/ / d / shopify.com
shopify.com
64 / 100
overall · band: medium
Categories
Security52/ 100 · 9 measured
Performance60/ 100 · 9 measured
SEO38/ 100 · 8 measured
AI-readiness66/ 100 · 4 measured
Privacy55/ 100 · 6 measured
Accessibility80/ 100 · 6 measured
Brand presence49/ 100 · 17 measured
Email health75/ 100 · 16 measured
Site facts
- Snapshot date
- 2026-04-26
- Factors scored
- 75 / 86
- Composite score
- 64/100
- Method version
- v0.1 — 2026-04-25
Security· 52/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | fail | 35 | security_headers_score=35, missing=Content-Security-Policy|X-Frame-Options|Referrer-Policy|Permissions-Policy|X-XSS-Protection |
| 5 | SSL certificate validity & expiration window | n/a | — | Scoring not yet implemented |
| 6 | WordPress REST API user enumeration exposure | pass | 100 | not_wordpress |
| 7 | Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php) | pass | 100 | total_checked=6 |
| 22 | DNSSEC validation | fail | 0 | ds_present=false, ad_bit=false |
| 23 | CAA records | fail | 0 | has_issue=false, has_iodef=false |
| 26 | HSTS preload list inclusion | fail | 30 | hsts_header=max-age=15552000; includeSubDomains; preload, preload_status=rejected |
| 27 | TLS minimum version & cipher suite quality | pass | 100 | status=READY, worst=A |
| 28 | Subdomain takeover surface | pass | 100 | findings={"subdomain":"api.shopify.com","cname":"cname.shopify.com.","dangling":false}|{"subdomain":"app.shopify.com","cname":"core-misc.tm.shopifysvc.com.","dangling":false}|{"subdomain":"mail.shopify.com","cname":"ghs.googlehosted.com.","dangling"… |
| 29 | Spam / phishing blocklist presence | fail | 0 | listed=true, response_code=0, answers=127.255.255.254 |
Performance· 60/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 8 | Mobile PageSpeed score + Core Web Vitals (LCP, FCP, CLS) | warn | 51 | performance_score=42, lcp_ms=5881.503209609646, cls=0.023876, components={"perf":42,"lcp":30,"cls":100} |
| 9 | HTTP/2 support | pass | 100 | perf_http2=true |
| 10 | Compression (Brotli / gzip) | pass | 100 | perf_compression=br |
| 30 | HTTP/3 support | fail | 0 | supports_h3=false |
| 31 | IPv6 support | fail | 0 | aaaa_count=0 |
| 32 | Image optimization (WebP/AVIF) | warn | 70 | id=image-delivery-insight, lighthouse_score=0.5, displayValue=Est savings of 91 KiB |
| 33 | Desktop PageSpeed score | n/a | — | Scoring not yet implemented |
| 34 | Core Web Vitals from CrUX (Real User Monitoring) | n/a | — | Scoring not yet implemented |
| 35 | Lazy loading on below-fold images | fail | 40 | id=image-delivery-insight, lighthouse_score=0.5, displayValue=Est savings of 91 KiB |
| 36 | Font loading strategy (FOUT/FOIT/swap) | pass | 100 | id=font-display-insight, lighthouse_score=1 |
| 37 | Total homepage byte weight | pass | 80 | html_bytes=513376, subresource_bytes=0, total_bytes=513376, total_kb=501, sampled=0, total_refs=0 |
| 38 | Largest unused JavaScript bundle | n/a | — | Scoring not yet implemented |
SEO· 38/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 11 | Title, meta description, OG, Twitter cards, canonical | pass | 100 | title=true, description=true, og=true, twitter=true, canonical=true |
| 12 | Schema.org structured data presence | fail | 0 | structured_data_absent |
| 13 | H1 tag presence | fail | 0 | h1_count=0 |
| 14 | Sitemap.xml + robots.txt presence | pass | 100 | has_robots_txt=true, has_sitemap=true |
| 39 | Schema.org type validity (parsed JSON-LD) | n/a | — | Scoring not yet implemented |
| 40 | Breadcrumb schema | fail | 0 | present=false |
| 41 | FAQ / HowTo schema (where applicable) | n/a | — | n/a — not_applicable |
| 42 | hreflang for multi-language sites | fail | 0 | html_lang=en, languages_seen=en|ar|bg|fi|fr|de|hu|id|it|nl|no|pl|pt|ro|th|tr|uk|es|zh, alternates=0 |
| 43 | Internal link depth (clicks from homepage to deepest content) | pass | 100 | max_depth=1, pages_fetched=50, pages_seen=247, capped_at=50 |
| 61 | Better Business Bureau accreditation | fail | 0 | no_link_on_site |
AI-readiness· 66/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 15 | llms.txt presence | pass | 100 | has_llms_txt=true, size_bytes=861 |
| 16 | AI crawler robots.txt directives | pass | 100 | robots_ai_blocked_count=0 |
| 44 | AI plugin manifest (.well-known/ai-plugin.json) | fail | 0 | status=404 |
| 45 | JSON-LD richness score for LLMs | warn | 62 | org_complete=true, has_address=false, has_contact_point=true, has_same_as=true, has_content_type=false, breakdown={"coreOrg":25,"contact":12,"sameAs":25,"contentType":0} |
Privacy· 55/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 46 | Cookie banner presence + CMP detection | warn | 50 | banner_detected=true |
| 47 | Privacy policy page presence | pass | 100 | found=true, href=/legal/privacy, text=Privacy Policy |
| 48 | Terms of service page presence | pass | 100 | found=true, href=/legal/terms, text=Terms of Service |
| 49 | Third-party tracker count | pass | 80 | count=1, hosts=googletagmanager.com |
