Web Security · June 4, 2026
Public credibility starts with technical trust signals
A public website is not only read by people. It is fetched by search engines, AI crawlers, security researchers, procurement teams, and tools that decide whether a company is easy to verify.
That makes the technical surface part of the brand. If the site is blocked by a loading screen, is missing canonical URLs, hides behind `noindex`, or has no responsible-disclosure route, outside reviewers have less evidence to work with.
The baseline we care about
- The page fetches without client-side JavaScript being required for core content.
- Production pages are indexable and declare stable canonical URLs.
- `robots.txt` and `sitemap.xml` help crawlers discover the site intentionally.
- `.well-known/security.txt` points researchers to `[email protected]`.
- Security headers show the public site is operated deliberately.
What we released
web-security-baseline-audit turns those checks into a small CLI. It returns Markdown for human review and JSON for automation.
```
npm run audit -- https://mirogate.com
```
This does not replace deeper application security work. It makes the public trust layer visible before a deeper review starts.