Site Trust & Security
A trust and security scorecard for your site — before Google or a customer finds the problem.
Most security tools either overwhelm you with raw scanner noise or quietly guess at gaps they never actually measured. You need a trust picture built only from what your site truly exposes, with a clear fix for every finding.
Site Trust & Security scores your site's HTTP trust signals and security headers from a real crawl, and runs an automated pentest for exposed database ports and leaked backup files.
What you get
Trust at a glance
A composite trust score from real captured signals — HTTPS, headers and configuration — so you see risk before it costs you.
Automated pentest
Detect exposed database ports and leaked backup files (.sql dumps, .env, .git) that quietly leak your data.
Header coverage
HSTS, CSP and X-Frame-Options coverage graded, with the exact fix for each gap.
Inside Site Trust & Security
Weighted site trust score
A single 0-100 trust score is computed across every crawled HTML page from four weighted factors: HTTPS coverage, security-header strength, freedom from mixed content, and Cache-Control hygiene. When there are no crawled pages to observe, the score is reported as insufficient rather than a fabricated zero. Each factor shows its own coverage percentage and the exact page counts behind it.
- HTTPS coverage weighted at 40%
- HTTP to HTTPS redirect enforcement
- Mixed-content pages loading http:// subresources
- Cache-Control header coverage
Per-header security scorecard
Coverage is scored for the six standard response headers: Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. CSP is credited by policy strength, so a real default-src/script-src policy earns full credit while an upgrade-insecure-requests-only header is flagged as weak. A header stored as empty means the site genuinely never sent it, which is treated as a true missing finding, not a capture gap.
- CSP scored by policy strength
- HSTS, X-Frame-Options, nosniff coverage
- Referrer-Policy and Permissions-Policy
- Per-page missing-header counts
Ownership-gated exposure scan
For a domain you have verified you own, an active scan probes for exposed files, checks the live TLS certificate, and detects publicly open ports. It looks for leaks such as .env, .git/config, database dumps and config backups, reads the certificate issuer and days-to-expiry, and flags disclosed server banners or X-Powered-By values. For anyone else the domain stays unverified, so these signals read as not checked and never dock the score with a failure that was never measured.
- Exposed .env, .git and backup-file probes
- Live TLS validity, issuer and expiry
- Open-port detection (FTP, Telnet, database, Redis)
- Server banner and X-Powered-By disclosure
What you can see
Concrete signals this system surfaces — measured, never fabricated.
From signal to action
Crawl the site
Every HTML page's HTTPS status, response headers and mixed-content signals are captured during the crawl.
Score the factors
HTTPS coverage, header strength, mixed content and cache hygiene are combined into one weighted trust score.
Verify ownership
For a domain you have verified, an active scan adds live TLS, open-port and exposed-file checks.
Fix each finding
Every issue arrives as an atom with evidence and a copy-ready server-config fix.
What's included
Built for how you work
Get one honest trust score and a prioritized list of the exact headers and exposures to fix first.
Run a repeatable HTTP-level security audit on a client site and hand over evidence-backed remediation steps.
Confirm that HTTPS is enforced, security headers are set, and no config or backup files are publicly reachable before launch.
Built to be trusted
Common questions
Do you access my server over SSH?
No. All checks are HTTP-level and network-level; the scan detects publicly open ports but never logs in or touches the filesystem.
Why is a header shown as missing when I think I set it?
The scorecard reads the value actually captured on each page; an empty value means that page did not send the header in its response.
What happens if a certificate probe times out?
It is reported as not checked, not as an invalid certificate, so a connection we could not complete never fabricates a failure.
Why can't I see the active exposure scan?
The exposed-file, TLS and port scan only runs once you have verified ownership of the domain, which keeps active probing to sites you control.
Site Trust & Security, and the whole platform behind it.
Request your invite to start, or see exactly what's included at each tier.