search engines and AI systems will immediately deprioritize or block your site. Monitor your status regularly.

Abuse Contact

Your registrar should publish an abuse contact in RDAP/WHOIS records. This signals that the domain is managed by a responsible entity that can be reached for legitimate complaints.

No Suspicious Redirects

Your domain should not redirect visitors to unrelated external sites. Redirect chains — especially across different domains — are a hallmark of compromised or deceptive sites and will tank your trust score.

Category 5: AI Readiness

AI readiness is the most forward-looking category and the one most site owners overlook entirely. These checks determine whether AI language models and autonomous agents can discover, understand, and interact with your site. As AI-driven discovery replaces traditional search for more query types, this category will only grow in importance.

robots.txt (AI Crawlers)

Your robots.txt must allow major AI crawlers — GPTBot (OpenAI), ClaudeBot (Anthropic), PerplexityBot, and others — to access your content. Many sites block these by default without realizing it, making themselves invisible to AI-powered discovery.
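The following added example (not AI-Signed's scanner) uses Python's standard-library robots.txt parser to report which of the three crawlers named above a site blocks. It covers the common mistake of a blanket `User-agent: *` / `Disallow: /` that silently blocks every AI crawler, as well as a group that targets one crawler by name. The three robots.txt bodies and the site URL are constructed.

```python
from urllib.robotparser import RobotFileParser

# The AI crawler user-agent tokens named in the checklist.
AI_CRAWLERS = ["GPTBot", "ClaudeBot", "PerplexityBot"]


def blocked_ai_crawlers(robots_txt, site="https://example.com", path="/"):
    """Return the AI_CRAWLERS entries that robots.txt forbids from fetching path.

    A crawler is blocked when its own User-agent group disallows the path,
    or, when no group names it, when the '*' group does.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [bot for bot in AI_CRAWLERS if not rp.can_fetch(bot, site + path)]


# Constructed: "only Googlebot" setup that blocks every AI crawler by default.
BLOCKING_ROBOTS = """\
User-agent: Googlebot
Allow: /

User-agent: *
Disallow: /
"""

# Constructed: admin pages are private, everything else is open to all crawlers.
OPEN_ROBOTS = """\
User-agent: *
Disallow: /admin/

Sitemap: https://example.com/sitemap.xml
"""

# Constructed: one crawler is singled out while the rest are allowed.
MIXED_ROBOTS = """\
User-agent: GPTBot
Disallow: /

User-agent: *
Allow: /
"""

if __name__ == "__main__":
    for name, body in [("blocking", BLOCKING_ROBOTS), ("open", OPEN_ROBOTS), ("mixed", MIXED_ROBOTS)]:
        print(f"{name:>8}: blocked = {blocked_ai_crawlers(body)}")
```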

Sitemap.xml

A valid sitemap helps AI crawlers (and search engines) discover your pages efficiently. Include all public pages, set appropriate changefreq and priority values, and reference it from your robots.txt with a Sitemap: directive.

llms.txt

A plain-text file at /llms.txt that describes your site in structured Markdown format. This is the most direct way to communicate with AI models about who you are and what you offer. Read our full guide on llms.txt.

Structured Data (JSON-LD)

Schema.org structured data and Open Graph tags provide machine-readable context about your content. At minimum, implement Organization and WebSite schemas. Add relevant content types (Product, Article, FAQPage) based on your page content.

ai-plugin.json

A manifest file at /.well-known/ai-plugin.json that describes your site for AI agent platforms. Originally designed for ChatGPT plugins, this format is now recognized by multiple AI systems as a standard for declaring AI agent compatibility.

security.txt

A standardized file at /.well-known/security.txt that provides security contact information. Defined by RFC 9116, it tells AI systems and security researchers how to report vulnerabilities — a signal of professional security practices.

API Documentation

For sites with developer-facing services, an OpenAPI specification at /openapi.json or /docs provides machine-readable API documentation. AI agents use this to understand how to interact with your services programmatically.

Understanding the Trust Score and Grading

AI-Signed weighs each category and individual check to produce a single overall trust score from 0 to 100. Technical security carries the heaviest weight, reflecting the reality that a security-compromised site cannot be trusted regardless of how well it scores in other categories. The score maps to a letter grade and badge level:

  • A+: Platinum · 95-100
  • A: Gold · 85-94
  • B: Silver · 70-84
  • C: Bronze · 55-69

Sites scoring below 55 receive a D or F grade and do not qualify for a trust badge. The goal is to reach at least Silver (B) grade, with Gold (A) or Platinum (A+) indicating top-tier trust compliance.

Automate the Entire Checklist with AI-Signed

You can work through this checklist manually — checking each header, configuring each DNS record, verifying each file exists. Or you can run a free scan that evaluates all 43 checks in under 30 seconds and tells you exactly what's passing and what needs to be fixed, with specific remediation instructions for each failure.

With a $5.99/month subscription, AI-Signed provides continuous monitoring, a verified trust badge you can embed on your site, and a public API that lets AI agents verify your trust status programmatically. Your trust badge updates automatically as you implement fixes — no manual re-scanning required.

The checks in this article aren't theoretical. They're the actual signals that AI chatbots, search engines, and autonomous agents evaluate when deciding which websites to trust and recommend. Every check you pass increases the probability that your site becomes a cited source of truth in AI-generated responses.

How many of the 43 checks does your site pass?

Find out in 30 seconds with a free trust scan.