Included from Free

Site Trust & Security

A trust and security scorecard for your site — before Google or a customer finds the problem.

Part of the Novaverb platform — every system runs on your own crawl, Search Console and analytics data.

Most security tools either overwhelm you with raw scanner noise or quietly guess at gaps they never actually measured. You need a trust picture built only from what your site truly exposes, with a clear fix for every finding.

Site Trust & Security scores your site's HTTP trust signals and security headers from a real crawl, and runs an automated pentest for exposed database ports and leaked backup files.

Why teams choose it

What you get

Trust at a glance

A composite trust score from real captured signals — HTTPS, headers and configuration — so you see risk before it costs you.

Automated pentest

Detect exposed database ports and leaked backup files (.sql dumps, .env, .git) that quietly leak your data.

Header coverage

HSTS, CSP and X-Frame-Options coverage graded, with the exact fix for each gap.

Capabilities

Inside Site Trust & Security

01

Weighted site trust score

A single 0-100 trust score is computed across every crawled HTML page from four weighted factors: HTTPS coverage, security-header strength, freedom from mixed content, and Cache-Control hygiene. When there are no crawled pages to observe, the score is reported as insufficient rather than a fabricated zero. Each factor shows its own coverage percentage and the exact page counts behind it.

  • HTTPS coverage weighted at 40%
  • HTTP to HTTPS redirect enforcement
  • Mixed-content pages loading http:// subresources
  • Cache-Control header coverage
02

Per-header security scorecard

Coverage is scored for the six standard response headers: Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. CSP is credited by policy strength, so a real default-src/script-src policy earns full credit while an upgrade-insecure-requests-only header is flagged as weak. A header stored as empty means the site genuinely never sent it, which is treated as a true missing finding, not a capture gap.

  • CSP scored by policy strength
  • HSTS, X-Frame-Options, nosniff coverage
  • Referrer-Policy and Permissions-Policy
  • Per-page missing-header counts
03

Ownership-gated exposure scan

For a domain you have verified you own, an active scan probes for exposed files, checks the live TLS certificate, and detects publicly open ports. It looks for leaks such as .env, .git/config, database dumps and config backups, reads the certificate issuer and days-to-expiry, and flags disclosed server banners or X-Powered-By values. For anyone else the domain stays unverified, so these signals read as not checked and never dock the score with a failure that was never measured.

  • Exposed .env, .git and backup-file probes
  • Live TLS validity, issuer and expiry
  • Open-port detection (FTP, Telnet, database, Redis)
  • Server banner and X-Powered-By disclosure
Real data

What you can see

Concrete signals this system surfaces — measured, never fabricated.

HTTPS coverage across all crawled pagesHTTP to HTTPS redirect enforcementSix-header coverage with CSP strength gradingMixed-content pages on secure URLsCache-Control header hygieneExposed .env, .git and database-dump probesLive TLS certificate validity and expiry windowOpen-port and server-banner disclosure
How it works

From signal to action

1

Crawl the site

Every HTML page's HTTPS status, response headers and mixed-content signals are captured during the crawl.

2

Score the factors

HTTPS coverage, header strength, mixed content and cache hygiene are combined into one weighted trust score.

3

Verify ownership

For a domain you have verified, an active scan adds live TLS, open-port and exposed-file checks.

4

Fix each finding

Every issue arrives as an atom with evidence and a copy-ready server-config fix.

What's included

Security Headers

In your plan

Automated pentest (exposed ports & backup leaks) on Pro+
Compare plans →
Who it's for

Built for how you work

Site owner

Get one honest trust score and a prioritized list of the exact headers and exposures to fix first.

Agency or consultant

Run a repeatable HTTP-level security audit on a client site and hand over evidence-backed remediation steps.

Developer

Confirm that HTTPS is enforced, security headers are set, and no config or backup files are publicly reachable before launch.

The honest difference

Built to be trusted

No crawled pages means an honest insufficient state, never a fabricated zero-score at-risk verdict.
The active TLS, port and leak scan runs only on a domain you have verified you own, so others see not checked rather than a false fail.
Every finding carries real evidence and a copy-ready fix, such as the exact server directive to hide a version banner.
FAQ

Common questions

Do you access my server over SSH?

No. All checks are HTTP-level and network-level; the scan detects publicly open ports but never logs in or touches the filesystem.

Why is a header shown as missing when I think I set it?

The scorecard reads the value actually captured on each page; an empty value means that page did not send the header in its response.

What happens if a certificate probe times out?

It is reported as not checked, not as an invalid certificate, so a connection we could not complete never fabricates a failure.

Why can't I see the active exposure scan?

The exposed-file, TLS and port scan only runs once you have verified ownership of the domain, which keeps active probing to sites you control.

Site Trust & Security, and the whole platform behind it.

Request your invite to start, or see exactly what's included at each tier.