Report guide
Reading your WebTrustScore report
Every term that appears on a WebTrustScore report, in plain language — what each line means, how it is measured, and how it moves the score.
Understanding the score
| Term | What it means |
|---|---|
| Overall score (0–1000) | The single headline number, from 0 to 1000 — higher is better. It is a weighted blend of the categories below; nothing else moves it. |
| Band | The word beside the score, such as Strong or Average, that groups the number into a plain-language tier. A label for the score, not a separate measurement. |
| Weight | How much a category counts toward the overall score. The weights add up to 100%, so a higher-weighted category moves the score more. |
| Data coverage | How much of a category's evidence we could actually collect — shown as Full data, Partial data, No data, or Unverifiable. |
| Confidence | The percentage beside data coverage: how complete the evidence behind a category is. Lower coverage lowers confidence, never the score silently. |
| Excluded category | A category we could not evaluate at all is dropped and the rest are re-weighted, rather than counted as zero. Excluded categories show a dash. |
The five trust categories
| Category | Weight | What it means |
|---|---|---|
| Security posture | 28% | Whether the site protects visitors in transit: HTTPS by default, an HTTP→HTTPS redirect, secure response headers, and a clean malware/phishing reputation. |
| Ownership identity | 20% | How clearly the site and its owner can be identified: registration records, organization metadata, a reachable contact path, and structured organization data. |
| Reputation history | 20% | The domain’s track record: how long it has been registered, its history with us, and third-party abuse signals. |
| Consumer transparency | 17% | Whether the site publishes the policies a visitor expects: privacy policy, terms, contact details, and — for shops — returns and cookie notices. |
| Operational resilience | 15% | Operational hygiene that keeps a site dependable: multiple nameservers, DNSSEC, and correctly configured mail and certificate records. |
What the evidence lines mean
Security posture
| Term | What it means |
|---|---|
| HTTPS reachable | Whether the site loads over HTTPS at all — the baseline for any secure connection. |
| HTTP status | The HTTP status code the homepage returned (200 means it loaded normally). |
| HTTP → HTTPS redirect | Whether plain http:// requests are upgraded to https:// automatically, so visitors are never left on an unencrypted connection. |
| Security headers | How many of six recommended security response headers (such as HSTS and X-Content-Type-Options) the site sets. |
| Malware / phishing (Web Risk) | Whether the domain appears on Google’s Web Risk malware/phishing lists. Clean is good; flagged is a serious warning. |
Ownership identity
| Term | What it means |
|---|---|
| Registrar | The company the domain is registered through, from registry records. |
| Domain registration (RDAP) | Registration data pulled live from the registry (the modern replacement for WHOIS): the registrar, and when the domain was created. |
| Organization metadata | Whether the registration names a real organization rather than hiding behind privacy redaction only. |
| Abuse contact | Whether an abuse-reporting contact is published for the domain. |
| Contact path on site | Whether the site offers a reachable way to get in touch — a contact page, email, or form. |
| Organization structured data | Whether the page publishes structured Organization data (schema.org JSON-LD) that identifies who runs it. |
Reputation history
| Term | What it means |
|---|---|
| Domain age | How long ago the domain was first registered, from public registry records. Older domains are harder to fake. |
| Prior scans | How many times we have scored this domain before — a longer history adds context. |
| Last score | The score from the most recent previous scan, for comparison. |
Consumer transparency
| Term | What it means |
|---|---|
| Privacy · Terms · Contact · Returns · Cookies | Whether the site publishes the policy pages visitors expect — privacy, terms, contact, and, for shops, returns and cookie notices. Each is marked present or missing. |
Operational resilience
| Term | What it means |
|---|---|
| Nameservers | The servers that answer DNS for the domain. Two or more is normal and points to a properly run domain. |
| DNSSEC | A cryptographic signature on the domain’s DNS records that stops attackers from forging them. Present or absent. |
| Mail records (MX) | Mail (MX) records: whether the domain is set up to receive email. |
| SPF record | An SPF DNS record listing who may send email for the domain — a basic anti-spoofing control. |
| DMARC record | A DMARC DNS record telling receivers what to do with email that fails authentication — a stronger anti-spoofing control. |
| CAA records | A CAA DNS record that restricts which certificate authorities may issue TLS certificates for the domain. |
Reported alongside the score
| Term | What it means |
|---|---|
| Registration | Whether the name is available, registered, an active site, parked, or for sale — detected from DNS, registry records, and the live web. Reported beside the score, never folded into it. |
| Site status | What a visitor actually lands on: an active site, a parking page, a for-sale listing, a redirect to another domain, or nothing reachable. A dead site can cap a trust score. |
Verification & proof
| Term | What it means |
|---|---|
| Signed proof | A machine-readable record of the score, cryptographically signed the moment it was issued, so anyone can confirm it is genuine and unaltered. |
| Blockchain record | For verified owners, a permanent public entry on the Base blockchain that anyone can check — an independent, tamper-proof copy of the score. |
| Verified owner | A badge shown when the domain’s owner has proven control of it, which unlocks publishing a public, shareable scorecard. |