Security glossary
Plain-English definitions for every signal in a trust report.
Security headers
- HSTSHTTP Strict Transport Security
- A response header that tells browsers to only reach this site over HTTPS for a set period, preventing accidental downgrades and cookie theft on hostile networks.
- CSPContent Security Policy
- A header that limits which scripts, styles, and other resources the browser will load. A strong CSP shrinks the blast radius of XSS bugs and malicious third-party code.
- X-Frame-OptionsClickjacking protection
- Tells browsers whether the page can be embedded in an iframe. Prevents clickjacking attacks where an invisible overlay tricks users into clicking hidden buttons.
- X-Content-Type-OptionsMIME sniffing protection
- The value 'nosniff' stops browsers from guessing content types, which blocks a class of attacks that upload script disguised as an image.
- Referrer-PolicyReferrer leakage control
- Controls how much URL information is sent to other sites when a user clicks a link, protecting query-string tokens and internal paths.
- Permissions-PolicyBrowser feature policy
- Declares which browser features (camera, mic, geolocation, etc.) the site itself and embedded third-parties are allowed to use.
Email security
- SPFSender Policy Framework
- A DNS TXT record listing which servers are allowed to send email for a domain. Missing or overly permissive SPF makes spoofing trivial.
- DKIMDomainKeys Identified Mail
- Cryptographically signs outbound email so receiving servers can verify the message wasn't tampered with and really came from the claimed domain.
- DMARCDomain-based Message Authentication
- Builds on SPF and DKIM: tells receivers what to do with mail that fails checks (none, quarantine, reject) and where to send reports. 'p=reject' is the strongest.
Infrastructure
- RDAPRegistration Data Access Protocol
- The modern replacement for WHOIS. Returns structured JSON about a domain's registrar, creation date, expiry, and status codes.
- DNS-over-HTTPSEncrypted DNS lookups
- Resolves domain names over HTTPS instead of plain UDP, so ISPs and networks can't easily inspect or tamper with the lookups.
- Certificate TransparencyPublic log of every SSL certificate
- Certificate authorities publish every certificate they issue to public append-only logs. Tools like crt.sh let anyone audit which certificates exist for a domain.
- CDNContent Delivery Network
- A network of edge servers that cache content close to users. Presence of a reputable CDN correlates with operational maturity and DDoS resilience.
Trust signals
- Domain ageTime since registration
- Very young domains (days to weeks) are disproportionately used for phishing and scams. Age alone doesn't prove safety, but it's a strong prior.
Discoverability
- robots.txtCrawler directive file
- Instructs search engines and bots which paths to avoid. Presence is a small transparency signal; contents can leak internal paths.