seo audit

Author: dani-polani

.vscode/settings.json

@@ -0,0 +1,11 @@
+{
+    "workbench.colorCustomizations": {
+        "statusBar.background": "#3b82f6",
+        "statusBar.foreground": "#e7e7e7",
+        "statusBarItem.hoverBackground": "#6ca1f8",
+        "statusBarItem.remoteBackground": "#3b82f6",
+        "statusBarItem.remoteForeground": "#e7e7e7",
+        "tab.activeBorder": "#6ca1f8"
+    },
+    "peacock.color": "#3b82f6"
+}

Dockerfile

@@ -20,6 +20,7 @@ ENV NODE_ENV=production
 
 # adapter-node: HOST defaults to 0.0.0.0; Railway sets PORT.
 COPY --from=builder /app/build ./build
+COPY --from=builder /app/server.js ./server.js
 COPY --from=builder /app/package.json ./package.json
 COPY --from=builder /app/node_modules ./node_modules
 
@@ -28,4 +29,5 @@ USER node
 
 EXPOSE 3000
 
-CMD ["node", "build"]
+# Custom server wraps adapter-node's handler to add security headers to every response.
+CMD ["node", "server.js"]

bitext/server.js

@@ -0,0 +1,45 @@
+// Production server: wraps adapter-node's request handler so baseline security headers
+// are added to EVERY response — including prerendered pages and static assets, which the
+// SvelteKit `handle` hook does not cover. Run via `node server.js` (see Dockerfile).
+import http from 'node:http';
+import process from 'node:process';
+import { handler } from './build/handler.js';
+
+const host = process.env.HOST || '0.0.0.0';
+const port = Number(process.env.PORT || 3000);
+const shutdownTimeout = Number(process.env.SHUTDOWN_TIMEOUT || 30) * 1000;
+
+// HSTS is safe because the site is HTTPS-only (Railway terminates TLS, redirects HTTP).
+// No CSP yet: the app loads Google Fonts, GA, Tally, and a DigitalOcean CDN, so a correct
+// policy needs its own change.
+const SECURITY_HEADERS = {
+	'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+	'X-Content-Type-Options': 'nosniff',
+	'X-Frame-Options': 'SAMEORIGIN',
+	'Referrer-Policy': 'strict-origin-when-cross-origin',
+	'Permissions-Policy': 'camera=(), microphone=(), geolocation=()'
+};
+
+const server = http.createServer((req, res) => {
+	// Set before the handler writes; merged into the final response headers.
+	for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
+		res.setHeader(name, value);
+	}
+	handler(req, res, () => {
+		res.statusCode = 404;
+		res.end('Not Found');
+	});
+});
+
+server.listen(port, host, () => {
+	console.log(`Listening on http://${host}:${port}`);
+});
+
+function gracefulShutdown() {
+	server.closeIdleConnections?.();
+	server.close(() => process.exit(0));
+	setTimeout(() => process.exit(0), shutdownTimeout).unref();
+}
+
+process.on('SIGTERM', gracefulShutdown);
+process.on('SIGINT', gracefulShutdown);

bitext/src/lib/brand.ts

@@ -7,6 +7,10 @@ export const ALIGNER_SITE_HOST = 'aligner.tinygods.dev';
 /** Public contact for privacy, about, and similar pages. */
 export const SITE_CONTACT_EMAIL = 'dani@tinygods.dev';
 
+/** Creator attribution (footer, structured data). */
+export const SITE_AUTHOR_NAME = 'Dani Polani';
+export const SITE_AUTHOR_URL = 'https://danipolani.github.io/en/';
+
 /** User-facing product name in copy (legal/site title may differ). */
 export const ALIGNER_DISPLAY_NAME = 'Aligner';
 

