Watchvault.us is fully crawlable and fully indexable. Cloudflare sits in front of Shopify but the WAF is not challenging legitimate traffic; all major search and AI bots reach the origin. Sitemap structure is clean and split correctly. The score is held back almost entirely by transport-layer security gaps (HSTS too short for preload, HTTP/3 explicitly disabled, Content Security Policy that's a skeleton, three missing best-practice headers) plus a Shopify quirk that makes <lastmod> values worthless for crawl prioritization.

Crawler Accessibility

Verified by direct user-agent fetch. All bots return HTTP 200 with full HTML body.

| Bot | User-agent fragment | Result | Notes |
|---|---|---|---|
| Googlebot | Googlebot/2.1 | 200 | 869 KB HTML; full SSR |
| Bingbot | bingbot/2.0 | 200 | |
| GPTBot | GPTBot/1.0 | 200 | OpenAI training crawler |
| ClaudeBot | ClaudeBot/1.0 | 200 | Anthropic crawler |
| PerplexityBot | PerplexityBot/1.0 | 200 | |
| ChatGPT-User | ChatGPT-User/1.0 | 200 | Live ChatGPT browsing UA |

All AI crawlers permitted
No bot-specific blocks in robots.txt; no Cloudflare bot-fight challenges issued during the test crawl.

robots.txt — Standard Shopify Boilerplate

No issues blocking critical content. The full file repeats the same disallow set under User-agent: *, adsbot-google, AhrefsBot, AhrefsSiteAudit, plus partial blocks for MJ12bot, Pinterest, and a full block on Nutch.

Notable disallows
  • /policies/ — suppresses Privacy / Refund / Terms / Shipping policies from indexation. Shopify default; defensible but not optimal for $5k–$25k purchase decisions where buyers Google policies before checkout.
  • /search, /cart, /account, /checkouts/, /56346738754/checkouts blocked — correct.
  • /collections/*sort_by*, +, %2B, %2b permutations blocked — prevents faceted-URL bloat.
  • AhrefsBot + AhrefsSiteAudit explicitly allowed with Crawl-delay: 10.
  • Single sitemap declaration: https://watchvault.us/sitemap.xml (repeated under each UA group).

Sitemaps

Five sub-sitemaps, totalling 1,703 indexable URLs. Shopify's new sitemap_agentic_discovery.xml is published — a forward-looking signal that AI search vendors will prioritise over the next 6–12 months.

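| Sub-sitemap | URLs | lastmod | changefreq | priority |
|---|---|---|---|---|
| sitemap_agentic_discovery.xml | 3 | 0 | 3 | 0 |
| sitemap_blogs_1.xml | 13 | 13 | 13 | 0 |
| sitemap_collections_1.xml | 47 | 47 | 47 | 0 |
| sitemap_pages_1.xml | 11 | 11 | 11 | 0 |
| sitemap_products_1.xml | 1,629 | 1,628 | 1,629 | 0 |
| Total indexable | 1,703 | | | |
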
All 1,628 product <lastmod> values are identical
Every product lastmod on this audit date equals the moment the sitemap was fetched (2026-05-10T10:40:24-05:00). Shopify generates these dynamically from the request time, not from the actual product updated_at. The lastmod field is therefore worthless for crawl prioritization on products. This is platform-level behavior; not theme-fixable.
Staging clones in sitemap_pages_1.xml
Both /pages/about-us AND /pages/new-about-us, both /pages/contact-us AND /pages/contact-us-new are listed. The "new" pages have lastmod from May/Nov 2024 — live and indexed for 12–18 months as duplicates. /pages/search-results-page is also listed but is an internal placeholder.

HTTP & Security Headers

Captured from https://watchvault.us/ HEAD response (Safari UA).

| Header | Value | Verdict |
|---|---|---|
| strict-transport-security | max-age=7889238 | ~91 days — not preload-eligible |
| x-frame-options | DENY | OK |
| x-content-type-options | nosniff | OK |
| x-xss-protection | 1; mode=block | Deprecated, harmless |
| content-security-policy | block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests; | Skeleton only |
| referrer-policy | (missing) | Missing |
| permissions-policy | (missing) | Missing |
| cross-origin-opener-policy | (missing) | Missing |
| cross-origin-resource-policy | (missing) | Missing |
| alt-svc | clear | HTTP/3 explicitly disabled |
| vary | Accept | Should also include Accept-Encoding |
| nel / report-to | configured | Cloudflare NEL active |
| powered-by | Shopify | Information disclosure (low-risk) |

Cookies
All Shopify session/cart/analytics cookies use Secure, SameSite=Lax, and most use HttpOnly. Cookie hygiene is fine.

URL Structure & Canonicalization

  • All URLs are clean: /products/<handle>, /collections/<handle>, /pages/<handle>, /blogs/news/<handle>.
  • No trailing slashes, no index.html, no query-string variants in canonical URLs.
  • Canonical tags present on 100 % of 100 sampled pages, all self-referential.
  • Variant URLs include ?variant=<id>; canonicals point to the non-variant URL.
  • No language/region subdirectories; site is US-only, English-only.
  • No X-Robots-Tag header set on the homepage HTTP response. No <meta name="robots"> directives on sampled pages. Default = indexable.

JavaScript Rendering

All sampled pages render server-side. Title, headings, JSON-LD, meta tags, body content all present in initial HTML response — no JS execution required for indexable content. Shopify section blocks render server-side via Liquid; the Pixel Union "Empire" derivative theme is not a JS-only theme.

SSR confirmed
Verified by Googlebot UA fetch — 869 KB initial HTML body contains all titles, 100 % of JSON-LD blocks, all visible text, all internal links.

Mobile / Responsive

  • Viewport meta tag present in homepage HTML
  • Pixel Union "Empire" derivative theme is responsive by design
  • Recently-discovered mobile breakpoint issue: .slideshow-slide__image-wrapper position behavior at the 550px breakpoint. Patched and pushed to live theme during this audit session.

Action Items

H10 · Add HSTS preload, missing security headers, re-enable HTTP/3 · XS

Why: HSTS max-age ~91 days; preload requires 1 year + includeSubDomains + preload. Missing Referrer-Policy, Permissions-Policy, COOP, CORP. HTTP/3 explicitly disabled (alt-svc: clear).

How — Cloudflare zone:

  1. HSTS to max-age=31536000; includeSubDomains; preload; submit to hstspreload.org after verifying Shopify-checkout subdomain compatibility
  2. Transform Rules for: Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=(), geolocation=(self), interest-cohort=(), Cross-Origin-Opener-Policy: same-origin-allow-popups, Cross-Origin-Resource-Policy: same-site
  3. Network → HTTP/3 with QUIC: ON
  4. Tighten CSP: add default-src, script-src, img-src, style-src directives

Owner: Site admin / DevOps · Acceptance: securityheaders.com grade A+; HSTS preload list status pending → preloaded; alt-svc header includes h3=":443".
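
The H10 acceptance criteria, plus the Vary and powered-by items listed in this report, written as an offline check. This is an added example, not part of the original audit tooling; the function names and finding labels are assumptions, and the sample dictionary is constructed from the header table above.

```python
import re

# Constructed sample: a subset of the header values recorded in this audit's table.
AUDITED = {
    "strict-transport-security": "max-age=7889238",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": "block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;",
    "alt-svc": "clear",
    "vary": "Accept",
    "powered-by": "Shopify",
}

REQUIRED = ("referrer-policy", "permissions-policy",
            "cross-origin-opener-policy", "cross-origin-resource-policy")
CSP_FETCH = ("default-src", "script-src", "img-src", "style-src")


def hsts_preload_ok(value):
    """True when max-age >= 1 year and both includeSubDomains and preload are set."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    age = next((re.fullmatch(r'max-age="?(\d+)"?', p) for p in parts
                if p.startswith("max-age")), None)
    return bool(age) and int(age.group(1)) >= 31536000 \
        and "includesubdomains" in parts and "preload" in parts


def check_headers(headers):
    """Return a sorted list of findings against the criteria in this report."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not hsts_preload_ok(h.get("strict-transport-security", "")):
        findings.append("hsts-not-preload-eligible")
    findings += [f"missing:{name}" for name in REQUIRED if name not in h]
    directives = {d.split()[0].lower() for d in
                  h.get("content-security-policy", "").split(";") if d.strip()}
    findings += [f"csp-missing:{d}" for d in CSP_FETCH if d not in directives]
    if 'h3=":443"' not in h.get("alt-svc", ""):
        findings.append("http3-not-advertised")
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    if "accept-encoding" not in vary:
        findings.append("vary-missing-accept-encoding")
    if "powered-by" in h:
        findings.append("discloses:powered-by")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(check_headers(AUDITED)))
```

An empty list means every criterion passes; feed it the header map from a fresh HEAD response after the Cloudflare changes to confirm the fix.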

M7 · Search Console + GA4 + CrUX setup verification · M

This audit could not pull field CWV, GSC indexation, or GA4 organic data. Connect a GCP project with the PageSpeed Insights API enabled; configure ~/.claude/skills/seo-audit/scripts/google_auth.py. Confirm the GSC property is verified for watchvault.us and submit all 5 sub-sitemaps.

Acceptance: Next audit pass returns CrUX p75 LCP/INP/CLS values.

L2 · Set Vary: Accept, Accept-Encoding · XS

Currently only Vary: Accept. Cloudflare Transform Rule.

L3 · Drop the powered-by: Shopify header · XS

Information disclosure. Cloudflare Transform Rule to strip. Hardening, not a real security fix.

L9 · Decide policies indexation strategy · XS

Currently /policies/* is robots-blocked. Counter-argument: for $5k–$25k purchases, customers Google "[brand] return policy site:watchvault.us" — being indexable would help. Discuss with client.

Cross-references: Bootstrap 3 CDN removal is filed under Performance (C6). Staging-clone unpublish is under Content Quality (C1).