Technical SEO Audit Checklist: 100-Point Guide

A technical SEO audit is not about meta tags and keyword density — it is a systematic engineering review of how well your site communicates with search engines. Crawlability, indexation, Core Web Vitals, structured data, canonicalization, and international signals all affect where you rank before a single piece of content is evaluated. In 2026, with AI-powered search engines and AEO (Answer Engine Optimization) becoming as important as traditional SEO, the technical foundation matters more than ever.

This 100-point checklist is organized by category. Work through it systematically and track findings in a spreadsheet. Fix critical items (marked C) before any other optimization work — they can prevent the rest from having any effect.

Key Takeaways

• Crawlability is the first gate — if Googlebot cannot reach your pages, nothing else matters
• Core Web Vitals (LCP, INP, CLS) are confirmed ranking signals; target LCP < 2.5s, INP < 200ms, CLS < 0.1
• Canonical tags prevent duplicate content dilution — every page needs one pointing to itself
• hreflang is mandatory for multilingual sites; x-default must be set for each URL group
• Structured data (JSON-LD) enables rich results and is critical for AI/LLM source attribution
• HTTPS is table stakes in 2026; mixed content blocks indexation of affected pages
• Mobile-first indexing means your mobile experience is what Google evaluates
• Internal linking with descriptive anchor text distributes PageRank and signals topic relevance

---

Section 1: Crawlability and Indexation (C = Critical)

robots.txt

• (C) robots.txt is accessible at /robots.txt and returns 200
• (C) Sitemap URL declared: Sitemap: https://example.com/sitemap.xml
• Key pages are not accidentally blocked by Disallow
• Separate crawl-rate directives for aggressive bots
• AI crawlers explicitly allowed or disallowed per policy (GPTBot, ClaudeBot, OAI-SearchBot)

User-agent: *
Allow: /
Disallow: /admin/
Disallow: /api/
Disallow: /auth/
Sitemap: https://ecosire.com/sitemap.xml

# Allow AI indexers
User-agent: GPTBot
Allow: /
User-agent: ClaudeBot
Allow: /

XML Sitemap

• (C) Sitemap returns 200 with correct Content-Type: application/xml
• (C) All canonical URLs included; no URLs blocked by robots.txt or noindex
• <lastmod> dates are accurate (not all the same static date)
• <priority> and <changefreq> set appropriately by page type
• Sitemap split into index + sub-sitemaps for sites with 50,000+ URLs
• Sitemap submitted to Google Search Console and Bing Webmaster Tools
• Image sitemap included for image-heavy pages
• Alternate language URLs in sitemap (hreflang)

// Next.js sitemap.ts — programmatic with correct lastmod
export default async function sitemap(): Promise<MetadataRoute.Sitemap> {
  const posts = await getAllBlogPosts();
  return [
    {
      url: 'https://ecosire.com',
      lastModified: new Date(),
      changeFrequency: 'daily',
      priority: 1.0,
    },
    ...posts.map((post) => ({
      url: `https://ecosire.com/blog/${post.slug}`,
      lastModified: new Date(post.updatedAt),
      changeFrequency: 'weekly' as const,
      priority: 0.8,
    })),
  ];
}

Crawl Budget

• Pagination pages use rel="next" / rel="prev" (or infinite scroll with SSR)
• Faceted navigation URLs are either canonicalized or noindex'd
• Session IDs and tracking parameters excluded from indexed URLs
• Redirect chains limited to one hop (A to B, not A to B to C)
• No soft 404s — 404 pages return HTTP 404, not 200

---

Section 2: HTTPS and Security

• (C) All pages served over HTTPS with valid certificate
• (C) HTTP redirects to HTTPS (301, not 302)
• (C) No mixed content warnings (HTTP resources on HTTPS pages)
• HSTS enabled with max-age=31536000; includeSubDomains; preload
• SSL certificate has 90+ days remaining
• Certificate covers www and non-www variants
• Certificate chain complete (no intermediate CA missing)

# Nginx HTTPS configuration
server {
    listen 443 ssl http2;
    server_name ecosire.com;

    ssl_certificate     /etc/letsencrypt/live/ecosire.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ecosire.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

---

Section 3: Core Web Vitals

Largest Contentful Paint (LCP) — Target: under 2.5s

• (C) LCP element identified in CrUX/PageSpeed Insights
• Hero image/video preloaded with <link rel="preload" as="image">
• LCP image served with correct fetchpriority="high" attribute
• Images in WebP or AVIF format, not PNG/JPEG where possible
• Images sized appropriately (no 4000px image displayed at 800px)
• CDN serving static assets with edge caching
• Server TTFB under 800ms (reduces LCP window)

