Sample Report
This is a sample of what a Website Trust & Security Snapshot report looks like when you order one for your website. Actual reports are customized to your website and business context.
Website Trust & Security Snapshot
example-shop.com · Assessment Date: 2026-05-14
Grade: C (62/100)
Executive Summary
example-shop.com has a working HTTPS setup (good), but is missing two critical security headers: CSP and HSTS. These gaps increase the risk of client-side attacks and could affect customer trust. Email authentication (SPF) is properly configured, but the DMARC policy is in monitoring-only mode, meaning email spoofing is still possible. No sensitive files were found exposed. Overall trust score: 62/100 (Grade C).
Detailed Findings
HTTPS Enabled
Your website is served over HTTPS with a valid TLS certificate. All traffic is encrypted.
Recommendation: Maintain HTTPS. Ensure auto-renewal of TLS certificate (current expiry: 89 days).
Content-Security-Policy Header
The CSP header is missing. Without CSP, your site is more vulnerable to cross-site scripting (XSS) and data injection attacks. This can affect customer trust and Google ranking.
Status: Not present
Recommendation: Add a Content-Security-Policy header. Start with a report-only policy, monitor violations, then enforce.
HSTS (HTTP Strict-Transport-Security)
HSTS header is missing. Browsers won't know to always use HTTPS for your domain, increasing the risk of man-in-the-middle attacks.
Status: Not present
Recommendation: Add the Strict-Transport-Security header with a max-age of at least 31536000 (1 year).
DMARC Record
DMARC record exists but policy is set to "none" (monitoring only). Emails that fail SPF/DKIM are not rejected, meaning your domain can still be spoofed.
Current record: v=DMARC1; p=none; rua=mailto:[email protected]
Recommendation: After confirming legitimate email sources in DMARC reports, change the policy from p=none to p=quarantine, then eventually to p=reject.
SPF Record
SPF record is present with a hard fail policy (-all). Unauthorized servers will be rejected.
Recommendation: Review authorized sending services periodically to ensure the SPF record stays current.
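As an added illustration, not part of the sample report or the service's own tooling, the following Python evaluates the header, DMARC and SPF findings above offline: whether CSP and HSTS are present (and whether the HSTS max-age meets the one-year minimum), which p= policy a DMARC record carries, and which qualifier an SPF record's "all" mechanism uses. The function names and the constructed sample inputs are assumptions.

```python
"""Offline checks for the CSP/HSTS, DMARC and SPF findings in the snapshot."""
import re

HSTS_MIN_AGE = 31536000  # one year, the minimum max-age the report recommends


def check_headers(headers: dict) -> list[str]:
    """Return findings for the security headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("CSP: report-only (not yet enforced)")
        else:
            findings.append("CSP: not present")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: not present")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            findings.append(f"HSTS: max-age {age} below {HSTS_MIN_AGE}")
    return findings


def dmarc_policy(record: str) -> str:
    """Parse a DMARC TXT record and return its p= policy (none/quarantine/reject)."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").strip().lower()


def spf_qualifier(record: str) -> str:
    """Return the qualifier of the SPF 'all' mechanism: '-' hard fail, '~' soft fail, '?' neutral, '+' pass."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not record.startswith("v=spf1") or not m:
        raise ValueError("not an SPF record with an 'all' mechanism")
    return m.group(1) or "+"


# Constructed sample inputs mirroring the example-shop.com findings (not real records).
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-shop.com"
SAMPLE_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS))   # both CSP and HSTS reported missing
    print(dmarc_policy(SAMPLE_DMARC), spf_qualifier(SAMPLE_SPF))  # none -
```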
robots.txt Present
robots.txt file found and includes a Sitemap reference. No sensitive paths exposed.
Recommendation: No action needed. This is good practice for search engines and security transparency.
security.txt Not Found
No security.txt file was found at /.well-known/security.txt. This file is recommended by RFC 9116 to help security researchers know how to report vulnerabilities.
Recommendation: Consider adding a security.txt file with a contact email for security issue reports.
Public .env File Exposure
No .env, .git/config, backup archives, or other sensitive files found exposed on the web server.
Recommendation: Continue good practices: keep configuration files out of the web root.
This is a sample report for demonstration purposes. Real assessments are customized to your website and include business-impact context, prioritized recommendations, and specific remediation guidance. Written authorization is required before any real assessment.
Want a Real Report for Your Website?
Every report includes business-focused findings, practical guidance, and a score you can track over time.