We’ve now scanned a lot of AI-built sites — Lovable, v0, Bolt, Cursor-shipped Next.js, plain Vercel deploys, Replit-deployed apps. The patterns are consistent enough to be useful.
What they almost always pass
- HTTPS / TLS — every modern hosting platform issues a valid cert by default. TLS 1.3, A grade, ample expiry.
- HTTPS everywhere — same reason. Vercel, Netlify, Cloudflare Pages all force HTTPS.
- No mixed content — modern frameworks discourage http:// URLs at build time.
- Cookie flags — Next.js and similar set Secure + HttpOnly + SameSite by default for session cookies.
If you’re on a modern PaaS, you can essentially ignore these — they’re handled.
What they almost always fail
Security headers (CSP, HSTS, Permissions-Policy)
The default Next.js / Remix / SvelteKit ship doesn’t set these. Most AI-built sites have 0 or 1 of the 6 we check. That’s a free 20-point security gain — every header is one line of config in vercel.json or netlify.toml or next.config.js.
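As an added example (not code from the Site Check post or from any of the frameworks it names), here is the header set expressed as a Next.js `headers()` config, with the same object reusable for `vercel.json`, plus a small checker that reports which of the six a response is missing. The post names only CSP, HSTS and Permissions-Policy; the other three in this block (X-Content-Type-Options, X-Frame-Options, Referrer-Policy) are an assumption about which six are checked, and the sample response headers are constructed.

```javascript
// Added example, not from the post. The list of six is an assumption: the post
// names CSP, HSTS and Permissions-Policy; the remaining three are the usual companions.
const SECURITY_HEADERS = [
  // Start strict and add one exception per third-party script you decide to keep.
  { key: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" },
  // Two years, covering subdomains. Add "preload" only once every subdomain serves HTTPS.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  // Deny browser features the site does not use.
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
];

// Shape returned by `async headers()` in next.config.js: apply the set to every route.
function nextHeaders() {
  return [{ source: '/(.*)', headers: SECURITY_HEADERS }];
}

// Same content in the shape vercel.json expects under its "headers" key.
function vercelHeaders() {
  return { headers: [{ source: '/(.*)', headers: SECURITY_HEADERS }] };
}

// Given a response's headers (name -> value, any letter case), return the names
// from the set of six that are absent. Header names are case-insensitive.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return SECURITY_HEADERS.map((h) => h.key).filter((k) => !present.has(k.toLowerCase()));
}

// Constructed sample: a deploy that sets HSTS and nothing else from the list.
const DEFAULT_DEPLOY_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'cache-control': 'public, max-age=0, must-revalidate',
  'strict-transport-security': 'max-age=63072000',
};

console.log('Missing:', missingSecurityHeaders(DEFAULT_DEPLOY_HEADERS));
```

The CSP shown is the tightest starting point; every analytics or support widget the site keeps becomes an explicit `script-src` (and usually `connect-src`) entry, which is why the tracker audit further down matters for this header.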
DNS hygiene (SPF, DMARC, CAA)
If you bought a domain and pointed it at Vercel, you have zero email DNS records. Anyone can spoof emails from your domain. Five minutes in your DNS provider; we have a fix-prompt template that gives Cursor / Claude exactly the records to add.
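As an added example (not the post's fix-prompt template and not Site Check code), the block below writes out the three records and audits a domain's existing ones the way a scanner would: SPF present exactly once and ending in a hard fail, DMARC present with an enforcing policy, and at least one CAA `issue` record. One detail worth knowing when you add them: SPF and DMARC are TXT records, but CAA is its own DNS record type, so it goes in as a CAA record at your provider. The audit takes plain arrays so it runs offline on constructed input; in Node you would feed it the results of `dns.promises.resolveTxt` and `dns.promises.resolveCaa`. Domain, mailbox and CA names are placeholders.

```javascript
// Added example, not from the post. Domain, mailbox and CA are placeholders.
function recommendedDnsRecords(domain, reportMailbox, caIssuer) {
  return [
    // A site with no mail sender yet: authorise nobody and hard-fail the rest.
    // If a mailer is in use, add its include: mechanism before -all.
    { name: domain, type: 'TXT', value: 'v=spf1 -all' },
    // Reject unauthenticated mail and collect aggregate reports.
    { name: `_dmarc.${domain}`, type: 'TXT', value: `v=DMARC1; p=reject; rua=mailto:${reportMailbox}` },
    // CAA is a distinct record type, not TXT: only the named CA may issue certificates.
    { name: domain, type: 'CAA', value: `0 issue "${caIssuer}"` },
  ];
}

// "v=DMARC1; p=none; rua=mailto:x" -> { v: 'DMARC1', p: 'none', rua: 'mailto:x' }
function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return tags;
}

// records = { txt: [apex TXT strings], dmarcTxt: [_dmarc TXT strings], caa: [{ flags, tag, value }] }
// Returns human-readable findings; an empty array means all three are in place.
function auditEmailDns(records) {
  const findings = [];

  const spf = records.txt.filter((r) => r.startsWith('v=spf1'));
  if (spf.length === 0) findings.push('SPF: no v=spf1 record; any host can claim to send as this domain');
  else if (spf.length > 1) findings.push('SPF: more than one v=spf1 record is a permanent error; merge them');
  else if (!/ -all$/.test(spf[0])) findings.push('SPF: record does not end in -all, so failures are only soft');

  const dmarc = records.dmarcTxt.filter((r) => r.startsWith('v=DMARC1'));
  if (dmarc.length === 0) findings.push('DMARC: no _dmarc record; receivers cannot enforce alignment');
  else {
    const p = parseDmarc(dmarc[0]).p;
    if (p !== 'reject' && p !== 'quarantine') findings.push(`DMARC: p=${p} only monitors; spoofed mail is still delivered`);
  }

  if (!records.caa.some((r) => r.tag === 'issue' || r.tag === 'issuewild')) {
    findings.push('CAA: no issue record; any public CA may issue for this domain');
  }
  return findings;
}

// Constructed sample: a freshly bought domain pointed at a PaaS, nothing else configured.
const FRESH_DOMAIN = { txt: [], dmarcTxt: [], caa: [] };
// Constructed sample: records added but left in monitoring mode, no CAA.
const HALF_DONE = {
  txt: ['v=spf1 include:_spf.mailer.example.invalid ~all'],
  dmarcTxt: ['v=DMARC1; p=none; rua=mailto:dmarc@example.invalid'],
  caa: [],
};

console.log(recommendedDnsRecords('example.invalid', 'dmarc@example.invalid', 'ca.example.invalid'));
console.log(auditEmailDns(FRESH_DOMAIN));
```

The `HALF_DONE` sample is the common intermediate state: SPF with `~all` and DMARC `p=none` are what most guides start you on, and both still let spoofed mail through until tightened.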
Tracker count
AI-built sites pull in 5–15 third-party scripts by default — analytics, error tracking, A/B test framework, support widget. Each one is a privacy hop and a CSP exception. Audit and prune.
security.txt
Almost nobody has one. Two-minute fix; lets researchers report issues without going through a help desk.
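As an added example (not the post's own template), the block below generates a minimal `/.well-known/security.txt` with a `mailto:` contact and an ISO 8601 expiry, and validates one the way a scanner would: `Contact` and `Expires` present, `Expires` appearing once, parseable, and still in the future. The mailbox is a placeholder and the dates in the usage are constructed.

```javascript
// Added example, not from the post. Mailbox is a placeholder.
function buildSecurityTxt(contactEmail, validForDays, now = new Date()) {
  // Expires is required and must be an ISO 8601 timestamp; renew before it lapses.
  const expires = new Date(now.getTime() + validForDays * 86400000);
  return [
    `Contact: mailto:${contactEmail}`,
    `Expires: ${expires.toISOString()}`,
    'Preferred-Languages: en',
  ].join('\n') + '\n';
}

// Returns a list of problems; empty means the file would pass a basic check.
function validateSecurityTxt(text, now = new Date()) {
  const problems = [];
  const fields = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue; // blank lines and comments
    const i = line.indexOf(':'); // first colon separates the field name from its value
    if (i === -1) { problems.push(`malformed line: ${line}`); continue; }
    const name = line.slice(0, i).toLowerCase();
    (fields[name] = fields[name] || []).push(line.slice(i + 1).trim());
  }
  if (!fields.contact) problems.push('missing Contact');
  if (!fields.expires) problems.push('missing Expires');
  else if (fields.expires.length > 1) problems.push('Expires must appear exactly once');
  else {
    const t = Date.parse(fields.expires[0]);
    if (Number.isNaN(t)) problems.push('Expires is not an ISO 8601 date');
    else if (t <= now.getTime()) problems.push('security.txt has expired');
  }
  return problems;
}

// Constructed usage: issue a file valid for one year and check it.
const issuedAt = new Date('2025-01-01T00:00:00Z');
const securityTxt = buildSecurityTxt('security@example.invalid', 365, issuedAt);
console.log(securityTxt);
console.log('problems:', validateSecurityTxt(securityTxt, issuedAt));
```

The expiry check is the part most sites get wrong later: a file that validated when shipped starts failing the day after `Expires`, so put the renewal on a calendar when you publish it.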
The three changes that move the score most
If you’re trying to get from a 60 to an 85 in an afternoon:
- Set the 6 security headers at the edge (Vercel vercel.json, Cloudflare Transform Rules, Netlify _headers). Single config block. +15–20 points.
- Add SPF + DMARC + CAA at your DNS provider. Three TXT records. +5–10 points.
- Publish /.well-known/security.txt with a contact email + ISO expiry. Trivial. +3–5 points.
Total time: under an hour. Total point gain: typically 25–35.
How to actually do it
When Site Check finds a missing header or DNS record, click “Copy fix prompt for your AI tool” on the row. The prompt includes:
- The specific finding
- Your detected stack (Vercel, Netlify, Cloudflare Pages, etc.)
- The exact change needed
- A reminder to whitelist contexta.uk so the re-test isn’t blocked
Paste into Cursor / Claude / Lovable, ship the change, click “Re-test — £10” to verify. The £10 retest is a discount on a re-run after a fix, so you can chain fix-cycles cheaply.
The bigger picture
AI-built sites are easier to get to a 60-score baseline than ever. Getting from 60 to 90 is the same work it always was — just done in 30 minutes per finding instead of 30 minutes per bug-bash with a developer.
For category-specific patterns, see the General Community board.