Skip to main content

Security glossary

Plain-English definitions for every signal in a trust report.

Security headers

HSTSHTTP Strict Transport Security
A response header that tells browsers to only reach this site over HTTPS for a set period, preventing accidental downgrades and cookie theft on hostile networks.
CSPContent Security Policy
A header that limits which scripts, styles, and other resources the browser will load. A strong CSP shrinks the blast radius of XSS bugs and malicious third-party code.
X-Frame-OptionsClickjacking protection
Tells browsers whether the page can be embedded in an iframe. Prevents clickjacking attacks where an invisible overlay tricks users into clicking hidden buttons.
X-Content-Type-OptionsMIME sniffing protection
The value 'nosniff' stops browsers from guessing content types, which blocks a class of attacks that upload script disguised as an image.
Referrer-PolicyReferrer leakage control
Controls how much URL information is sent to other sites when a user clicks a link, protecting query-string tokens and internal paths.
Permissions-PolicyBrowser feature policy
Declares which browser features (camera, mic, geolocation, etc.) the site itself and embedded third-parties are allowed to use.

Email security

SPFSender Policy Framework
A DNS TXT record listing which servers are allowed to send email for a domain. Missing or overly permissive SPF makes spoofing trivial.
DKIMDomainKeys Identified Mail
Cryptographically signs outbound email so receiving servers can verify the message wasn't tampered with and really came from the claimed domain.
DMARCDomain-based Message Authentication
Builds on SPF and DKIM: tells receivers what to do with mail that fails checks (none, quarantine, reject) and where to send reports. 'p=reject' is the strongest.

Infrastructure

RDAPRegistration Data Access Protocol
The modern replacement for WHOIS. Returns structured JSON about a domain's registrar, creation date, expiry, and status codes.
DNS-over-HTTPSEncrypted DNS lookups
Resolves domain names over HTTPS instead of plain UDP, so ISPs and networks can't easily inspect or tamper with the lookups.
Certificate TransparencyPublic log of every SSL certificate
Certificate authorities publish every certificate they issue to public append-only logs. Tools like crt.sh let anyone audit which certificates exist for a domain.
CDNContent Delivery Network
A network of edge servers that cache content close to users. Presence of a reputable CDN correlates with operational maturity and DDoS resilience.

Trust signals

Domain ageTime since registration
Very young domains (days to weeks) are disproportionately used for phishing and scams. Age alone doesn't prove safety, but it's a strong prior.

Discoverability

robots.txtCrawler directive file
Instructs search engines and bots which paths to avoid. Presence is a small transparency signal; contents can leak internal paths.