// Next.js: priority prop preloads the hero image
<Image
  src="/hero.webp"
  alt="Hero image"
  width={1200}
  height={630}
  priority
  sizes="100vw"
/>

Interaction to Next Paint (INP) — Target: under 200ms

• Long tasks (over 50ms) identified and broken up
• Heavy JavaScript deferred or lazy-loaded
• Event handlers are efficient and not causing layout recalculations
• Third-party scripts loaded with async or defer

Cumulative Layout Shift (CLS) — Target: under 0.1

• (C) All images and video have explicit width and height attributes
• Web fonts use font-display: optional or swap with size-adjust fallback
• Ad slots have reserved dimensions
• Dynamically injected content above the fold avoided
• Animations use transform and opacity only (not top, left, width)

---

Section 4: URL Structure and Canonicalization

• (C) Every page has a self-referencing canonical tag
• (C) Canonical tag URL matches the actual served URL (trailing slash consistent)
• www and non-www redirect to the canonical version
• URLs are lowercase, hyphens as word separators, no underscores
• URL depth at most 4 levels from the root for important pages
• No URL parameters that create duplicate content without canonicalization
• Paginated series canonicalize to the first page (or each page self-canonical)

// Next.js generateMetadata with canonical
export async function generateMetadata({ params }: Props): Promise<Metadata> {
  const { locale, slug } = await params;
  const base = locale === 'en' ? '' : `/${locale}`;
  const canonicalUrl = `https://ecosire.com${base}/blog/${slug}`;

  return {
    alternates: {
      canonical: canonicalUrl,
      languages: buildHreflangUrls(slug), // all 11 locales
    },
  };
}

---

Section 5: Metadata and On-Page SEO

• (C) Every page has a unique <title> tag (50-60 characters)
• (C) Every page has a unique <meta name="description"> (150-160 characters)
• Titles follow the pattern: Primary Keyword | Brand Name
• No duplicate title tags across the site
• Open Graph tags: og:title, og:description, og:image, og:url, og:type
• Twitter/X card tags: twitter:card, twitter:title, twitter:image
• OG images are 1200x630px, under 8MB, served from CDN
• <meta name="robots"> only used to restrict (not redundant index,follow)
• <html lang="en"> set correctly for all pages

---

Section 6: Structured Data (JSON-LD)

• (C) JSON-LD preferred over Microdata/RDFa (easier to maintain, parser-friendly)
• Organization schema on homepage with sameAs social profile URLs
• WebSite schema with SearchAction for sitelinks search box
• BreadcrumbList schema on all pages below the homepage
• Article schema on blog posts with datePublished, dateModified, author
• FAQPage schema on pages with FAQ sections
• Product schema on product pages with offers, aggregateRating
• Service schema on service pages with areaServed, serviceType
• inLanguage property on all schemas for multilingual AI attribution
• Structured data validated in Google's Rich Results Test

// JSON-LD with XSS protection
// The .replace() encodes the less-than sign to prevent </script> breakout,
// making this safe for use in a script tag (no untrusted HTML rendered)
export function JsonLd({ data }: { data: Record<string, unknown> }) {
  const safeJson = JSON.stringify(data).replace(/</g, '\\u003c');

  return (
    <script
      type="application/ld+json"
      // Safe: safeJson is a sanitized JSON string, not HTML
      dangerouslySetInnerHTML={{ __html: safeJson }}
    />
  );
}

// Usage
const schema = {
  '@context': 'https://schema.org',
  '@type': 'FAQPage',
  inLanguage: locale,
  mainEntity: faqs.map((faq) => ({
    '@type': 'Question',
    name: faq.question,
    acceptedAnswer: { '@type': 'Answer', text: faq.answer },
  })),
};

<JsonLd data={schema} />

---

Section 7: International SEO

• (C) hreflang tags on all pages with language variants
• (C) x-default hreflang set for each URL group
• hreflang attributes are bidirectional (if /en/ links to /fr/, /fr/ must link back to /en/)
• Locale URLs use ISO 639-1 language codes + ISO 3166-1 region codes where needed
• <html lang="xx"> matches the hreflang locale for that page
• RTL languages (Arabic, Hebrew, Urdu) use dir="rtl" on <html>
• Content is translated, not just auto-translated without review
• Geo-targeting set in Google Search Console per locale subdirectory

// Next.js hreflang via generateMetadata
const locales = ['en', 'zh', 'es', 'ar', 'pt', 'fr', 'de', 'ja', 'tr', 'hi', 'ur'];

