Trust Score Remediation Guide

Step-by-step instructions to fix every trust check and improve your score.

Technical Security

SSL Certificate

  1. Install a free SSL certificate from Let's Encrypt using Certbot: sudo certbot --nginx -d yourdomain.com
  2. If using a hosting panel (cPanel, Plesk), use the built-in SSL tool to issue a Let's Encrypt certificate.
  3. Verify the certificate is working by visiting https://yourdomain.com — the browser should show a padlock icon.
  4. If using Cloudflare, enable Full (Strict) SSL mode under SSL/TLS settings.

HTTPS Redirect

  1. For Nginx, add to your server block: return 301 https://$host$request_uri;
  2. For Apache, add these three directives to .htaccess, one per line: RewriteEngine On / RewriteCond %{HTTPS} off / RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  3. For Caddy, HTTPS redirect is automatic — no configuration needed.
  4. Test by visiting http://yourdomain.com — it should redirect to https://yourdomain.com.

HSTS (Strict Transport Security)

  1. For Nginx, add to your server block: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  2. For Apache, add to .htaccess: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  3. For Caddy, add to your Caddyfile: header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  4. Once confirmed working, submit your domain to hstspreload.org for browser preload list inclusion.

Content Security Policy (CSP)

  1. Start with a restrictive base policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
  2. For Nginx: add_header Content-Security-Policy "your-policy-here" always;
  3. For Caddy: header Content-Security-Policy "your-policy-here"
  4. Test your site after adding CSP. If features break, add specific domains to the relevant directive (e.g., script-src 'self' https://cdn.example.com).
  5. Use browser developer tools Console tab to identify CSP violations and adjust the policy accordingly.

X-Frame-Options

  1. For Nginx: add_header X-Frame-Options "SAMEORIGIN" always;
  2. For Apache: Header always set X-Frame-Options "SAMEORIGIN"
  3. For Caddy: header X-Frame-Options "SAMEORIGIN"
  4. Use DENY instead of SAMEORIGIN if your site should never appear in an iframe.

X-Content-Type-Options

  1. For Nginx: add_header X-Content-Type-Options "nosniff" always;
  2. For Apache: Header always set X-Content-Type-Options "nosniff"
  3. For Caddy: header X-Content-Type-Options "nosniff"
  4. This stops browsers from MIME-type sniffing, which can otherwise make a browser treat a response as a different type than the server declared and lead to security vulnerabilities.

Referrer Policy

  1. For Nginx: add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  2. For Apache: Header always set Referrer-Policy "strict-origin-when-cross-origin"
  3. For Caddy: header Referrer-Policy "strict-origin-when-cross-origin"
  4. This controls how much referrer information is sent with requests and navigations that leave your site.

Permissions Policy

  1. For Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
  2. For Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  3. For Caddy: header Permissions-Policy "camera=(), microphone=(), geolocation=()"
  4. Add additional restrictions as needed: payment=(), usb=(), magnetometer=(), gyroscope=()

Server Header Safe

  1. For Nginx, hide the version: server_tokens off; in your nginx.conf http block.
  2. For Apache: ServerTokens Prod and ServerSignature Off in httpd.conf.
  3. Avoid exposing X-Powered-By headers — in Express.js: app.disable('x-powered-by');
  4. The goal is to prevent attackers from identifying your exact server software and version.
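To confirm the header checks above (HSTS through Server Header Safe) before a rescan, the following added example audits a captured set of response headers offline. It is not part of this guide or the AI-Signed scanner; the header values are constructed, and the pass criteria are taken from the directives listed above.

```python
"""Offline audit of HTTP response headers against the header checks in this guide."""
import re

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

# Constructed sample: roughly what `curl -I` would show for a site that set every header
# from this guide but skipped server_tokens off and app.disable('x-powered-by').
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Server": "nginx/1.24.0",
    "X-Powered-By": "Express",
}

def audit_headers(headers):
    """Return {check: (passed, detail)}; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    # HSTS: max-age of at least one year plus includeSubDomains, as in the guide's directive.
    hsts = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", hsts)
    max_age = int(m.group(1)) if m else 0
    subs = "includesubdomains" in hsts
    results["hsts"] = (max_age >= ONE_YEAR and subs, f"max-age={max_age}, includeSubDomains={subs}")
    # CSP: a policy without default-src leaves every unlisted fetch directive unrestricted.
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    has_default = "default-src" in directives
    results["csp"] = (has_default, "default-src set" if has_default else "no default-src fallback")
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or the CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    framed_ok = xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in directives
    results["frame_options"] = (framed_ok, xfo or ("frame-ancestors via CSP" if framed_ok else "missing"))
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    results["nosniff"] = (nosniff, "nosniff" if nosniff else "missing")
    ref = h.get("referrer-policy", "").lower()
    results["referrer_policy"] = (ref in SAFE_REFERRER, ref or "missing")
    pp = h.get("permissions-policy", "").replace(" ", "")
    denied = [f for f in ("camera", "microphone", "geolocation") if f"{f}=()" in pp]
    results["permissions_policy"] = (len(denied) == 3, "denied: " + ",".join(denied))
    # Server header safe: no version number in Server and no X-Powered-By header at all.
    server = h.get("server", "")
    leaks = bool(re.search(r"\d+\.\d+", server))
    powered = "x-powered-by" in h
    results["server_header_safe"] = (not leaks and not powered,
                                     f"Server={server or '(none)'}, X-Powered-By={powered}")
    return results

def score(results):
    """Count (passed, total) over an audit's results."""
    return sum(1 for ok, _ in results.values() if ok), len(results)
```

Feed it the headers from curl -I (or a browser's Network tab) to see which of the checks above still fail; the sample passes six of seven because of the leaked nginx version and the X-Powered-By header.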

TLS Version

  1. For Nginx: ssl_protocols TLSv1.2 TLSv1.3; (disable TLSv1.0 and TLSv1.1)
  2. For Apache: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  3. For Caddy: TLS 1.2+ is the default — no changes needed.
  4. Test your TLS configuration at ssllabs.com/ssltest — aim for an A or A+ rating.

Cipher Strength

  1. For Nginx: ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
  2. Add ssl_prefer_server_ciphers off; to let modern clients choose the best cipher.
  3. For Apache: SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4
  4. 256-bit AES-GCM ciphers with TLS 1.3 provide the best security.

Trusted Certificate Issuer

  1. Use a certificate from a trusted Certificate Authority (CA) like Let's Encrypt, DigiCert, or Sectigo.
  2. Never use self-signed certificates in production — they are not trusted by browsers or crawlers.
  3. Let's Encrypt is free and automated: sudo certbot certonly --nginx -d yourdomain.com
  4. Set up automatic renewal: run sudo certbot renew --dry-run to verify, then schedule certbot renew with a cron job or systemd timer.

Certificate Expiry

  1. Check your certificate expiry: echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
  2. Set up automatic renewal with Certbot: certbot renew runs via cron or systemd timer.
  3. For Caddy, certificate renewal is fully automatic — no action needed.
  4. Set a calendar reminder 2 weeks before expiry as a backup in case auto-renewal fails.

DNS Resolution

  1. Log into your domain registrar and ensure A records point to your server's IP address.
  2. Verify with: nslookup yourdomain.com 8.8.8.8 — it should return your server IP.
  3. If using a CDN like Cloudflare, ensure the DNS record is proxied (orange cloud) or direct as needed.
  4. DNS changes can take up to 48 hours to propagate, but typically complete within 15 minutes.

MX Records

  1. Log into your domain registrar's DNS management panel.
  2. Add MX records pointing to your email provider (e.g., for Google Workspace: ASPMX.L.GOOGLE.COM with priority 1).
  3. For MXroute: add heracles.mxrouting.net (priority 10) and heracles-relay.mxrouting.net (priority 20).
  4. Verify with: nslookup -type=MX yourdomain.com 8.8.8.8

SPF Record

  1. Add a TXT record at your domain root with your SPF policy.
  2. Example for MXroute: v=spf1 include:mxroute.com -all
  3. Example for Google Workspace: v=spf1 include:_spf.google.com -all
  4. Use -all (hard fail) instead of ~all (soft fail) for strongest protection.
  5. Verify with: nslookup -type=TXT yourdomain.com 8.8.8.8 | grep spf

DKIM Record

  1. Generate a DKIM key pair through your email provider's admin panel.
  2. For MXroute: find your DKIM public key in the cPanel Email Deliverability section.
  3. Add a TXT record at selector._domainkey.yourdomain.com with the public key value.
  4. Common selectors: 'default', 'google', 'selector1', 'x', 'mail' — your provider will specify which to use.
  5. Verify with: nslookup -type=TXT selector._domainkey.yourdomain.com 8.8.8.8

DMARC Record

  1. Add a TXT record at _dmarc.yourdomain.com
  2. Recommended value: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
  3. Start with p=none to monitor, then move to p=quarantine, then p=reject once confirmed.
  4. The rua= address receives aggregate reports showing who is sending email as your domain.
  5. Verify with: nslookup -type=TXT _dmarc.yourdomain.com 8.8.8.8

DNSSEC

  1. Log into your domain registrar (e.g., Namecheap, Cloudflare, GoDaddy).
  2. Look for 'DNSSEC' in the domain settings — enable it with one click on most registrars.
  3. If your DNS is hosted separately from the registrar, you'll need to add DS records at the registrar pointing to your DNS provider's DNSSEC keys.
  4. Verify with: dig +dnssec yourdomain.com or check at dnsviz.net

CAA Records

  1. Add CAA DNS records to restrict which Certificate Authorities can issue certificates for your domain.
  2. For Let's Encrypt only: add two CAA records — 0 issue "letsencrypt.org" and 0 issuewild "letsencrypt.org"
  3. In your DNS management panel, create a CAA record with flag 0, tag 'issue', value 'letsencrypt.org'.
  4. Verify with: dig CAA yourdomain.com or nslookup -type=CAA yourdomain.com 8.8.8.8
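The nslookup and dig commands in the SPF, DMARC and CAA sections print the record values but do not judge them. The following added example (not part of this guide or the scanner) applies the recommendations above to record values pasted from those commands: SPF must end in -all, DMARC should reach p=reject with a mailto: rua, and CAA should name only your CA. The sample values are constructed and use example.com.

```python
"""Offline checks of SPF, DMARC and CAA record values against this guide's recommendations."""

# Constructed sample values, shaped like what `nslookup -type=TXT` and `dig CAA` return.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
SAMPLE_CAA = ['0 issue "letsencrypt.org"', '0 issuewild "letsencrypt.org"']

def check_spf(txt):
    """Return (ok, reason); ok only for a v=spf1 record ending in the hard-fail -all."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    last = terms[-1].lower()
    if last == "-all":
        return True, "hard fail (-all)"
    if last == "~all":
        return False, "soft fail (~all): change to -all"
    if last in ("+all", "all", "?all"):
        return False, f"{last} lets anyone send as your domain"
    return False, "no 'all' mechanism: append -all"

def check_dmarc(txt):
    """Return (policy, ok, has_rua); ok when p=reject, the guide's end-state policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None, False, False
    policy = tags.get("p", "none").lower()      # a missing p tag behaves like monitoring only
    return policy, policy == "reject", tags.get("rua", "").startswith("mailto:")

def check_caa(records, allowed_ca="letsencrypt.org"):
    """Return (ok, issuers). ok means only allowed_ca may issue normal and wildcard certs.
    An absent issuewild tag falls back to issue, so an empty issuewild set is acceptable."""
    issuers = {"issue": set(), "issuewild": set()}
    for rec in records:
        parts = rec.split(None, 2)              # "<flag> <tag> <quoted value>"
        if len(parts) != 3:
            continue
        _flag, tag, value = parts
        tag = tag.lower()
        if tag in issuers:
            # Strip quotes and any ";parameters" so only the CA domain remains.
            issuers[tag].add(value.strip('"').split(";")[0].strip())
    ok = issuers["issue"] == {allowed_ca} and issuers["issuewild"] <= {allowed_ca}
    return ok, {tag: sorted(cas) for tag, cas in issuers.items()}
```

The sample SPF and DMARC values deliberately sit at the intermediate stage (~all and p=quarantine) so the output shows what still needs tightening.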

Content Quality

Privacy Policy

  1. Create a /privacy page on your website describing how you collect, use, and protect user data.
  2. Include sections on: data collection, cookies, third-party services, user rights, and contact information.
  3. Free generators like privacypolicygenerator.info can create a starting template — customize it for your site.
  4. Link to the privacy policy from your website footer so it's accessible from every page.

Terms of Service

  1. Create a /terms page outlining the rules and conditions for using your website or service.
  2. Include sections on: acceptable use, intellectual property, liability limitations, and governing law.
  3. Free generators like termsofservicegenerator.net can create a starting template — customize it for your business.
  4. Link to the terms of service from your website footer alongside your privacy policy.

Contact Page

  1. Create a /contact page with at least one way for visitors to reach you.
  2. Include an email address, contact form, phone number, or physical address.
  3. Add a link to the contact page in your website header or footer navigation.
  4. A visible contact page builds trust by showing there are real people behind the website.

Meta Description

  1. Add a <meta name="description" content="..."> tag in the <head> of your homepage.
  2. Keep it between 150 and 160 characters and accurately describe your site's purpose.
  3. Example: <meta name="description" content="Professional IT services and computer repair in Lake Forest, CA. On-site and remote support for businesses and individuals.">
  4. Each page should have a unique meta description — avoid duplicates.

Favicon

  1. Create a square icon (at least 32x32 pixels, ideally 512x512) representing your brand.
  2. Use realfavicongenerator.net to generate all favicon sizes and formats from a single image.
  3. Add the generated files to your site root and the <link> tags to your HTML <head>.
  4. At minimum: <link rel="icon" href="/favicon.ico"> in your <head> tag.

No Mixed Content

  1. Open your site in Chrome, press F12, and check the Console tab for 'Mixed Content' warnings.
  2. Change all http:// resource URLs (images, scripts, styles) to https:// or use protocol-relative //.
  3. If you use a CMS like WordPress, use the 'Better Search Replace' plugin to update all URLs in the database.
  4. Add upgrade-insecure-requests to your CSP header to automatically upgrade HTTP requests: Content-Security-Policy: upgrade-insecure-requests

Content Quality

  1. Ensure your homepage has at least 300 words of meaningful, original content.
  2. Describe your business, services, or purpose clearly for both humans and search engines.
  3. Avoid thin or placeholder content — each page should provide genuine value to visitors.
  4. Use proper HTML headings (h1, h2, h3) to structure your content logically.

Reputation

Domain Age

  1. Domain age is a trust signal that improves naturally over time — there is no shortcut.
  2. Newer domains (under 1 year) receive lower scores. Domains over 5 years receive full points.
  3. Avoid letting your domain expire and re-registering it, as this resets the age signal.
  4. Register your domain for multiple years to signal long-term commitment.

Google Safe Browsing

  1. Check your site status at transparencyreport.google.com/safe-browsing/search
  2. If flagged, identify and remove malware, phishing pages, or deceptive content from your site.
  3. Submit a review request through Google Search Console after cleaning up.
  4. Prevent future issues: keep all software updated, use strong passwords, and monitor file changes.

Abuse Contact

  1. This check verifies that an abuse contact exists in your domain's RDAP/WHOIS data.
  2. Most registrars (Namecheap, Cloudflare, GoDaddy) automatically publish an abuse contact — this usually passes by default.
  3. If failing, contact your registrar to ensure their RDAP response includes an entity with the 'abuse' role.
  4. You can check your RDAP data at: rdap.org/domain/yourdomain.com

No Suspicious Redirects

  1. Ensure your homepage does not redirect visitors to a completely different domain.
  2. Redirects within your own domain (e.g., non-www to www) are fine and expected.
  3. If you've moved to a new domain, update your AI-Signed profile to use the new domain instead.
  4. Check with: curl -I https://yourdomain.com — the Location header should stay on your domain.

Server Responds

  1. Ensure your web server returns a 200 OK status on the homepage.
  2. Check with: curl -I https://yourdomain.com — the first line should say HTTP/2 200 or HTTP/1.1 200 OK.
  3. If your server is down, check your hosting provider's status page and restart services if needed.
  4. Common causes: expired hosting, misconfigured DNS, or firewall blocking requests.

Identity

DNS Verified

  1. Log into your AI-Signed dashboard and find the DNS verification token for your domain.
  2. Add a TXT record at your domain root with the value: ai-signed-verify=YOUR_TOKEN
  3. In your DNS management panel, create a TXT record with the full token value.
  4. Click 'Verify' in the AI-Signed dashboard once the DNS record has propagated (usually 5-15 minutes).

WHOIS Public

  1. Log into your domain registrar's account settings.
  2. Look for 'WHOIS Privacy' or 'Domain Privacy' and disable it to make registrant info public.
  3. Note: this exposes your name and contact info publicly. Some registrars offer partial disclosure.
  4. This check awards partial credit (5/20) even with privacy enabled, so the impact is modest.

Organization Consistency

  1. Use an email address on a domain that matches your website (e.g., admin@yourdomain.com).
  2. Avoid using free email providers (Gmail, Yahoo) for your AI-Signed account if possible.
  3. This verifies that the same organization controls both the website and the associated email.
  4. Update your AI-Signed account email in the dashboard settings if needed.

Payment Verified

  1. Subscribe to an AI-Signed plan to complete payment verification.
  2. This confirms a real payment method is associated with the account, adding an identity trust signal.
  3. Visit ai-signed.com/pricing to view available plans.
  4. Free accounts receive partial credit; paid accounts receive full points.

AI Readiness

Sitemap

  1. Create a sitemap.xml file listing all public pages on your site.
  2. For static sites, use a generator like xml-sitemaps.com to crawl and generate one.
  3. For Next.js: create src/app/sitemap.ts exporting a function that returns your URLs.
  4. For WordPress: install Yoast SEO or Google XML Sitemaps plugin — it generates one automatically.
  5. Place the file at yourdomain.com/sitemap.xml and reference it in your robots.txt.

Robots.txt

  1. Create a robots.txt file at the root of your website (yourdomain.com/robots.txt).
  2. Allow all major crawlers with two lines: User-agent: * followed by Allow: /
  3. Block private areas with one Disallow line each, e.g. Disallow: /admin and Disallow: /api/
  4. Add your sitemap reference: Sitemap: https://yourdomain.com/sitemap.xml
  5. Specifically allow AI crawlers: do NOT block GPTBot, ClaudeBot, or Google-Extended.

Structured Data

  1. Add JSON-LD structured data in a <script type="application/ld+json"> tag in your page <head>.
  2. At minimum, add Organization and WebSite schema types with your name, URL, and description.
  3. Add Open Graph meta tags: og:title, og:description, og:image, og:url for rich social sharing.
  4. Test your structured data at search.google.com/test/rich-results
  5. Use schema.org as a reference for available types and properties.

llms.txt

  1. Create a /llms.txt file at your site root describing your site for AI language models.
  2. Include: site name, purpose, key services, contact info, and any usage guidelines.
  3. Format it as plain text, readable by both humans and AI systems.
  4. Example content: '# YourSite.com\nPurpose: Professional IT services\nServices: Computer repair, network setup, consulting\nContact: info@yourdomain.com'
  5. Learn more about the standard at llmstxt.org

AI Plugin Manifest

  1. Create the file at /.well-known/ai-plugin.json on your site.
  2. Minimum required fields: schema_version, name_for_human, name_for_model, description_for_human, description_for_model, auth (type: none), api (type: openapi, url to your spec).
  3. Example: {"schema_version": "v1", "name_for_human": "Your Site", "name_for_model": "yoursite", "description_for_human": "Description here", "description_for_model": "Description here", "auth": {"type": "none"}, "api": {"type": "openapi", "url": "https://yourdomain.com/openapi.json"}}
  4. This enables AI agents and ChatGPT plugins to discover and interact with your site.

API Documentation

  1. Create an OpenAPI (Swagger) specification file at /openapi.json or /docs on your site.
  2. The spec should describe your public API endpoints, if any, in OpenAPI 3.0 format.
  3. If you don't have an API, create a minimal spec describing your site: {"openapi": "3.0.0", "info": {"title": "Your Site", "version": "1.0.0"}, "paths": {}}
  4. You can also redirect /docs to your documentation page — the scanner checks both paths.

Security.txt

  1. Create the file at /.well-known/security.txt on your site.
  2. Include at minimum a Contact field: Contact: mailto:security@yourdomain.com
  3. Recommended additional fields: Expires (ISO date), Preferred-Languages, Policy (link to your security policy).
  4. Example: Contact: mailto:security@yourdomain.com\nExpires: 2027-01-01T00:00:00.000Z\nPreferred-Languages: en
  5. This follows the RFC 9116 standard and helps security researchers report vulnerabilities responsibly.
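A stale Expires date is the most common way a published security.txt quietly stops being useful. The following added example (not part of this guide or the scanner) validates a security.txt body the way a reviewer following RFC 9116 would: a Contact URI must be present, exactly one Expires must be present, and it must be a timezone-aware ISO 8601 timestamp that is in the future but, as the RFC recommends, under a year away. The sample content is constructed from the example above using example.com.

```python
"""Validate a security.txt body against the fields this guide lists (RFC 9116)."""
from datetime import datetime, timezone, timedelta

# Constructed sample that mirrors the guide's example; not fetched from any real site.
SAMPLE_SECURITY_TXT = (
    "Contact: mailto:security@example.com\n"
    "Expires: 2027-01-01T00:00:00.000Z\n"
    "Preferred-Languages: en\n"
)
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

def parse_security_txt(text):
    """Return {field: [values]}; names are case-insensitive and '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems (empty means it passes). `now` may be a datetime or 'YYYY-MM-DD'."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
        return problems
    stamp = expires[0]
    if stamp.endswith("Z"):                       # fromisoformat before Python 3.11 rejects a trailing Z
        stamp = stamp[:-1] + "+00:00"
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        return problems
    if when.tzinfo is None:
        problems.append("Expires must include a timezone offset")
    elif when <= now:
        problems.append("Expires is in the past, so the file counts as stale")
    elif when > now + timedelta(days=365):
        problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems
```

Running it without the now argument checks against the current date, which is what a scheduled job before each rescan should do.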

Still need help? Sign up for AI-Signed and get monthly rescans to track your progress.