GreenLight Learning Center
You know your way around a website. You’re just not a full-time SEO, security, or AdSense specialist — and every tool assumes you are. This is the plain-language version: what each check means, why it matters, and the exact fix. We skip the basics and explain the things that quietly trip you up. Run a scan, then click “Learn more” on any finding to land here.
The two problems you can’t see
If you know the difference between http and https, GreenLight is built for you. We don’t explain the basics — you already know them. We surface the two kinds of problems you can’t find on your own.
1. The ones you know to ask about, but can’t answer yourself. You’ve heard a site should have a content security policy, or readable contrast, or “enough” content. But is yours right? You know the question; you can’t tell the answer by looking. GreenLight turns “I think it’s okay?” into a clear yes or no — on the exact page and element.
2. The ones you didn’t know to look for. This is the dangerous one, and the reason GreenLight exists. The header you’d never heard of, the trust signal an ad network silently expects, the reason AI engines aren’t citing you, the step you skipped without knowing it was a step. You can’t search for the answer to a question you don’t know to ask. These sit quietly and cost you traffic, approvals, and revenue — and nothing tells you they’re there.
A vague “low value content” rejection is the perfect example: it doesn’t just hide the fix, it hides the question. GreenLight drags both into the light — names each problem in plain words and hands you the exact page, element, and fix.
This maps to a long-standing risk-management idea: “known unknowns” and “unknown unknowns.” We deliberately skip the third category — “known knowns.” If you already know it, you don’t need us to explain it.
Advice vs education (the YMYL line)
YMYL stands for “Your Money or Your Life” — pages about money, health, safety, or other big decisions. Google and ad networks hold these to a higher bar, because bad information can do real harm. The biggest trap is framing. A page that gives advice (“you should buy gold now,” “guaranteed returns”) is treated as high-risk; the same facts framed as education (“here’s how the gold-silver ratio works, and the factors to weigh”) are low-risk and ad-friendly. The fix is never to delete your expertise — it’s to teach the reader how to decide instead of telling them what to do, and to add a clear “not financial advice” disclaimer. Education is the framing these systems reward; a verdict is the one they reject.
HTTPS — the gaps people miss
Having HTTPS is table stakes; the traps are the gaps around it. Without HSTS, a visitor’s very first request can still be silently downgraded to insecure HTTP before your redirect fires. A single piece of mixed content — one http:// image or script on an otherwise-secure page — quietly breaks the padlock. And if the bare http:// version doesn’t 301-redirect to https://, old links and bookmarks strand people on the insecure copy. Those are the three to actually check — not whether a certificate exists.
HSTS (Strict-Transport-Security)
HSTS is a short instruction your site sends that tells browsers, "always use my secure version, never the insecure one." Without it, a visitor's very first request can be quietly downgraded to insecure HTTP before your redirect kicks in. You switch it on with a single response header. It is "sticky": browsers remember it for a long time, so only turn it on once your HTTPS is rock solid.
Content-Security-Policy (CSP)
A CSP is a rulebook your site hands the browser that says which scripts and resources are allowed to run. It is the main defense against cross-site scripting, where an attacker sneaks their code onto your page. Start it in "report-only" mode so it watches without breaking anything, tune it, then enforce. Allowing 'unsafe-inline' or 'unsafe-eval' weakens it: move inline scripts into files and use a nonce so you can drop those.
X-Content-Type-Options: nosniff
This header stops the browser from "guessing" a file's type. Without it, a file you serve as plain text could be mis-read as a script and run. One header value, nosniff, switches the guessing off.
X-Frame-Options (clickjacking)
This stops another website from loading yours inside a hidden frame to trick your visitors into clicking things they cannot see, a trick called clickjacking. SAMEORIGIN allows only your own site to frame your pages.
Referrer-Policy
This controls how much of your page's address is shared with another site when a visitor clicks a link away from you. strict-origin-when-cross-origin shares only your domain, not the full, possibly private, URL.
Server / X-Powered-By disclosure
These headers can advertise the exact software and version your site runs (for example, "PHP 8.1.2"). That hands an attacker a shopping list of known bugs to try against you. Remove or blank them in your server or app config. A bare CDN name like "cloudflare" with no version is fine; that is reported on purpose.
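The header checks described in the sections above (HSTS through Server / X-Powered-By) can be run against one response's headers in a few lines. This is an added example, not GreenLight's own code; the finding codes, the function name and the sample headers are made up for illustration.

```python
import re

# Constructed sample response headers (not from a real site).
SAMPLE = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "cloudflare",
    "X-Powered-By": "PHP/8.1.2",
}

def audit_headers(headers):
    """Return a sorted list of (hypothetical) finding codes for one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    elif not re.search(r"max-age\s*=\s*\"?[1-9]\d*", hsts, re.I):
        findings.append("hsts-no-max-age")  # max-age=0 switches HSTS off

    csp = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if csp is None:
        # Report-only watches but blocks nothing, so it is still a finding.
        findings.append("csp-report-only" if report_only else "csp-missing")
    for token in ("'unsafe-inline'", "'unsafe-eval'"):
        if token in (csp or report_only or "").lower():
            findings.append("csp-" + token.strip("'"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("frame-options-missing")
    if "referrer-policy" not in h:
        findings.append("referrer-policy-missing")

    # A product name followed by a version number is disclosure; a bare name is not.
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(name + "-version-disclosed")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)))
```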
HTTP to HTTPS redirect
Even with a secure site, the old insecure http:// address usually still works. A permanent (301) redirect automatically sends every http:// visitor and link to the secure https:// version, so no one is left stranded on the insecure one.
Mixed content
Mixed content is when a secure (HTTPS) page loads a piece of itself, an image, script, or stylesheet, over insecure HTTP. Browsers block or warn on it, which can break the page and the padlock. The fix is to change those resource links to https:// (or protocol-relative //).
Secure / HttpOnly cookie flags
These are small flags on the cookies your site sets. Secure keeps a cookie off insecure connections. HttpOnly hides it from JavaScript, so a script bug cannot steal a logged-in session. SameSite limits when the cookie is sent from other sites. Set all three where you can.
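The three flags can be checked directly on the Set-Cookie headers a site sends. This is an added example, not GreenLight's own code; the cookie values and function names are constructed, and it also flags one combination the flags allow on paper but modern browsers reject: SameSite=None without Secure.

```python
# Constructed Set-Cookie header values, one per cookie (not from a real site).
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=42; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "embed=1; Path=/; SameSite=None; HttpOnly",
]

def audit_set_cookie(value):
    """Return (cookie name, list of problems) for one Set-Cookie value."""
    pair, *attr_parts = [p.strip() for p in value.split(";")]
    name = pair.split("=", 1)[0]
    attrs = {}
    for part in attr_parts:
        # Attribute names are case-insensitive; flags such as Secure have no value.
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()

    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Modern browsers drop a SameSite=None cookie that is not also Secure.
        problems.append("SameSite=None without Secure")
    return name, problems

def audit_cookies(values):
    """Map cookie name -> problems, leaving out cookies with all three flags."""
    results = (audit_set_cookie(v) for v in values)
    return {name: problems for name, problems in results if problems}

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_SET_COOKIES).items():
        print(name, problems)
```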
Exposed sensitive files
Files like .env, .git, or database backups sometimes end up publicly downloadable by accident. They often contain passwords, API keys, or your source code, enough to fully compromise a site. Block public access to those paths in your server config, and treat any key that was exposed as already compromised, so rotate it.
Title tag
The title tag is the clickable headline that shows in Google results and the browser tab. It is one of the strongest ranking signals and the first thing a searcher reads, so make each page's title unique and about 50-60 characters (longer gets cut off).
Noindex
A noindex tag tells Google "do not list this page in search." It is handy for thank-you or admin pages, but it is often left on by accident after a site goes live, which quietly hides real pages from search.
H1 heading
The H1 is the main on-page heading. It tells Google and screen readers what the page is about. Use exactly one H1 per page, then H2 and H3 for sub-sections.
Meta description
The short summary Google shows under your title in results. It does not directly change ranking, but a clear 140-160 character description gets more clicks. Leave it blank and Google writes its own, usually worse.
Alt text
A short text description of an image, read aloud to blind visitors and shown if the image fails to load. It is the baseline of web accessibility and helps image search. Describe meaningful images; use empty alt (alt="") for purely decorative ones.
Canonical link
A tag that tells search engines "this is the main version of this page." When the same content is reachable at several URLs, the canonical stops them from competing and splitting your ranking.
Mobile viewport
A small tag that tells phones to scale the page to the screen. Without it, your site shows zoomed-out and tiny on mobile, which hurts both visitors and Google's mobile-first ranking.
Page language
The lang attribute on the html tag (for example lang="en") tells browsers and screen readers what language the page is in, so they pronounce it correctly and search engines target the right region.
Thin content
Pages with very little original text. They rank poorly and can trip ad networks' "low value content" filters. Aim for substantive, genuinely useful content rather than a bare heading and an image.
Open Graph
The tags (og:title, og:image, og:description) that control how your link looks when shared on Facebook, LinkedIn, Slack, and messaging apps. Without them, a shared link shows a bare or wrong preview.
Structured data (JSON-LD)
A small block of machine-readable data that tells search engines and AI exactly what a page is (an article, a product, an FAQ, a business) instead of making them guess. It unlocks rich results like star ratings and FAQ drop-downs.
Time To First Byte (TTFB)
How long the server takes to start sending the page after a request. A slow TTFB (over about 1.5 seconds) delays everything after it and drags down Core Web Vitals and ranking. Caching, lighter database queries, and a CDN all help.
Text compression
Shrinking HTML, CSS, and JavaScript before sending them, using gzip or Brotli. It is a one-time server setting that can cut page weight by well over half, most noticeable on mobile.
Heavy HTML
A single page whose HTML is very large (over about 150KB) is slow to download and parse, delaying the first paint. Trim inline content, defer non-critical markup, and paginate very long pages.
Render-blocking scripts
A normal <script> in the page head stops the browser from showing anything until it downloads and runs. Adding async or defer (or moving scripts to the end of the page) lets the page paint first.
Layout shift (CLS)
When images or ads load without reserved space, the page jumps as they appear and visitors mis-click. Setting an image's width and height (or a CSS aspect-ratio) reserves the space and stops the shift. CLS is one of the Core Web Vitals.
Lazy loading
Loading images only as the visitor scrolls near them, rather than all at once. Adding loading="lazy" to below-the-fold images frees bandwidth for what is actually on screen, speeding the first paint.
Accessible name
The text a screen reader or voice control announces for a control. A button with only an icon and no text or aria-label is silent to those users. An aria-label gives it a name.
Form label
A visible label connected to an input so screen-reader users know what to type. Connect them with the for and id attributes (or wrap the input in the label). A placeholder alone is not a label.
Main landmark
The <main> element marks a page's primary content, letting screen-reader and keyboard users skip straight past the header and nav to the real content. Every page should have exactly one.
Descriptive link text
Link text should say where it goes. Screen-reader users often pull up a list of just the links, so "click here" and "read more" out of context tell them nothing. "See our pricing" does.
Pinch-to-zoom
Some sites disable zoom with user-scalable=no in the viewport tag. That blocks low-vision visitors who rely on pinching to enlarge text. Remove the zoom block.
Color contrast
The difference in lightness between text and its background, measured as a ratio. WCAG AA wants at least 4.5:1 for normal text (3:1 for large text). Low-contrast text, like light gray on white, is hard to read for low-vision visitors and in bright sunlight. GreenLight computes the ratio straight from your CSS colors (theme variables included); text sitting over an image or gradient still benefits from a human look.
Twitter/X card
A tag that tells X how to show your link: a big image card instead of a plain line. It reuses your Open Graph title and image, so it is one extra line to add.
Share image (og:image)
The preview image shown when your link is shared. It should be a real, public image around 1200x630 pixels. A broken or missing one means shared links show blank, the worst social first impression.
llms.txt
An emerging standard: a plain markdown file at your site root that lists your most important pages with a one-line summary of each, formatted for AI crawlers (ChatGPT, Perplexity) to read quickly. Think of it as a sitemap written for AI.
AI citation bots
The crawlers ChatGPT, Perplexity, and Google AI Overviews use to read and cite your pages (OAI-SearchBot, PerplexityBot, Google-Extended). If your robots.txt blocks them, you stay out of AI answers. Blocking training-only bots like GPTBot is a separate, reasonable choice.
Bingbot
Microsoft's crawler. Bing's index feeds Copilot and parts of ChatGPT and Perplexity, so if bingbot cannot crawl you, you are absent from the index those AI engines read. Allow it in robots.txt.
Bing Webmaster verification
Adding a verification tag proves you own the site so you can use Bing Webmaster Tools: submit sitemaps, watch indexing, and enable IndexNow. Since Bing feeds many AI engines, this is where AI visibility via Bing starts.
Organization schema (sameAs)
JSON-LD that names your business and links its profiles (sameAs to your social and directory pages). It lets search engines and AI tie scattered mentions of you across the web to one clear identity.
FAQ schema (FAQPage)
Structured data that lists question-and-answer pairs in a machine-readable way. AI engines lift those answers directly into responses, so it is one of the highest-value ways to get cited.
Question-style headings
Sub-headings phrased as the questions people actually ask (and type into AI), like "How much does it cost?" instead of "Pricing." Matching the question makes your content easy for AI to quote.
Article interlinking
Linking your articles to other related articles on your site. A connected cluster of guides on a topic signals authority to search and AI; an article that links nowhere reads as a one-off.
HowTo schema
Structured data that marks up step-by-step content as an ordered list of steps. A huge share of AI prompts are "how do I...", and HowTo lets the engine reproduce your steps as a clean numbered answer.
Privacy policy
A page describing what data your site collects, how cookies and ads use it, and how to contact you. AdSense requires one, and a missing privacy policy is among the most common rejection reasons. Free generators can draft a starting point.
About & Contact pages
AdSense reviewers look for an About page (who runs the site and why) and a Contact page (a form or email) as basic trust and identity signals. Add both and link them in your nav or footer.
ads.txt
A small text file at your site root that authorizes who may sell your ad space. AdSense needs it to contain your real publisher id (pub-...). A missing file, or a "PENDING" placeholder, blocks ads from serving.
Google crawlability
AdSense can only approve pages Google can read. A site-wide Disallow: / in robots.txt for the catch-all (or Googlebot) group blocks the whole site from Google. A Disallow aimed only at AI-scraper bots is fine.
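The difference between a site-wide block and a block aimed at one scraper, and the same question for the AI citation bots and Bingbot entries above, can be tested with Python's standard robots.txt parser. This is an added example, not GreenLight's own code; both robots.txt files and the report keys are constructed.

```python
from urllib.robotparser import RobotFileParser

SEARCH_BOTS = ("Googlebot", "bingbot")
AI_CITATION_BOTS = ("OAI-SearchBot", "PerplexityBot", "Google-Extended")
TRAINING_BOTS = ("GPTBot",)

# Constructed robots.txt: blocks one training bot, leaves everything else open.
SCRAPER_ONLY = """\
User-agent: GPTBot
Disallow: /

User-agent: *
Disallow: /admin/
"""

# Constructed robots.txt: the catch-all group blocks the whole site.
SITE_WIDE = """\
User-agent: *
Disallow: /
"""

def crawl_report(robots_txt, path="/"):
    """List which crawlers in each group are blocked from `path`."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())

    def blocked(bots):
        return [bot for bot in bots if not parser.can_fetch(bot, path)]

    report = {
        "search_blocked": blocked(SEARCH_BOTS),
        "ai_citation_blocked": blocked(AI_CITATION_BOTS),
        "training_blocked": blocked(TRAINING_BOTS),
    }
    # AdSense can only approve pages Google can read.
    report["adsense_blocker"] = "Googlebot" in report["search_blocked"]
    return report

if __name__ == "__main__":
    print(crawl_report(SCRAPER_ONLY))
    print(crawl_report(SITE_WIDE))
```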
Author and E-E-A-T
E-E-A-T is Google's shorthand for Experience, Expertise, Authoritativeness, and Trust. For articles, that starts with a named human author (a Person byline in schema plus an author page), not an anonymous Organization. It is a repeat rejection reason for money and health content.