bitext/src/lib/components/seo/JsonLd.svelte

@@ -1,16 +1,66 @@
 <script lang="ts">
+	import {
+		ALIGNER_SITE_URL,
+		SITE_AUTHOR_NAME,
+		SITE_AUTHOR_URL,
+		SITE_CONTACT_EMAIL
+	} from '$lib/brand.js';
+	import { SITE_NAME, DEFAULT_DESCRIPTION } from '$lib/seo/metadata.js';
+
 	/**
-	 * FAQPage JSON-LD for the visible FAQ block in `SeoSections.svelte`.
+	 * Homepage structured data: WebSite, WebApplication, and FAQPage.
 	 *
-	 * The `SoftwareApplication` schema used to live here too, but Google's docs require a real
-	 * `aggregateRating` or `review` on that type — with no legitimate review data we were shipping
-	 * invalid markup that Google ignores. We will add it back when there is something to rate.
+	 * WebApplication intentionally omits `aggregateRating`/`offers.review`. Google's *rich result*
+	 * for software needs a real rating, which we do not have, so this will not produce a rich
+	 * result — but the markup is valid and helps search engines and LLMs identify what the tool is
+	 * (entity resolution, AI Overviews/ChatGPT/Perplexity citation). Add a rating block here only
+	 * when there is legitimate review data.
 	 *
 	 * FAQ rich results are effectively restricted to well-known health/government sites since 2023
-	 * (https://developers.google.com/search/blog/2023/08/howto-faq-changes) so this markup is kept
-	 * mainly for semantic coverage and ordinary snippet quality. The answer text here mirrors the
-	 * visible FAQ copy on the page, which Google requires for any FAQPage markup.
+	 * (https://developers.google.com/search/blog/2023/08/howto-faq-changes) so the FAQPage block is
+	 * kept mainly for semantic coverage and AI citation. The answer text mirrors the visible FAQ
+	 * copy on the page, which Google requires for any FAQPage markup.
 	 */
+	const creator = {
+		'@type': 'Person',
+		name: SITE_AUTHOR_NAME,
+		url: SITE_AUTHOR_URL,
+		email: SITE_CONTACT_EMAIL
+	};
+
+	const website = {
+		'@context': 'https://schema.org',
+		'@type': 'WebSite',
+		name: SITE_NAME,
+		url: ALIGNER_SITE_URL + '/',
+		description: DEFAULT_DESCRIPTION,
+		inLanguage: 'en',
+		publisher: creator
+	};
+
+	const webApplication = {
+		'@context': 'https://schema.org',
+		'@type': 'WebApplication',
+		name: SITE_NAME,
+		url: ALIGNER_SITE_URL + '/',
+		description: DEFAULT_DESCRIPTION,
+		applicationCategory: 'EducationalApplication',
+		operatingSystem: 'Any',
+		browserRequirements: 'Requires a modern web browser with JavaScript enabled',
+		offers: { '@type': 'Offer', price: '0', priceCurrency: 'USD' },
+		featureList: [
+			'Word-by-word translation visualization',
+			'Interlinear gloss support',
+			'IPA tier support',
+			'Right-to-left script support (Hebrew, Arabic)',
+			'Export to PNG, SVG, PDF, and HTML',
+			'Shareable URLs',
+			'Free REST API'
+		],
+		inLanguage: 'en',
+		creator
+	};
+
 	const faq = {
 		'@context': 'https://schema.org',
 		'@type': 'FAQPage',
@@ -71,5 +121,7 @@
 <!-- JSON-LD is trusted (serialized from app constants); @html avoids nested script parsing issues -->
 <!-- eslint-disable svelte/no-at-html-tags -->
 <svelte:head>
+	{@html safeJsonLd(website)}
+	{@html safeJsonLd(webApplication)}
 	{@html safeJsonLd(faq)}
 </svelte:head>

bitext/src/lib/seo/metadata.ts

@@ -1,11 +1,19 @@
 export const SITE_NAME = 'Word Aligner';
 
+/**
+ * Last meaningful content update, used for `<lastmod>` in the sitemap. Google reads lastmod as a
+ * crawl-scheduling hint, so keep this honest — bump it when page copy or examples change, not on
+ * every deploy. A single accurate date is better than a fabricated per-deploy timestamp.
+ */
+export const SITE_LASTMOD = '2026-06-24';
+
 /**
  * Title and description favor colloquial, user-first phrasing while keeping the formal category
  * term ("word-by-word translation visualizer") so the page still matches exact-intent searches.
  * Audience signals (learners, teachers, conlang posts) help Google pair the page with relevant
  * long-tail queries without spamming keywords.
  */
 export const DEFAULT_TITLE = 'Word-by-word translation visualizer — see which words match';
+/** Kept ≤160 chars so Google does not truncate the SERP snippet. */
 export const DEFAULT_DESCRIPTION =
-	'Word Aligner: free word-by-word translation visualizer. Stack multiple lines, link adjacent rows in the preview, optional gloss/IPA lines, exports (PNG, SVG, PDF, HTML), and shareable URLs. For learners, teachers, linguists, and conlang posts.';
+	'Free word-by-word translation visualizer. Stack lines, add gloss/IPA, draw connectors, then export PNG, SVG, or PDF. For learners, teachers, and linguists.';

bitext/src/routes/+layout.svelte

@@ -4,6 +4,7 @@
 	import '../app.css';
 	import { registerAffiliateLinkClickTracking } from '$lib/analytics/affiliate-link-tracking.js';
 	import { GA_MEASUREMENT_ID } from '$lib/brand.js';
+	import { SITE_NAME } from '$lib/seo/metadata.js';
 	import { flowbiteTheme } from '$lib/flowbite-theme.js';
 	import { settingsStore } from '$lib/state/settings.svelte.js';
 	import { viewportStore } from '$lib/state/viewport.svelte.js';
@@ -43,6 +44,7 @@
 </script>
 