// In generateMetadata:
// alternates.languages keys must be BCP 47 language tags
alternates: {
  languages: Object.fromEntries([
    ['x-default', `https://ecosire.com/blog/${slug}`],
    ['en',        `https://ecosire.com/blog/${slug}`],
    ['zh',        `https://ecosire.com/zh/blog/${slug}`],
    ['ar',        `https://ecosire.com/ar/blog/${slug}`],
    // ... all 11 locales
  ]),
},

---

Section 8: Performance and Infrastructure

• Static assets served from CDN (CloudFront, Cloudflare, Fastly)
• Browser caching: Cache-Control: public, max-age=31536000, immutable for hashed assets
• Gzip or Brotli compression enabled on the server
• HTTP/2 or HTTP/3 enabled
• DNS TTL 3600s or less for agile failover
• Server response time under 200ms for HTML (measure TTFB)
• JavaScript bundle under 250KB initial load (gzipped)
• Unused JavaScript eliminated (tree-shaking, code splitting)
• CSS purged of unused rules in production

# Nginx compression + caching headers
gzip on;
gzip_types text/html text/css application/javascript application/json image/svg+xml;
gzip_min_length 1024;

location /_next/static/ {
    expires max;
    add_header Cache-Control "public, max-age=31536000, immutable";
}

---

Section 9: Mobile and User Experience

• (C) Viewport meta tag: <meta name="viewport" content="width=device-width, initial-scale=1">
• All interactive elements have touch targets at least 48x48px
• No horizontal scrolling on mobile (max-width: 100vw)
• Font size at least 16px for body text (prevents iOS auto-zoom on input focus)
• Mobile navigation tested on real devices (iOS Safari, Chrome Android)
• Pop-ups and interstitials do not cover main content on mobile
• Tap-to-call on phone numbers for mobile visitors

---

Section 10: AEO (Answer Engine Optimization)

Increasingly important for AI search engines and voice assistants:

• Key answers wrapped in data-speakable attribute
• <details>/<summary> used for collapsible FAQ content (crawlable, semantic)
• /llms.txt and /.well-known/llms.txt published for AI crawlers
• Concise, factual answer paragraphs at the top of key sections (featured snippet optimization)
• Entity relationships clear in structured data (Organization to Services to Products)
• Brand name consistent across all pages, social profiles, and directories
• IndexNow API used for instant URL submission after publishing new content

---

Frequently Asked Questions

How often should I run a technical SEO audit?

Run a full audit quarterly and a lightweight crawl (Screaming Frog or Sitebulb) monthly. Any significant site change — new tech stack, migration, adding international content, major redesign — warrants an immediate audit. Set up continuous monitoring via Google Search Console alerts for sudden drops in indexed pages or crawl errors.

What tools do I need for a technical SEO audit?

At minimum: Google Search Console (free, canonical), Screaming Frog or Sitebulb (crawl analysis), PageSpeed Insights (Core Web Vitals), Google Rich Results Test (structured data), WebAIM Contrast Checker (accessibility/UX), and Ahrefs or Semrush (backlinks, keyword ranking). For JavaScript-heavy sites, add Rendertron or Botify for rendered crawling.

What is the most common critical SEO issue found in audits?

Canonical tag misconfigurations are the most common critical finding — either missing entirely, pointing to the wrong URL (often a dev or staging domain left in production), or inconsistent with trailing slash usage. The second most common is accidental noindex directives from CMS plugins or staging configurations left in production builds.

Does Next.js App Router help with technical SEO?

Yes, significantly. Server-side rendering means all content is in the initial HTML response (no JavaScript required for crawling). generateMetadata() per-page metadata prevents global static metadata mistakes. The sitemap.ts and robots.ts conventions make those files easy to maintain programmatically. The built-in Image component enforces width and height for CLS prevention and automatically generates WebP/AVIF variants.

How do I handle SEO for paginated content?

For paginated blog archives or product listings, each page should have a self-referencing canonical (not canonical to page 1), a descriptive title indicating the page number, and if the content is substantial, allow indexation. For thin paginated pages, consider noindex on pages beyond page 3. Google deprecated rel="next"/rel="prev" in 2019, but it is still used by other search engines.

---

Next Steps

A technical SEO audit is a one-time investment that multiplies the ROI of all your content and marketing work. The 100 points in this checklist cover the full scope of what search engines evaluate before they rank your content.

ECOSIRE implements technical SEO best practices as a standard part of every Next.js project — from programmatic sitemaps and hreflang for 11 locales to structured data, Core Web Vitals optimization, and IndexNow API integration. Explore our web development services to learn how we build for search visibility from day one.