| 50 | CCPA "Do Not Sell or Share My Personal Information" link | fail | 0 | found=false |
| 51 | Cookie scan — actual cookies set on first load | fail | 0 | count=3, names=_shopify_essential_|_shopify_s|_shopify_y, with_cmp=false |
Accessibility· 80/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 52 | Accessibility statement page | fail | 0 | found=false |
| 53 | axe-core / WAVE accessibility scan | pass | 90 | accessibility_category=0.9 |
| 54 | Image alt text coverage | pass | 100 | lighthouse_score=1, failing_count=0 |
| 55 | Heading hierarchy validity | pass | 100 | lighthouse_score=1 |
| 56 | Color contrast (WCAG AA) | pass | 100 | lighthouse_score=1, failing_count=0 |
| 57 | ARIA labels presence and validity | pass | 92 | total_aria_audits=22, applicable=12, passing=11, failing=aria-prohibited-attr |
| 58 | Skip-to-content link | n/a | — | Scoring not yet implemented |
Brand presence· 49/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 17 | Domain age (RDAP / WHOIS) | pass | 100 | domain_age_years=21.1 |
| 18 | Wayback Machine site age & last snapshot | n/a | — | Scoring not yet implemented |
| 19 | Google Business Profile presence + rating | fail | 0 | found=false |
| 20 | News mentions in last 30 days | pass | 85 | news_mentions_count=20 |
| 21 | Wikipedia entity | pass | 100 | found=true, title=Shopify, url=https://en.wikipedia.org/wiki/Shopify |
| 59 | Yelp presence + rating + review count | fail | 0 | no_link_on_site |
| 60 | Trustpilot presence + rating | fail | 0 | no_link_on_site |
| 62 | LinkedIn Company Page (presence + employee count + follower count) | pass | 100 | url=https://www.linkedin.com/company/shopify |
| 63 | Bing Places | n/a | — | n/a — no_public_url_convention |
| 64 | Apple Maps presence (Apple Business Connect) | fail | 0 | no_link_on_site |
| 65 | Facebook Page presence | pass | 100 | url=https://www.facebook.com/shopify, live=true |
| 66 | Instagram presence (link from site → IG profile) | pass | 100 | url=https://www.instagram.com/shopify/ |
| 67 | Web App Manifest (manifest.json) | n/a | — | Scoring not yet implemented |
| 68 | Service Worker / PWA capability | n/a | — | Scoring not yet implemented |
| 69 | Analytics tools detected | fail | 0 | count=0 |
| 70 | Payment processors detected | pass | 100 | tools=Shopify Pay, count=1 |
| 71 | Marketing automation tools detected | fail | 0 | count=0 |
| 72 | Customer support tools detected | fail | 0 | count=0 |
| 73 | Tag manager presence | warn | 50 | count=0 |
| 74 | Ad networks detected | pass | 100 | count=0 |
| 83 | Visible contact form on site | fail | 0 | detected=false, count=0 |
Email health· 75/100
| # | Factor | Verdict | Score | Evidence |
|---|---|---|---|---|
| 1 | DMARC enforcement | pass | 100 | present=true, policy=reject |
| 2 | DKIM signing | pass | 100 | present=true, selector=google, source=doh_probe |
| 3 | SPF record present and valid | pass | 100 | present=true, raw="v=spf1 include:_spf.google.com include:mail.zendesk.com include:sendgrid.net ~all", qualifier=softfail |
| 24 | MTA-STS & TLS-RPT | fail | 0 | policy_ok=false |
| 25 | BIMI + VMC | pass | 100 | record=v=BIMI1; l=https://vmc.digicert.com/8833b699-1227-41ee-b185-cc2d9a08e213.svg; a=https://vmc.digicert.com/8833b699-1227-41ee-b185-cc2d9a08e213.pem;, logo_url=https://vmc.digicert.com/8833b699-1227-41ee-b185-cc2d9a08e213.svg, vmc_url=https://vm… |
| 75 | Branded domain email address (vs free Gmail/Yahoo) | pass | 100 | branded=true, provider=google |
| 76 | Email provider class (Workspace / 365 / Zoho / self-hosted / shared) | pass | 100 | provider=google |
| 77 | DMARC aggregate reporting enabled (rua=) | pass | 100 | has_dmarc_reporting=true, audit_flag=true, derived_from_raw=true, source=derived_from_raw, dmarc_raw="v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:dmarc-aggregate@shopify.com;ruf=mailto:dmarc-reports@shopify.com" |
| 78 | Free-email exposure on contact page (gmail/yahoo/outlook visible) | pass | 100 | Scored |
| 79 | Newsletter signup form detected | fail | 0 | detected=false |
| 80 | Email Service Provider (ESP) detected | fail | 0 | Scored |
| 81 | Transactional email provider detected (from SPF includes) | pass | 100 | providers=Zendesk|SendGrid |
| 82 | SPF lookup count (10-limit deliverability check) | pass | 100 | lookups=4, limit=10 |
| 84 | Mailto: direct contact link present | fail | 0 | Scored |
| 85 | Email forwarding service detected (improvmx, forwardemail, etc.) | pass | 100 | hosts=aspmx.l.google.com|alt3.aspmx.l.google.com|alt4.aspmx.l.google.com|alt1.aspmx.l.google.com|alt2.aspmx.l.google.com, provider=Google Workspace, kind=branded |
| 86 | Lead magnet / signup incentive detected (free download, ebook, etc.) | pass | 100 | detected=true, sample=downloadApp.androidAlt\",\"Get the Shopify app on Google Play\",\"downloadApp.androidUrl\",\"{{site, url(path: '/install |
Scores are computed under method v0.1 — 2026-04-25. See the methodology for the full factor list and per-factor specifications.