Deploylint Alpha

Check catalog

What Deploylint checks, and why

This website catalog is the shared source of truth behind report explanations. It currently documents 51 high-signal checks first: launch blockers, security headers, exposed deployment surfaces, CVEs, service readiness, SEO, social previews, AI discoverability, and app polish that developers can act on.

p0

Launch blockers

Checks that can make a launch unsafe, invisible, unreachable, or legally risky.

Env committed

env-committed

Why this matters

Committed env files turn private configuration into repository history. Even after deletion, old commits can keep secrets recoverable.

Detection

Public GitHub repo scans sample repository files and flag committed .env-style files outside safe examples.

Might be okay if

An intentionally empty .env.example is fine; real .env files with values should never be committed.

Exposed env

exposed-env

Why this matters

A public dotenv file usually means live credentials are downloadable by anyone. Treat every value in it as compromised.

Detection

Probes common same-origin dotenv paths such as /.env and checks whether they return reachable secret-like content.

Might be okay if

A honeypot or empty placeholder file can still be confusing to scanners and attackers; remove it from the public web root.

Exposed git

exposed-git

Why this matters

An exposed .git directory can reveal source code, commit history, and secrets that were removed from the current working tree.

Detection

Probes same-origin /.git/HEAD and related metadata paths for public reachability.

Might be okay if

Rarely intentional. If this is a static decoy, block it anyway so automated exploit tooling does not treat the host as vulnerable.

Fetch

fetch

Why this matters

If Deploylint cannot fetch the target, it cannot judge SEO, legal, social preview, security headers, or app readiness with confidence.

Detection

Runs the initial public fetch for the submitted URL and records network failures or blocked scanner responses.

Might be okay if

Bot-protected enterprise sites may block scanners intentionally. For your own launch, test a staging URL that allows automated fetches.

Form security

form-security

Why this matters

Insecure forms can leak credentials or personal data, especially when HTTPS pages submit to HTTP endpoints or password fields appear on HTTP pages.

Detection

Scans rendered HTML forms for insecure actions and password fields on non-HTTPS pages.

Might be okay if

Static demo forms can still scare browsers and users; remove them or make the action relative/HTTPS before launch.
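
The two conditions in the form-security detection above, written out as an added example; this is not Deploylint's own code. The names `FormAuditor`, `audit_forms`, the finding labels and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collects insecure-form findings for one rendered page (hypothetical helper)."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL, and
            # relative or protocol-relative actions inherit the page scheme,
            # so resolve the action before judging it.
            target = urljoin(self.page_url, (attrs.get("action") or "").strip())
            if self.page_is_https and urlsplit(target).scheme == "http":
                self.findings.append(("https-form-posts-to-http", target))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if not self.page_is_https:
                self.findings.append(("password-field-on-http-page", self.page_url))


def audit_forms(page_url, html):
    """Return a list of (finding, url) tuples for the given page HTML."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample markup: a relative action, an absolute http:// action,
# and a protocol-relative action.
SAMPLE_HTML = """
<form action="/session" method="post"><input type="password" name="pw"></form>
<form action="http://legacy.example/subscribe"><input type="email" name="e"></form>
<form action="//forms.example/contact"><input name="msg"></form>
"""

if __name__ == "__main__":
    for url in ("https://app.example/login", "http://app.example/login"):
        print(url, audit_forms(url, SAMPLE_HTML))
```

Only the absolute `http://` action is flagged on the HTTPS page, which is why the "Might be okay if" advice to use a relative or HTTPS action clears the finding.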

HTTPS

https

Why this matters

HTTPS is table stakes for launches: browsers, auth cookies, payments, forms, and search trust all assume transport encryption.

Detection

Checks whether the final scanned URL is served over https:// after redirects.

Might be okay if

Local development and private preview tunnels may use HTTP, but public launch URLs should not.

Noindex

noindex

Why this matters

A noindex homepage can make a launched product invisible to search engines even when the rest of the launch looks ready.

Detection

Checks rendered homepage HTML for a robots meta tag containing noindex.

Might be okay if

Staging or private preview URLs should often be noindex; the public production URL should not.

Privacy

privacy

Why this matters

A missing privacy policy is a trust and compliance blocker when collecting emails, analytics data, payments, or user accounts.

Detection

Extracts same-page links and crawled legal pages looking for privacy-policy style destinations and usable content.

Might be okay if

Some apps host legal pages on a separate domain; link it clearly in the footer so users and scanners can find it.

Reachable

reachable

Why this matters

A launch URL must return a usable page. If the homepage errors, every downstream SEO, trust, and conversion signal is unreliable.

Detection

Fetches the submitted URL, follows redirects, and records the final HTTP status and URL.

Might be okay if

Scanner-blocking WAF rules can cause this even when browsers work; allow Deploylint or scan a staging URL you control.

Robots block

robots-block

Why this matters

A robots.txt file that blocks all crawlers can hide a public launch from Google, Bing, AI crawlers, and link preview systems.

Detection

Fetches robots.txt and checks for broad Disallow rules that block public crawling.

Might be okay if

Private staging hosts should block crawlers; production marketing pages usually should not.

Secrets

secrets

Why this matters

Secrets in HTML, JavaScript, or source maps are already public. They can be copied, abused, indexed, and replayed after launch.

Detection

Scans homepage HTML, crawled page HTML, sampled JavaScript, and source-map content for common secret/token patterns.

Might be okay if

Placeholder values can look secret-like; replace them with obvious examples such as YOUR_API_KEY in documentation snippets.

p1

Important issues

Checks that can hurt trust, security posture, SEO, or conversion during a real launch.

Clarity

clarity

Why this matters

Launch pages need an immediately understandable title, description, and headline so visitors, search engines, and AI tools know what is being offered.

Detection

Scores the title, meta description, and H1 for basic length and presence signals that indicate clear positioning.

Might be okay if

Experimental copy can be intentionally short or mysterious, but paid acquisition and search traffic usually need plain positioning.

Description

description

Why this matters

A useful meta description improves search snippets, share previews, and AI summaries by giving crawlers a concise description of the page.

Detection

Reads the homepage meta description and checks whether it is present with enough substance to summarize the product.

Might be okay if

Some search engines rewrite descriptions, but missing or thin descriptions still leave crawlers with weaker source material.

HSTS header

hsts-header

Why this matters

HSTS tells browsers to keep using HTTPS after the first secure visit, reducing downgrade and cookie-stripping risk.

Detection

Checks the Strict-Transport-Security header on HTTPS responses.

Might be okay if

Only enable includeSubDomains after every subdomain is HTTPS-ready; a missing HSTS header is still worth fixing for production apps.

Og image live

og-image-live

Why this matters

Broken Open Graph images make product links look unfinished in chat apps, social feeds, and launch communities.

Detection

Fetches the declared og:image URL and records whether the asset responds successfully.

Might be okay if

Some platforms generate images at request time; make sure bots and anonymous requests can still fetch the final image.

Og image type

og-image-type

Why this matters

Share preview images must return an actual image content type or link unfurlers may display a blank or broken card.

Detection

Checks the fetched og:image response content type and warns when it looks like HTML or another non-image fallback.

Might be okay if

Edge image services can vary headers, but social preview bots need a stable image response.

Open graph

open-graph

Why this matters

Open Graph tags control how the product appears when shared in Slack, Discord, LinkedIn, X, and many AI/browser previews.

Detection

Checks for the core og:title, og:description, and og:image tags in rendered homepage HTML.

Might be okay if

Some private dashboards do not need rich previews; public marketing pages almost always do.

Title

title

Why this matters

The page title is the strongest basic search snippet signal and often the first text users see in tabs, results, and shared links.

Detection

Reads the resolved title from rendered homepage HTML and checks that it exists with a useful length.

Might be okay if

Single-purpose tools can use short titles, but missing or generic titles make the site look unfinished.

Twitter card

twitter-card

Why this matters

X/Twitter card tags improve link previews on X and other consumers that still read twitter:* metadata.

Detection

Checks for twitter:card and verifies summary_large_image pages have a usable twitter:image or og:image.

Might be okay if

Open Graph often covers many platforms, but adding twitter:card removes ambiguity for X previews.

Viewport

viewport

Why this matters

A mobile viewport tag prevents desktop-width layouts on phones and is a basic requirement for a launch page that works on mobile.

Detection

Checks rendered homepage HTML for a viewport meta tag.

Might be okay if

Non-visual API endpoints do not need a viewport; public websites and app shells do.

p2

Polish and readiness

Checks that make the product feel more complete and easier to operate.

AI client API

ai-client-api

Why this matters

Client-side AI API calls often turn into leaked provider keys, runaway spend, and no abuse controls. Launch apps should proxy AI calls through a server boundary.

Detection

Looks for OpenAI, Anthropic, Replicate, or Hugging Face API/provider signatures in rendered homepage or crawled page HTML.

Might be okay if

This can be okay if the page only contains public docs links or the actual provider call is authenticated through your own server endpoint.

AI crawlers

ai-crawlers

Why this matters

AI crawler access now affects whether products appear in answer engines, research tools, and assistant-generated recommendations.

Detection

Fetches robots.txt and evaluates known AI crawlers such as GPTBot, ClaudeBot, PerplexityBot, Google-Extended, and CCBot.

Might be okay if

Blocking AI crawlers can be intentional for private products or licensing reasons; public marketing sites should make that choice deliberately.

Answer signals

answer-signals

Why this matters

Clear summaries help search engines and AI assistants quote the product accurately instead of inventing a vague description from scattered copy.

Detection

Looks for a usable meta description, FAQ structured data, or concise text near the primary H1 that can act as a citable product summary.

Might be okay if

Minimal landing pages may be intentionally terse, but they still need one plain-language sentence explaining what the product does.

Auth provider

auth-provider

Why this matters

Auth is a launch-critical boundary: bad redirect URLs, wrong production keys, or loose sessions can lock users out or expose account data.

Detection

Looks for Clerk, Auth0, or WorkOS browser/package signatures in rendered homepage or crawled page HTML.

Might be okay if

Marketing-only pages may load auth widgets for signup buttons even when the protected app lives on another subdomain.

Canonical

canonical

Why this matters

Canonical URLs keep duplicate homepage variants from splitting ranking signals, previews, analytics, and search-result attribution.

Detection

Reads the canonical link tag and compares it with the final scanned URL after redirects and trailing-slash normalization.

Might be okay if

Canonicalizing to another URL can be correct for mirrors or regional pages, but the target should be intentional and reachable.

Charset meta

charset-meta

Why this matters

A declared UTF-8 charset prevents mojibake in search snippets, social previews, and browsers that guess encoding from partial content.

Detection

Checks rendered HTML for a UTF-8 charset declaration in the document head.

Might be okay if

Servers can declare charset in Content-Type, but an in-document declaration is cheap insurance for static and cached pages.

Clickjack header

clickjack-header

Why this matters

Clickjacking protections stop other sites from framing your app and tricking users into clicking destructive or account-changing UI.

Detection

Checks for X-Frame-Options or a Content-Security-Policy frame-ancestors directive on HTTPS responses.

Might be okay if

Embedding may be intentional for widgets or dashboards; frame-ancestors should explicitly allow only trusted parent origins.

CSP header

csp-header

Why this matters

A Content Security Policy reduces the blast radius of XSS by limiting which scripts, frames, images, and network targets the page can use.

Detection

Checks whether the HTTPS response includes a Content-Security-Policy header.

Might be okay if

Add a report-only policy first if the product is changing quickly and immediate enforcement would be risky.

Dependency vulns

dependency-vulns

Why this matters

Known vulnerable dependencies are one of the fastest ways for a launch to inherit public CVEs before the product has any operational maturity.

Detection

Parses supported lockfiles from public GitHub repositories and queries OSV for package/version advisories.

Might be okay if

Some advisories affect only unused code paths; keep the finding visible until the package is upgraded, removed, or the advisory is explicitly not applicable.

Duplicate meta

duplicate-meta

Why this matters

Duplicate titles and descriptions make crawled pages compete with each other and create bland search results that users cannot distinguish.

Detection

Compares homepage title and description with crawled internal pages to find repeated title-plus-description pairs.

Might be okay if

Small one-page sites may have few unique pages; once multiple routes exist, each important page should explain its distinct purpose.

Error monitoring

error-monitoring

Why this matters

Production error monitoring turns launch failures into visible alerts instead of silent user churn. It is a positive readiness signal, not just a vendor chip.

Detection

Looks for Sentry or LogRocket browser signatures in rendered homepage or crawled page HTML.

Might be okay if

The script can be present but misconfigured; verify a test exception reaches the production project before relying on it.

H1

h1

Why this matters

A single clear H1 gives visitors, assistive technology, and search crawlers the primary topic of the page without guessing.

Detection

Counts rendered homepage H1 elements and warns when the page has none or multiple competing primary headings.

Might be okay if

Complex documentation pages can use multiple prominent headings, but a launch homepage should usually have one primary H1.

Heading order

heading-order

Why this matters

Sequential headings create a readable document outline for search crawlers, AI extraction, and screen reader navigation.

Detection

Parses rendered heading tags and warns when levels skip, such as moving from H1 directly to H3.

Might be okay if

Visually styled headings can use non-heading elements; semantic heading levels should still describe the content hierarchy.

Health endpoint

health-endpoint

Why this matters

Apps with payments, auth, backend data, or AI calls need a simple uptime signal so deploys and monitors can tell broken from healthy.

Detection

For SaaS-like apps, probes common readiness paths such as /health, /healthz, /api/health, and /status.

Might be okay if

Some static marketing sites do not need a health endpoint; Deploylint only asks for one when app/service signals are detected.

Hreflang

hreflang

Why this matters

hreflang annotations help search engines serve the right localized page and avoid treating regional variants as duplicate content.

Detection

Reads alternate link tags with hreflang values and validates language codes plus x-default coverage when multiple locales exist.

Might be okay if

Single-language sites do not need hreflang; the check appears only when hreflang tags are present.

Json ld

json-ld

Why this matters

Structured data gives search engines and AI tools explicit facts about the product, organization, page type, and rich-result eligibility.

Detection

Looks for JSON-LD script blocks in the rendered homepage, such as WebSite, Product, Organization, or FAQ schema.

Might be okay if

Not every page needs structured data, but product and landing pages usually benefit from at least WebSite or Product schema.

Lang

lang

Why this matters

The html lang attribute helps browsers, assistive technology, translation tools, and crawlers interpret the page language correctly.

Detection

Checks the rendered html element for a non-empty lang attribute.

Might be okay if

Language can sometimes be inferred, but explicit language metadata is low-cost and improves accessibility and indexing.

Lemon squeezy

lemon-squeezy

Why this matters

Lemon Squeezy can handle checkout quickly, but launch readiness depends on webhook fulfillment, license delivery, and subscription state changes.

Detection

Looks for Lemon Squeezy script, asset, or domain signatures in rendered homepage or crawled pricing page HTML.

Might be okay if

Checkout links can be present before the product is live; verify the actual variant, fulfillment, and webhook flow in the dashboard.

Llms txt

llms-txt

Why this matters

llms.txt can give AI assistants a concise, canonical map of what the product is, where docs live, and which pages matter most.

Detection

Probes the site root for /llms.txt and checks whether the file responds with usable content.

Might be okay if

This is still an emerging convention, but it is a simple discoverability upgrade for developer-facing products.

Meta keywords

meta-keywords

Why this matters

Meta keywords are obsolete for modern search and can leak keyword strategy without improving ranking or discoverability.

Detection

Scans rendered HTML for a meta keywords tag on the homepage.

Might be okay if

Legacy CMS templates may emit it automatically; removing it is usually cleaner than maintaining it.

MIME sniff header

mime-sniff-header

Why this matters

MIME sniffing protection helps browsers avoid treating files as executable content when the server sends an unexpected content type.

Detection

Checks for X-Content-Type-Options: nosniff on HTTPS responses.

Might be okay if

Some legacy asset pipelines omit this header; add it at the edge or framework middleware rather than per route.

Og site name

og-site-name

Why this matters

og:site_name gives link previews and AI summaries a clean product attribution instead of falling back to a raw domain.

Detection

When Open Graph tags are present, checks whether og:site_name is also declared.

Might be okay if

Some single-page brands rely on og:title alone, but site_name is useful when pages are shared out of context.

Og url match

og-url-match

Why this matters

A mismatched og:url can send shares, previews, and crawler attribution to the wrong canonical page.

Detection

Reads og:url from rendered HTML and compares its origin and path with the final scanned page URL.

Might be okay if

Campaign pages may intentionally canonicalize shares to a main landing page; the destination should be deliberate.

Paddle

paddle

Why this matters

Paddle can be merchant-of-record infrastructure, but real payments still need product setup, tax settings, webhook validation, and fulfillment tests.

Detection

Looks for Paddle checkout script, billing, or domain signatures in rendered homepage or crawled pricing page HTML.

Might be okay if

A docs link to Paddle can trigger detection if it includes Paddle checkout-like script names; verify the page actually loads checkout code.

Permissions policy header

permissions-policy-header

Why this matters

Permissions-Policy narrows browser capabilities such as camera, microphone, geolocation, and payment APIs before any injected code can ask for them.

Detection

Checks whether the HTTPS response includes a Permissions-Policy header.

Might be okay if

Apps that intentionally use device features should explicitly allow only the needed features and trusted origins.

Referrer header

referrer-header

Why this matters

Referrer-Policy prevents sensitive paths, query strings, and campaign data from leaking to third-party sites through the Referer header.

Detection

Checks whether the HTTPS response includes a Referrer-Policy header.

Might be okay if

Analytics-heavy sites may choose a less strict policy, but the choice should be deliberate and documented.
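
The six response-header checks in this catalog (hsts-header, clickjack-header, csp-header, mime-sniff-header, permissions-policy-header, referrer-header) evaluated together over one set of response headers, as an added example that is not Deploylint's own code. The function names, the pass/fail rules marked as assumptions in the comments, and both sample header sets are constructed for illustration.

```python
def parse_csp(value):
    """Return {directive: [sources]} for one Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # When a directive is repeated, only its first occurrence counts.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def hsts_max_age(value):
    """Return the max-age in seconds, or None when absent or malformed."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def audit_headers(raw_headers):
    """Map each header check id to 'pass', 'fail' or 'report-only'."""
    h = {k.lower(): v.strip() for k, v in raw_headers.items()}
    verdict = lambda ok: "pass" if ok else "fail"
    # Assumption: max-age=0 clears the browser's HSTS entry, so it fails.
    results = {"hsts-header": verdict(hsts_max_age(h.get("strict-transport-security", "")))}

    csp = parse_csp(h.get("content-security-policy", ""))
    if csp:
        results["csp-header"] = "pass"
    elif h.get("content-security-policy-report-only"):
        results["csp-header"] = "report-only"  # violations reported, not blocked
    else:
        results["csp-header"] = "fail"

    # Assumption: when frame-ancestors is present it decides the outcome and a
    # wildcard fails; otherwise only X-Frame-Options DENY / SAMEORIGIN pass.
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        framing_ok = "*" not in ancestors
    else:
        framing_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    results["clickjack-header"] = verdict(framing_ok)
    results["mime-sniff-header"] = verdict(h.get("x-content-type-options", "").lower() == "nosniff")
    results["permissions-policy-header"] = verdict(h.get("permissions-policy"))
    results["referrer-header"] = verdict(h.get("referrer-policy"))
    return results


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "strict-transport-security": "max-age=0",
    "content-security-policy-report-only": "default-src 'self'",
    "x-frame-options": "ALLOW-FROM https://partner.example",
    "x-content-type-options": "sniff",
}
```

The weak sample shows three headers that are present yet give no protection: an HSTS max-age of zero, a report-only CSP, and an X-Frame-Options value outside DENY and SAMEORIGIN.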

Semantic html

semantic-html

Why this matters

Semantic HTML gives crawlers, AI extractors, and assistive technology real structure instead of a wall of anonymous divs.

Detection

Counts semantic landmarks, sections, headings, and div-heavy markup patterns in rendered page HTML.

Might be okay if

Small pages with very little markup may not need many landmarks, but larger pages should expose meaningful structure.

Sitemap

sitemap

Why this matters

A sitemap helps crawlers discover important pages quickly and exposes broken published URLs before they waste crawl budget.

Detection

Fetches /sitemap.xml and, when available, samples listed URLs for reachability.

Might be okay if

Very small one-page sites can be discovered without a sitemap, but it is still a low-effort launch polish item.

Text ratio

text-ratio

Why this matters

Pages with almost no readable text in the HTML are harder for search engines and AI crawlers to understand before client JavaScript runs.

Detection

Compares visible text extracted from rendered HTML against total HTML bytes when the page is large enough to evaluate.

Might be okay if

Highly interactive apps may intentionally render little public content, but marketing pages should server-render the core pitch.

Title brand dupe

title-brand-dupe

Why this matters

Repeating the same brand phrase around separators wastes limited title space and weakens the search-result pitch.

Detection

Splits the page title on common separators and warns when every segment repeats the same text.

Might be okay if

Some brand systems intentionally repeat names, but search titles should usually spend characters on the product category or benefit.

Web manifest

web-manifest

Why this matters

A web app manifest is a small polish signal for mobile installability, app icons, theme color, and a product that feels finished.

Detection

Checks for a <link rel="manifest"> tag in the rendered homepage HTML.

Might be okay if

Pure documentation or API-only sites may not need installability, but most app launches benefit from the polish.