Help Centre

Frequently Asked Questions

Everything you need to know about AuditAI.

General

What is AuditAI?

AuditAI is a free AI-powered website audit tool that scans any URL or code snippet for SEO issues, security vulnerabilities, performance problems, and compliance gaps (GDPR, CCPA, DPDP India). You get a full report with AI-generated fixes in under 30 seconds — no signup required.

Do I need to create an account to use AuditAI?

No. You can scan any website completely free without signing up. Create a free account to save your scan history, track improvements over time, and access your personal dashboard.

What types of websites can I audit?

Any publicly accessible website — SaaS products, e-commerce stores, blogs, portfolios, landing pages, and more. You can also paste raw HTML or code directly into the code audit tool.

How long does a scan take?

Most scans complete in 15–30 seconds. Complex or slow-loading websites may take up to 60 seconds.

Is AuditAI free?

Yes — the core audit is completely free with no signup required. Paid plans (from $1.99 one-time or $15/mo) unlock PDF exports, unlimited scans, white-label reports, and more.

What AuditAI Checks

What SEO issues does AuditAI detect?

AuditAI checks title tags, meta descriptions, heading structure (H1–H6), canonical URLs, Open Graph tags, Twitter card tags, keyword density, internal linking, image alt text, robots meta, sitemap presence, and structured data (JSON-LD). Each issue comes with an AI-generated fix.

What security vulnerabilities does AuditAI find?

AuditAI checks for missing or misconfigured HTTP security headers including Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It also detects client-side API key leaks. The Advanced Security Analysis layer adds Email Security (SPF/DKIM/DMARC/BIMI/MTA-STS/TLS-RPT), DNS Security (DNSSEC/CAA/dangling CNAMEs), AI endpoint exposure, API surface exposure (.env files, Swagger, GraphQL, debug endpoints), and breach intelligence signals.

What is Advanced Security Analysis and what does it check?

Advanced Security Analysis is AuditAI's comprehensive deep security layer that runs automatically after the main scan. It covers 6 modules:

(1) Email Security — SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, and MX records via DNS-over-HTTPS;
(2) DNS Security — DNSSEC, CAA records, nameserver redundancy, SOA validation, and subdomain takeover detection;
(3) AI Security — passive detection of AI API endpoint exposure (14 providers), system prompt leakage, and client-side AI SDK usage;
(4) API Exposure — active HTTP probing for exposed .env files, .git repositories, Swagger/OpenAPI specs, GraphQL interfaces, and database admin tools;
(5) Breach Intelligence — passive compromise signal analysis including defacement markers, injected JS patterns, and suspicious HTTP headers;
(6) Secret Detection — 30+ credential patterns covering OpenAI, Anthropic, AWS, Azure, Stripe, GitHub, Slack, Twilio, JWT tokens, database connection strings, and PEM keys.

Every finding includes an evidence label, confidence score, and OWASP/CWE/NIST CSF/MITRE ATT&CK standards mapping.

Does AuditAI check email security (SPF, DKIM, DMARC)?

Yes — Advanced Security Analysis checks SPF (with policy analysis — hard fail vs soft fail vs pass-all), DMARC (with policy enforcement level — none/quarantine/reject), DKIM (across 13 common selectors), MX records, BIMI, MTA-STS, and TLS-RPT. These records are checked via Cloudflare DNS-over-HTTPS, so no additional API key or sign-up is required. Results appear in the Advanced Security Analysis section below your main scan results.
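
The SPF and DMARC policy levels named above can be read straight from the TXT records. The sketch below is an added example, not AuditAI's own code; the function names, result labels and sample records are assumptions, and it goes slightly beyond the answer by also handling the neutral qualifier, `redirect=`, and duplicate records.

```python
# Added example: classify SPF and DMARC TXT records by enforcement level.
# Function names and result labels are this example's own assumptions.

def classify_spf(txt):
    """Label one TXT string by its SPF 'all' qualifier; None if not SPF."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    labels = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass-all"}
    has_redirect = False
    for term in terms[1:]:
        low = term.lower()
        # A mechanism with no qualifier defaults to "+" (pass).
        qualifier, mech = (low[0], low[1:]) if low[0] in labels else ("+", low)
        if mech == "all":
            return labels[qualifier]  # terms after "all" are never evaluated
        if low.startswith("redirect="):
            has_redirect = True
    return "redirect" if has_redirect else "no all mechanism"


def classify_dmarc(txt):
    """Return the p= policy of one TXT string; None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    policy = tags.get("p")
    return policy if policy in ("none", "quarantine", "reject") else "invalid"


def _single(found):
    # Multiple records are an error: SPF yields permerror, DMARC is not applied.
    if not found:
        return "missing"
    return found[0] if len(found) == 1 else "invalid: multiple records"


def assess(apex_txt, dmarc_txt):
    """Summarise a domain from its apex and _dmarc TXT record lists."""
    spf = [r for r in map(classify_spf, apex_txt) if r]
    dmarc = [r for r in map(classify_dmarc, dmarc_txt) if r]
    return {"spf": _single(spf), "dmarc": _single(dmarc)}


# Constructed sample records for example.com (not real DNS data).
APEX = ["google-site-verification=abc123", "v=spf1 include:_spf.example.net ~all"]
DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
```

A domain that reports soft fail for SPF and `none` for DMARC, as the sample does, publishes records but asks receivers to enforce nothing.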

Can AuditAI detect exposed .env files and API keys?

Yes. The API Exposure module probes for exposed .env, .env.local, and .env.production files, .git repository metadata, Swagger/OpenAPI specifications, GraphiQL interfaces, phpinfo.php, phpMyAdmin, Adminer, and debug endpoints. The Secret Detection module scans client-side JavaScript for 30+ credential patterns. When something is found, the finding is marked 'Verified' with an HTTP 200 confirmation. Note: AuditAI performs passive scanning only — it never attempts authentication bypass or exploitation.

Does AuditAI check GDPR compliance?

Yes. AuditAI checks for a visible cookie consent mechanism, privacy policy link, HTTPS enforcement, absence of exposed personal data, and proper data handling signals. It also checks for CCPA and DPDP India compliance indicators.

What performance metrics does AuditAI measure?

AuditAI audits Core Web Vitals signals (LCP, CLS, INP), page load indicators, render-blocking resources, image optimisation, unminified CSS/JS, and missing performance headers like Cache-Control.

Does AuditAI detect AI-generated content?

Yes. AuditAI includes an AI Content Authenticity score that estimates the likelihood of AI-generated text on the page. This is useful for publishers, SEOs, and site owners who want to understand their content profile.

Can AuditAI audit code I paste in — not just live URLs?

Yes. Switch to Code Audit mode and paste any HTML, JavaScript, or CSS. AuditAI analyses the code directly, which is useful for reviewing changes before deploying them live.

What does the Code Audit check?

The Code Audit analyses pasted JavaScript, TypeScript, or React code for four categories: Logic Gaps (async functions with no error handling around fetch/API calls), Performance Bloat (heavy libraries like moment.js or lodash, inefficient loop patterns, zombie/dead code), Data Leaks (hardcoded API keys, passwords, or sensitive values in source), and Compliance Signals (localStorage storing PII without consent, geolocation access without permission, forms missing a privacy notice, cookies set without a consent banner). Every finding includes an AI-generated fix prompt.

What is the AI CTO Summary?

After each URL scan, AuditAI generates an AI CTO Executive Summary — a plain-English verdict on your site's health written from a technical leadership perspective. It includes the top 3–5 prioritised actions, an estimated fix time, and a content authenticity verdict. The summary is generated using Groq (llama-3.1-8b-instant) with Anthropic Claude as a fallback, and is included in your PDF export.

Pricing & Plans

What are the paid plans?

There are three plans: One-Time Audit ($1.99) for a single session, Pro ($15/mo or $120/yr) for unlimited scans, PDF exports, white-label reports, and scam detection, and Agency ($49/mo or $390/yr) for multi-client management and team features. Indian users are shown live INR pricing at checkout.

What is scam detection?

Scam detection analyzes websites for phishing, malware, fraudulent payment processors, credential harvesting, and social engineering tactics. It uses threat intelligence APIs (Google Safe Browsing, VirusTotal, URLhaus, PhishTank) combined with heuristic analysis to provide a risk score (0-100) and specific red flags with recommendations.

Which plans include scam detection?

Scam detection is included in Pro and Agency plans. Free users and Starter plan users cannot access scam detection. Upgrade to Pro to scan unlimited URLs for scams, or Agency for bulk scans of up to 10 URLs at once.

How does scam detection work?

Scam detection combines multiple threat intelligence sources with local heuristic analysis: SSL certificate validation, form detection for payment/login forms, domain reputation checks, payment gateway verification, suspicious content keyword scanning, external link analysis, and design quality assessment. Results are aggregated into a single risk score (0-100) showing the likelihood of the website being a scam.

Is there an India-specific price?

Yes. AuditAI automatically detects Indian users and shows INR pricing based on the live USD/INR exchange rate. Payments are processed via Razorpay (UPI, cards, net banking, wallets).

Can I cancel my subscription anytime?

Yes. There are no contracts or lock-in periods. Cancel anytime from your dashboard and you will not be charged again.

Do you offer refunds?

Yes. We offer a 7-day money-back guarantee on all paid plans. Contact us within 7 days of purchase if you are not satisfied.

What payment methods do you accept?

For Indian users: UPI, cards, net banking, and wallets via Razorpay. For international users: credit/debit cards and major payment methods via Stripe.

Privacy & Security

Does AuditAI store the websites I scan?

AuditAI stores the URL, overall score, and issue count for analytics and your scan history. The full page content is processed in memory and not stored. You can delete your account and all associated data at any time.

Is AuditAI itself GDPR compliant?

Yes. AuditAI complies with GDPR, CCPA, and DPDP India. We do not sell your data, we collect only what is necessary, and we provide full data deletion on request. Our privacy policy is available at auditai.fyi/privacy.

Does AuditAI use my scans to train AI models?

No. Your scans are never used to train AI models. The AI-generated fix suggestions are produced using third-party APIs (Anthropic Claude) and are not stored or used for model training.

Is my website safe when I scan it?

Yes. AuditAI makes read-only HTTP requests to fetch your page — the same thing a browser does. It does not attempt to log in, submit forms, or modify anything on your website.

Trust Badge & Verification

What is the AuditAI Trust Badge?

The Trust Badge is a publicly verifiable certificate showing that your website passed an AuditAI audit with a score of 80 or above. It includes a live verification page at auditai.fyi/verify/[id] showing your scores across SEO, security, and performance.

How do I get a Trust Badge for my website?

Run a free audit at auditai.fyi/audit. If your site scores 80 or above, you will automatically receive a Trust Badge. The badge links to a public verification certificate at auditai.fyi/verify/[id] where visitors can see your live SEO, security, and performance scores.

How long does the Trust Badge last?

Trust Badges are valid for 90 days from the date of issue. Re-run your audit to renew the badge and show visitors your latest score.

SEO, Security & Compliance

Does AuditAI check security headers like HSTS, CSP, and X-Frame-Options?

Yes. AuditAI's free website security audit checks 13+ HTTP security headers including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy. You get a security score with AI-generated fixes — no login required.

Can I check if my website is GDPR, CCPA, and DPDP compliant for free?

Yes — AuditAI is one of the only free compliance checker tools that covers all three frameworks in a single website audit: GDPR (EU), CCPA (California), and India's DPDP Act. It checks cookie consent banners, privacy policy links, HTTPS enforcement, and third-party data exposure risks. No email address or signup required to get results.

Does AuditAI measure Core Web Vitals (LCP, CLS, INP)?

Yes. Every scan measures Largest Contentful Paint (LCP), Cumulative Layout Shift (CLS), and Interaction to Next Paint (INP) — Google's Core Web Vitals metrics. AuditAI shows whether your LCP score, CLS score, and INP score pass or fail Google's recommended thresholds and provides AI-generated suggestions to improve each metric.

Is there a website audit tool that checks SEO and security together?

AuditAI is one of the only free tools combining SEO audit, security header check, Core Web Vitals measurement, and GDPR/CCPA/DPDP compliance in a single scan — no account needed. Most tools only cover one aspect. AuditAI gives you a complete website health report in under 30 seconds.

How do I check if my website is GDPR compliant?

Run a free website audit at auditai.fyi — no login required. AuditAI scans your site for a visible cookie consent mechanism, privacy policy link, HTTPS enforcement, absence of exposed PII, and proper handling of third-party scripts. You get a compliance pass/fail with specific fixes in under 30 seconds.

What is the best free website audit tool with no login required?

AuditAI (auditai.fyi) offers a completely free website audit — no login, no email, no credit card. You get SEO analysis, security header checks, Core Web Vitals (LCP, CLS, INP), and GDPR/CCPA/DPDP compliance in one scan with AI-generated fixes. It's one of the few free tools that combines all four audit types.

Technical

Why can't AuditAI scan my website?

Some websites block automated requests via robots.txt, Cloudflare challenges, or IP restrictions. AuditAI respects robots.txt and cannot bypass bot protection. If your site is behind a login wall or a CDN that blocks crawlers, the scan may fail.

Does AuditAI work on single-page apps (SPAs)?

AuditAI fetches the initial HTML response, so for SPAs (React, Vue, Angular) that render content client-side, it analyses the server-rendered HTML. If your SPA uses SSR or SSG, results will be accurate. Pure client-rendered SPAs with no pre-rendered content will show limited SEO data.

Can I use AuditAI via API?

Yes. API access is available on the Agency plan. You can generate API keys from your dashboard to integrate AuditAI scans into your own tools, workflows, and client reports.

What is the scan rate limit?

Guest users (no account) can run 6 scans per hour. Free account users can run 10 scans per hour. Pro and Agency users have unlimited scans.

How many pages does AuditAI scan per audit?

The number of pages scanned per audit depends on your plan. Free (no account): 1 page (the URL you enter). Starter: up to 5 pages via sitemap discovery. Pro: up to 25 pages. Agency: up to 50 pages. Additional pages are discovered automatically from the site's sitemap and crawled in the same audit run, giving you a site-wide health score rather than a single-page snapshot.
