How we score launches

Every score on StackScope is computed from publicly observable signals. We analyse HTTP headers, rendered page content, DNS records, TLS certificates, and well-known files. Nothing is subjective. Scores are deterministic and reproducible.

StackScope Score (0-10)

Our headline score. A single number that captures how well a site is built, based on five weighted components:

  • Authenticity (30%): inverted AI score. Fewer AI signals = higher score.
  • Security (20%): security headers present out of 6.
  • Launch Readiness (20%): page basics, social tags, responsive design, production hygiene.
  • Legal (15%): privacy policy, terms of service, no unfilled template placeholders.
  • Web Standards (15%): robots.txt, sitemap, responsive viewport, HSTS.

The score is displayed as 0-10 with one decimal place. A score of 9+ means the site is well-built across all dimensions.

Vibe Score (0-100)

Measures how strongly a site's code matches patterns we've empirically observed in AI-assisted builds. A higher score means more of those patterns are present. This is a pattern match, not a verdict: we compare each site against signals we saw consistently across hundreds of controlled AI-generated sites and report how many of those signals are present here. Whether the site was actually built with an LLM is a separate question we can't answer from the outside.

Our detection is informed by controlled research: we generated hundreds of sites using isolated instances of multiple AI models with identical prompts, then analysed the output for statistically consistent patterns. The Vibe Score reports how many of those patterns we find on a given site.

The score combines signals in a few categories:

  • Builder fingerprints: some AI build tools leave identifiable traces in meta tags, asset URLs, or page source. When we identify the specific tool, the score reflects that certainty.
  • Code patterns: AI-generated code has distinctive patterns in comments, structure, naming, and formatting. Different models produce different but consistent patterns.
  • Page structure: AI tools produce pages with predictable layouts, class naming conventions, and content patterns that we can detect even in minified output.
  • Visual and copy signals: certain design choices, typography, and writing patterns are statistically associated with AI output based on our research data.
  • JavaScript and CSS: AI models produce characteristic code structures, variable naming conventions, and boilerplate patterns.
  • Static assets: AI-generated SVGs, stock photo usage, and placeholder content can indicate automated generation.

Known CMS and website builder platforms (Shopify, WordPress, Squarespace, Webflow, etc.) are excluded from comment-based scoring to prevent false positives from template comments.

The Vibe Score is not a judgement. Using LLMs as a build tool is a legitimate choice and plenty of well-crafted sites use AI assistance. The score simply reflects how many of the fingerprints we catalogued are present on a given page. No single signal is conclusive; the score only gets high when multiple independent signals align. A score of 0 means we detected none of the patterns, which does not necessarily mean the site wasn't AI-assisted, only that we didn't find our fingerprints. Treat it as an observation, not a grade.

Launch Readiness (0-100)

Measures whether a site is properly prepared for launch day. The basics that visitors, search engines, and social platforms expect. We check for:

  • Custom page title and meta description
  • Social sharing tags (Open Graph, Twitter cards)
  • Canonical URL
  • Mobile responsiveness
  • Production hygiene (no debug artifacts exposed)
  • Legal pages (privacy policy)
  • Basic branding (favicon)
  • Semantic HTML (proper use of nav, main, article elements)

Score is normalised to 0-100. A perfect score means all checks pass. Sites with unfilled placeholder content (e.g. default API keys, scaffold titles) receive a penalty.

Security Headers (0-6)

Counts how many recommended security headers are present in the HTTP response. We check for six modern security headers that protect against common web vulnerabilities. The legacy X-XSS-Protection header is tracked but not scored as it has been deprecated in favour of Content Security Policy.

Note: some large platforms (e.g. Google, Cloudflare) handle security at infrastructure level rather than through HTTP headers. A low header score on these sites does not necessarily indicate poor security, just that the protections are applied at a layer we cannot observe.

Infrastructure

For each site we collect infrastructure data from public sources:

  • ASN & Hosting: IP address resolved via DNS, ASN looked up via Team Cymru. Reveals the hosting provider and country.
  • SSL Certificate: TLS handshake to extract the certificate issuer, expiry date, and Subject Alternative Name count.
  • Domain Age: registration and expiry dates via RDAP (the modern WHOIS replacement). Registrar name where available.

Some TLDs (.io, .co, .me) do not support RDAP and will not have domain age data. Sites hosted on platform subdomains (e.g. .vercel.app, .netlify.app) show the platform's domain data, not the project's.

AI Stance

Classifies a site's position on AI crawlers based on their public declarations:

  • Open: actively provides content for AI systems (e.g. has an llms.txt file)
  • Blocking: explicitly blocks known AI crawlers in robots.txt
  • No stance: no public declaration either way

Technology Detection

We detect technologies from multiple sources:

  • HTTP headers: server software, CDN, hosting platform, security configuration
  • Rendered HTML: frameworks, libraries, CMS, analytics, payment providers (we execute JavaScript to see the real page)
  • CSP headers: Content Security Policy reveals which third-party services a site has whitelisted
  • Cookies: session cookies reveal backend frameworks (PHP, ASP.NET, Django, Rails, etc.)
  • DNS records: MX records reveal email providers, NS records reveal DNS hosting, TXT records reveal domain verifications (Google Search Console, Stripe, etc.), DKIM records reveal transactional and marketing email services
  • Technology fingerprints: known patterns for frameworks, libraries, and services

Screenshots

We capture a viewport screenshot of every site using a headless browser. This gives an accurate representation of how the page actually renders, including JavaScript-rendered content. Screenshots are taken at 1280x800 resolution.

Data Sources

We discover new product launches from multiple sources:

  • Product Hunt: daily launches via their API
  • Hacker News: Show HN posts via the Firebase API
  • PeerPush: recent launches via their public API

Sites on major platforms (e.g. Amazon, Netflix, Apple) and marketplace listings (e.g. Shopify app store, Chrome Web Store) are filtered out. We focus on independent products with their own websites.