Free trust-signals checker

Client Website Trust Check

Passively check public trust signals on any client website — HTTPS, TLS health, security headers, cookie flags, and DNS trust records.

No signup. No scanning. No vulnerability claims. We check what is publicly visible in the server response.

This check reports publicly visible trust signals only. It is not a security audit, vulnerability scan, penetration test, or compliance assessment. Signals not visible in the server response we checked may be enforced at other layers.

Enter a publicly accessible URL. We check the root domain for HTTPS, TLS, headers, cookies, security.txt, robots.txt, and CAA records.

What this checks

  • HTTP → HTTPS redirect
  • TLS certificate presence and expiry
  • TLS certificate issuer
  • Strict-Transport-Security (HSTS)
  • X-Content-Type-Options
  • X-Frame-Options / CSP frame-ancestors
  • Referrer-Policy
  • Permissions-Policy
  • Content-Security-Policy
  • Cookie Secure and HttpOnly flags
  • security.txt (RFC 9116)
  • robots.txt
  • sitemap.xml
  • CAA DNS record

What this does not check

  • Vulnerabilities or exploits
  • Malware or suspicious code
  • SPF / DMARC / DKIM (use Inbox Pulse)
  • WordPress plugin versions
  • Port scanning
  • Server fingerprinting
  • JavaScript-rendered content
  • Legal compliance (GDPR, HIPAA, etc.)
  • Penetration test findings

Frequently Asked Questions

What does a trust check score mean?

The score reflects how many publicly visible trust signals are present in the server response. A high score means the site exposes security headers, HTTPS enforcement, cookie protection flags, and DNS trust records that browsers, crawlers, and security tools expect to see. It is not a security audit.

Does this tool claim a site is secure or insecure?

No. This tool only reports publicly visible signals. A site can have strong trust signals and still have vulnerabilities, or it can lack some signals and still be secure in other ways. We report what is visible — nothing more.

What is security.txt?

security.txt (RFC 9116) is a standard file at /.well-known/security.txt that tells security researchers how to report vulnerabilities to the site owner. Its absence is not a security flaw, but publishing one is considered a good practice for any organization.

Why does cookie flag checking only look at the homepage?

We check the Set-Cookie headers returned on the homepage response. Cookies set on other pages, after login, or via JavaScript are not visible in this passive check. This is a limitation of a single passive request, not a full crawl; a cookie flag issue reported here indicates a likely pattern worth investigating further.
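As an added example (not the tool's own code), here is a passive Python checker for the header-based signals in the "What this checks" list and the cookie flags discussed above, run over constructed sample headers; like the tool, it reports presence only and makes no security claim.

```python
import re

# Constructed sample response headers (not from any real site), kept as a list of
# (name, value) pairs so repeated Set-Cookie headers survive, the way
# http.client's getheaders() returns them.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

def _get(headers, name):
    """First value of a header, case-insensitive; '' if absent."""
    return next((v for k, v in headers if k.lower() == name), "")

def check_headers(headers):
    """Presence checks for the header-based trust signals the tool lists."""
    hsts = re.search(r"max-age=(\d+)", _get(headers, "strict-transport-security"))
    csp = _get(headers, "content-security-policy").lower()
    nosniff = _get(headers, "x-content-type-options").strip().lower() == "nosniff"
    return {
        "hsts": bool(hsts) and int(hsts.group(1)) > 0,   # HSTS with a positive max-age
        "x-content-type-options": nosniff,
        # Either legacy X-Frame-Options or the CSP frame-ancestors directive counts.
        "framing": bool(_get(headers, "x-frame-options")) or "frame-ancestors" in csp,
        "referrer-policy": bool(_get(headers, "referrer-policy")),
        "permissions-policy": bool(_get(headers, "permissions-policy")),
        "csp": bool(csp),
    }

def check_cookies(headers):
    """Secure / HttpOnly attributes for every Set-Cookie on the response."""
    findings = {}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[name] = {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return findings

def score(headers):
    """(present, total): six header signals plus Secure and HttpOnly per cookie."""
    signals = list(check_headers(headers).values())
    for flags in check_cookies(headers).values():
        signals.extend(flags.values())
    return sum(signals), len(signals)

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS), check_cookies(SAMPLE_HEADERS), score(SAMPLE_HEADERS))
```

The sample scores 7 of 10: Permissions-Policy is missing and the `theme` cookie carries neither flag, which is exactly the kind of homepage-only finding the FAQ says to follow up rather than treat as a verdict.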

What is a CAA record?

A CAA (Certificate Authority Authorization) DNS record tells certificate authorities which CAs are permitted to issue TLS certificates for your domain. Without a CAA record, any trusted CA can issue a certificate. Adding one reduces the risk of misissued certificates.

Does this tool scan for vulnerabilities?

No. This is a passive check of publicly visible response headers, certificate data, DNS records, and well-known files. It does not perform port scanning, inject payloads, test authentication, analyze source code, or attempt to find exploitable conditions.

What happens to URLs I submit?

We fetch the site server-side to perform the check. We do not store the URL, log it, or associate it with your session. Results are cached in memory for up to 60 seconds to avoid redundant fetches to the same domain.