ISSUE №02 — SITE HEALTH · 2026-05-14 · SCANNING 12,481 SITES

Operational visibility for live commerce sites.

Continuously check your storefront for leaked API keys, missing security headers, expiring TLS certs, silent SEO regressions, and uptime drops — without an agent, without a migration, without changing how your site is hosted.

Honest framing — Site Health flags what any visitor to your site can already observe. It is informational and is not a substitute for a full security audit or pentest.

Scanner rules shown in the ticker:

  • SEC_EXPOSED_SECRET_STRIPE_LIVE
  • SEC_HEADER_MISSING_CSP
  • SEC_TLS_CERT_EXPIRING
  • SEC_MIXED_CONTENT
  • SEC_SCRIPT_MISSING_SRI
  • SEO_NOINDEX_ON_HOMEPAGE
  • SEC_COOKIE_NO_HTTPONLY
  • SEO_ROBOTS_DISALLOW_ALL
  • SEC_TLS_WEAK_PROTOCOL
  • SEC_HEADER_WEAK_CSP
  • SEC_CORS_WILDCARD_WITH_CREDENTIALS
  • SEO_MISSING_TITLE

§01

Six capabilities, each mapped to specific open scanner rules. No vapor.

i. Exposed secrets

High-precision detectors for vendor key shapes leaked into your bundle.

  • Stripe live + test secrets
  • AWS access keys (AKIA / ASIA)
  • OpenAI keys (sk-…)
  • Google, Slack, GitHub PATs
  • PEM-encoded private keys

ii. Security headers

Seven checks plus CSP-weakness analysis.

  • Missing CSP / HSTS / X-Frame
  • Weak CSP (unsafe-inline, wildcards)
  • One-click baseline injection
  • CSP report-uri tokens

iii. TLS posture

Live TLS probe on the verified domain, not just header sniffing.

  • Certificate expired
  • Expiring within 14 days
  • TLS 1.0 / 1.1 negotiated
  • Untrusted chain / self-signed

iv. SEO regressions

Catch the silent rank-killers your team only notices after the fact.

  • robots.txt: Disallow: /
  • noindex on indexable pages
  • Missing canonical / title / OG
  • Sitemap missing

v. Cookies, CORS, mixed content

Boring but production-breaking misconfigurations.

  • Session cookie missing HttpOnly
  • Access-Control-Allow-Origin: * with credentials
  • HTTP subresources on HTTPS pages
  • Cookie missing Secure
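The header-side checks from the "Security headers" and "Cookies, CORS, mixed content" cards, written out as an added example (this is not Trama's scanner code). Rule IDs are the ones shown in the page's ticker except SEC_COOKIE_NO_SECURE, which is an assumed name; the sample response headers are constructed.

```python
def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def weak_csp_reasons(csp: dict) -> list:
    """Weaknesses in the directive that governs scripts: script-src, else the default-src fallback."""
    name = "script-src" if "script-src" in csp else "default-src"
    sources = csp.get(name, [])
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present, so don't flag it then.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    reasons = []
    for src in sources:
        if src == "'unsafe-inline'" and not has_nonce_or_hash:
            reasons.append(f"{name} allows 'unsafe-inline'")
        elif src in ("*", "http:", "https:"):
            reasons.append(f"{name} allows wildcard source {src}")
    return reasons

def audit_headers(headers: dict) -> list:
    """headers: {lower-case header name: [values]} from one HTTPS response. Returns rule IDs."""
    findings = []
    csp_values = headers.get("content-security-policy", [])
    if not csp_values:
        findings.append("SEC_HEADER_MISSING_CSP")
    elif any(weak_csp_reasons(parse_csp(v)) for v in csp_values):
        findings.append("SEC_HEADER_WEAK_CSP")
    acao = [v.strip() for v in headers.get("access-control-allow-origin", [])]
    if "*" in acao and any(v.strip().lower() == "true" for v in headers.get("access-control-allow-credentials", [])):
        findings.append("SEC_CORS_WILDCARD_WITH_CREDENTIALS")
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("SEC_COOKIE_NO_HTTPONLY")
        if "secure" not in attrs:
            findings.append("SEC_COOKIE_NO_SECURE")  # assumed rule name; not in the page's ticker
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "content-security-policy": ["default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"],
    "access-control-allow-origin": ["*"],
    "access-control-allow-credentials": ["true"],
    "set-cookie": ["session=abc123; Path=/; Secure", "theme=dark; Path=/; HttpOnly"],
}
```

Running `audit_headers(SAMPLE_HEADERS)` reports the weak CSP, the wildcard-with-credentials CORS pair, the session cookie without HttpOnly and the theme cookie without Secure; a policy such as `script-src 'nonce-abc' 'unsafe-inline'` is not flagged, because the nonce disables the inline allowance.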

vi. Uptime + scripts

Synthetic probes every 5 minutes; complete script inventory.

  • HEAD probe → uptime ratio
  • Vendor attribution
  • SRI missing per host
  • Magecart kill-switch
§02

A four-act installation.

step / 01: Connect

Point Trama at your storefront URL. Same connection model as the commerce bridge.

step / 02: Verify ownership

DNS TXT or .well-known file. We refuse to scan domains you can't prove you own.

step / 03: Scan + alert

Scheduled cadence by plan; findings land in the dashboard, and critical findings also go to outbound webhooks.

step / 04: Fix it

For proxy-routed sites: inject headers, strip flagged scripts, issue a CSP report-uri.

§03

Restraint is part of the design.

  • No active exploitation

    We don't run OWASP ZAP / Nuclei in scanning mode against your site. Findings are based on observable HTML, response headers, TLS handshake, and public files.

  • No raw secret storage

    When we detect a leaked key we store its SHA-256 hash plus a 10-char prefix — enough to tell you which vendor key leaked, never enough to reconstruct it.
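The "Exposed secrets" detectors and the hash-plus-prefix storage rule above, as an added example (not Trama's own code). Only SEC_EXPOSED_SECRET_STRIPE_LIVE is a rule ID from the page; the other rule names and the exact key-shape regexes are assumptions, and the bundle is constructed with fake key-shaped strings.

```python
import hashlib
import re

# Vendor key shapes named on the page. Only SEC_EXPOSED_SECRET_STRIPE_LIVE is a rule ID shown on
# the page; the other IDs and the exact regexes are assumptions for this example.
SECRET_RULES = {
    "SEC_EXPOSED_SECRET_STRIPE_LIVE": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}"),
    "SEC_EXPOSED_SECRET_STRIPE_TEST": re.compile(r"\bsk_test_[0-9A-Za-z]{24,}"),
    "SEC_EXPOSED_SECRET_AWS": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "SEC_EXPOSED_SECRET_OPENAI": re.compile(r"\bsk-[0-9A-Za-z_-]{20,}"),
    "SEC_EXPOSED_SECRET_PEM": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def redact(secret: str) -> dict:
    """Keep only what is needed to name the leak: SHA-256 of the match plus a 10-char prefix."""
    return {"sha256": hashlib.sha256(secret.encode()).hexdigest(), "prefix": secret[:10]}

def scan_bundle(text: str) -> list:
    """Run every detector over a JS bundle; the raw matched string never leaves this function."""
    findings = []
    for rule_id, pattern in SECRET_RULES.items():
        for match in pattern.finditer(text):
            findings.append({"rule": rule_id, **redact(match.group(0))})
    return findings

def same_secret(finding: dict, candidate: str) -> bool:
    """Later questions such as 'is this the key we already rotated?' are answered from the hash alone."""
    return finding["sha256"] == hashlib.sha256(candidate.encode()).hexdigest()

# Constructed sample bundle with fake, non-functional key-shaped strings.
SAMPLE_BUNDLE = (
    'const stripe = Stripe("sk_live_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123");\n'
    'const aws = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };\n'
    'const pub = "pk_live_publishable_keys_are_not_secret";\n'
    '// -----BEGIN RSA PRIVATE KEY----- (body omitted in this constructed sample)\n'
)
```

The publishable `pk_live_` string is deliberately left unflagged: it is not a secret, and flagging it would be noise.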

  • No scanning of unverified domains

    Domain verification is a hard gate at the service layer — not just a UI affordance.
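How the ownership gate from step 02 can sit in front of the scanner rather than in the UI, as an added example (not Trama's service code). The `_trama-verify.<domain>` TXT name and the `/.well-known/trama-verify.txt` path come from the page; the token format, function names and the offline DNS/HTTPS stand-ins are assumptions.

```python
import hmac
import secrets
from typing import Callable, Iterable, Optional

def issue_token() -> str:
    """One unguessable token per domain; the customer publishes it, the service later looks for it."""
    return secrets.token_hex(16)

def verify_domain(domain: str, expected_token: str,
                  resolve_txt: Callable[[str], Iterable[str]],
                  fetch_text: Callable[[str], Optional[str]]) -> bool:
    """True only if the DNS TXT record or the .well-known file carries exactly the issued token."""
    want = expected_token.encode()
    # DNS path: TXT at _trama-verify.<domain>; resolvers often return values wrapped in quotes.
    for record in resolve_txt(f"_trama-verify.{domain}"):
        if hmac.compare_digest(record.strip().strip('"').encode(), want):
            return True
    # File path: /.well-known/trama-verify.txt served over HTTPS from the domain itself.
    body = fetch_text(f"https://{domain}/.well-known/trama-verify.txt")
    return body is not None and hmac.compare_digest(body.strip().encode(), want)

def scan_if_verified(domain: str, issued_tokens: dict, resolve_txt, fetch_text, run_scan):
    """The gate lives next to the scanner, so no UI path can reach run_scan unverified."""
    token = issued_tokens.get(domain)
    if token is None or not verify_domain(domain, token, resolve_txt, fetch_text):
        raise PermissionError(f"{domain}: ownership not verified; refusing to scan")
    return run_scan(domain)

# Constructed offline stand-ins for DNS and HTTPS lookups (no network is used).
ISSUED_TOKENS = {"shop.example": "0123456789abcdef0123456789abcdef",
                 "other.example": "fedcba9876543210fedcba9876543210"}
FAKE_TXT = {"_trama-verify.shop.example": ['"v=spf1 -all"', '"0123456789abcdef0123456789abcdef"']}
FAKE_FILES = {"https://other.example/.well-known/trama-verify.txt": "wrong-token\n"}

def fake_resolve_txt(name: str):
    return FAKE_TXT.get(name, [])

def fake_fetch_text(url: str):
    return FAKE_FILES.get(url)

def fake_scan(domain: str) -> str:
    return f"scanned {domain}"
```

In the constructed data shop.example passes via its TXT record while other.example serves a wrong token in its file, so the scan call for it raises PermissionError before any probe runs.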

  • No promises of "complete security"

    Site Health is operational visibility, not compliance. It doesn't replace a pentest, SOC 2, or your security team.

§04

Included on every plan. Only the cadence differs.

Plan         Manual scans / mo   Scheduled       Uptime
Free         1                   weekly          every 5 min
Starter      10                  every 3 days    every 5 min
Pro          60                  daily           every 5 min
Agency       300                 daily           every 5 min
Enterprise   unlimited           daily           every 5 min
§05

The questions we get every week.

Is this a security audit or a pentest?

No. Site Health flags common operational risks that any visitor to your site can already observe: leaked keys in JS bundles, missing security headers, expiring TLS certificates, noindex directives on pages that should be indexable, and uptime drops. It is informational and is not a substitute for a full security audit or penetration test.

How do you prove domain ownership before scanning?

You add a DNS TXT record at _trama-verify.<your-domain> with the token we issue, or place a small file at /.well-known/trama-verify.txt. We verify it before any scan runs.

Will Trama store secrets it finds in my code?

No. We only store a SHA-256 hash of the matched string plus its first few characters. The raw secret never touches our database or logs.

Can I auto-fix issues without changing my code?

Some, when traffic routes through the Trama proxy: missing security headers can be injected one-click, flagged third-party scripts can be stripped on the way out, and a CSP report-uri token can be issued for free.

How often does it scan?

Scheduled scans piggyback on the continuous audit: free = weekly, starter = every 3 days, pro/agency/enterprise = daily. Manual scans are always available. Uptime probes run every 5 minutes.

§06

Find what your customers can already see.

Connect a project in sixty seconds. Free tier includes one manual scan a month plus uptime probes every five minutes.