 <svelte:head>
+	<meta property="og:site_name" content={SITE_NAME} />
 	<meta name="impact-site-verification" value="a52264b4-df2c-48b2-90cb-a4c5e81c208b" />
 	<link rel="icon" href="/favicon.ico" sizes="any" />
 	<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />

bitext/src/routes/api/og/+server.ts

@@ -29,7 +29,9 @@ export const GET: RequestHandler = async ({ url }) => {
 		headers: {
 			'Content-Type': 'image/png',
 			'Content-Length': String(buffer.length),
-			'Cache-Control': 'public, max-age=3600'
+			'Cache-Control': 'public, max-age=3600',
+			// Generated social-card image, not a document — keep it out of the index.
+			'X-Robots-Tag': 'noindex'
 		}
 	});
 };

bitext/src/routes/sitemap.xml/+server.ts

@@ -1,20 +1,21 @@
 import type { RequestHandler } from '@sveltejs/kit';
 import { GALLERY_EXAMPLES } from '$lib/examples/catalog.js';
+import { SITE_LASTMOD } from '$lib/seo/metadata.js';
 
+// `changefreq`/`priority` are omitted on purpose — Google ignores both. Only `loc` and `lastmod`
+// carry weight.
 export const GET: RequestHandler = ({ url }) => {
 	const base = url.origin;
-	const exampleUrls = GALLERY_EXAMPLES.map(
-		(e) =>
-			`  <url><loc>${base}/examples/${e.slug}</loc><changefreq>monthly</changefreq><priority>0.7</priority></url>`
-	).join('\n');
+	const entry = (loc: string) => `  <url><loc>${loc}</loc><lastmod>${SITE_LASTMOD}</lastmod></url>`;
+	const exampleUrls = GALLERY_EXAMPLES.map((e) => entry(`${base}/examples/${e.slug}`)).join('\n');
 	const body = `<?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
-  <url><loc>${base}/</loc><changefreq>weekly</changefreq><priority>1</priority></url>
-  <url><loc>${base}/examples</loc><changefreq>weekly</changefreq><priority>0.8</priority></url>
+${entry(`${base}/`)}
+${entry(`${base}/examples`)}
 ${exampleUrls}
-  <url><loc>${base}/about</loc><changefreq>monthly</changefreq><priority>0.6</priority></url>
-  <url><loc>${base}/api</loc><changefreq>monthly</changefreq><priority>0.4</priority></url>
-  <url><loc>${base}/privacy</loc><changefreq>yearly</changefreq><priority>0.3</priority></url>
+${entry(`${base}/about`)}
+${entry(`${base}/api`)}
+${entry(`${base}/privacy`)}
 </urlset>`;
 	return new Response(body, {
 		headers: {

bitext/static/llms.txt

@@ -0,0 +1,23 @@
+# Word Aligner
+
+> Free, browser-based tool for visualizing word-by-word translation alignment and interlinear glosses. Stack multiple lines of text, draw connectors between matching words or morphemes, add IPA and gloss tiers, support right-to-left scripts, and export to PNG, SVG, PDF, or HTML. Everything runs client-side; sentences are never stored unless the user chooses to share them. A free, no-auth REST API is available.
+
+Built for language learners, language teachers, linguists, and conlangers. Created by Dani Polani (dani@tinygods.dev).
+
+## Core pages
+- [Word Aligner app](https://aligner.tinygods.dev/): The interactive editor — type or paste stacked lines, click a word and its match on the adjacent line to draw a connector, then export or share.
+- [About](https://aligner.tinygods.dev/about): What the tool does, the line editor, settings, export and share options, and privacy approach.
+- [API](https://aligner.tinygods.dev/api): Free REST API. POST text lines and optional alignment pairs to get a shareable URL; GET to pre-fill the editor. No authentication.
+- [Examples](https://aligner.tinygods.dev/examples): Gallery of word alignment and interlinear gloss examples across many languages.
+
+## Example walkthroughs
+- [English and French word alignment](https://aligner.tinygods.dev/examples/english-french-word-alignment): Simple bilingual one-to-one and one-to-many word matches.
+- [Turkish interlinear gloss with IPA](https://aligner.tinygods.dev/examples/turkish-interlinear-gloss-ipa): Four-line interlinear layout — morpheme glosses, IPA, source text, translation.
+- [Hebrew and Arabic with English (RTL)](https://aligner.tinygods.dev/examples/hebrew-arabic-english-rtl): Right-to-left scripts, bound vs free prepositions, crossing links.
+- [Japanese, Chinese, and English word order](https://aligner.tinygods.dev/examples/japanese-chinese-english-word-order): SOV vs SVO word order with crossing connectors across three lines.
+- [Classical Nahuatl interlinear gloss](https://aligner.tinygods.dev/examples/classical-nahuatl-interlinear-gloss): Polysynthetic verb morphology in an interlinear layout.
+- [Lezgian morpheme gloss](https://aligner.tinygods.dev/examples/lezgian-morpheme-gloss): Morpheme-by-morpheme glossing of a low-resource language.
+- [Lojban sumti interlinear gloss](https://aligner.tinygods.dev/examples/lojban-sumti-interlinear-gloss): Interlinear gloss of a constructed-language sentence.
+
+## Optional
+- [Privacy policy](https://aligner.tinygods.dev/privacy): Browser-only processing; no server-side storage of user text.