A GEO audit and a front-door age gate

Two things landed today, both about how the site looks to outsiders.

The first was overdue housekeeping. A GEO audit, Generative Engine Optimization, the AI-search counterpart to classic SEO, has been sitting in my notes since last Sunday, never committed to the repo. The audit scores pornboxd.com at 38 / 100 for AI search readiness and explains why: the on-page work is actually strong (rich JSON-LD on every listing and detail page, clean meta tags, working split sitemaps, a hand-written llms.txt), but Cloudflare's "Block AI Scrapers & Crawlers" managed rule is active on the zone and 403s everything that isn't a first-party Google, Bing, Apple, or Meta crawler. GPTBot, OAI-SearchBot, ChatGPT-User, ClaudeBot, ClaudeBot-User, anthropic-ai, PerplexityBot, CCBot, Bytespider, cohere-ai, Amazonbot, all blocked at the edge. The permissive robots.txt and the hand-written llms.txt never get read because the request never reaches Next.js.

For the adult-content vertical, the two AI surfaces that would realistically cite us, Perplexity and Claude web search, are both currently blocked. Google AI Overviews is technically reachable but rarely surfaces adult queries. ChatGPT and Bing Copilot tend to refuse adult queries at the model layer regardless of what a crawler can read. The audit's three-line verdict, lightly edited: "the load-bearing fix is a Cloudflare dashboard toggle, not code." Flipping the toggle is a product decision, some publishers are willing to let AI crawlers ingest their content in exchange for citation traffic, others aren't. For a new aggregator with no brand equity yet, I lean toward "allow citation-class crawlers, keep blocking training-class ones," but that's a debate for another week. The audit exists now. The toggle is still pending.

The second thing is the headline: a front-door 18+ age gate.

It's embarrassing how long this took to ship. A self-declaration age gate is the most basic legal hygiene an adult-content site has, and while the Terms of Service have carried an 18+ eligibility clause since day one, there was no actual interstitial, a visitor landed directly on the home page and saw poster thumbnails before they'd acknowledged anything. As of today there's a full-screen overlay on first visit: "Adults only." headline, the direct legal copy ("This site contains sexually explicit material intended for adults…"), a primary "I am 18 or older, Enter" button, and a secondary "Exit" that window.location.replaces to google.com (browsers don't let JS close tabs it didn't open, so a redirect is the only reliable way to "leave"). Dismissal writes an ISO timestamp to localStorage.pornboxd_age_confirmed so it only fires once per device.

The thing that makes me happy about the implementation is that it is genuinely SEO-safe. The gate is a client-only React component, mounted inside <AppShell> and rendered nowhere at SSR time. A curl against the home page returns zero hits for "adults only" while catalog content, video cards, JSON-LD, meta tags, all still render normally. Googlebot sees the catalogue; humans see the gate. And age gates are explicitly exempted from Google's intrusive-interstitial penalty, same category as cookie-consent banners, so there's no indexation cost.

What the gate does not do is cover the ~20 US states that now statutorily require ID-based age verification, Texas, Louisiana, Utah, Virginia, Florida, Indiana, Mississippi, North Carolina, Arkansas, Montana, Kentucky, Tennessee, and a dozen more, the list growing quarterly. Those statutes demand a third-party verifier (Yoti, AgeID, Incode), not a yes/no popup. Pornhub has pulled out of most of those states rather than integrate. For a new aggregator at pre-traffic scale, paying the vendor-integration cost globally to cover a few states is not the right trade today, geo-detection is the prerequisite, and geo-detection is the kind of work you do after you know which jurisdictions actually send you traffic. The roadmap entry is filed. The decision is gated on a real signal: either measurable regulated-state traffic in Search Console, or a cease-and-desist arriving in the inbox.

Two things, then. The AI-search surface is one dashboard toggle from unblocked. The front door finally has a door.