Website health briefing — northwind.app
Generated June 24, 2026 at 11:30 AM PDT · https://northwind.app/
We reviewed your public website the way a normal visitor sees it — no logins, no private areas, and nothing was changed.
What this is
Northwind is a writing and grammar assistant delivered as a browser extension and a Google Docs add-on. It checks and rewrites text for grammar, tone, and clarity, and is free during a public beta.
Our view
This is a well-built, professional product in good shape — it loads exceptionally fast, looks polished and distinctive, and is easy for anyone to use. There is one emergency to handle today: a private key was left in the code your page hands every visitor, and it should be revoked right away. After that, the most valuable fixes are protecting your business email from impersonation, making your content visible to search engines and AI assistants, and adding outside proof that people trust you. None of these are hard, and clearing them moves you from a failing grade to a strong one. There are also a handful of minor housekeeping notes worth a quick pass when it's convenient.
What's working well
- Your site is genuinely fast — it appears almost instantly on computers and phones.
- The design is polished and distinctive, with a clean editorial look that signals quality.
- The site is easy for everyone to use, including people who rely on assistive tools.
- Your core web security is sound — visitor traffic is encrypted and the connection is locked down.
- The marketing copy is clear and persuasive, with concrete examples of who it's for.
- The technology behind the site is lean — only the outside services you actually need, with no tracker clutter.
What we checked
Of the checks we ran, 32 came back clean.
Here's what's holding up well, area by area:
⚠️ Being found — 10 of 14 passed clean
- ✓ Page has a title — no issues found
- ✓ Search-result description present — no issues found
- ✓ Marks the main version of a page — no issues found
- ✓ Structured data for search — no issues found
- …and 6 more checks passed clean
- ⚠️ Has a main heading — needs attention (see "What deserves your attention")
- ⚠️ Content readable without JavaScript — needs attention (see "What deserves your attention")
- ◽ Other-language versions are linked — we couldn't confirm this run
- ◽ AI guidance file — we couldn't confirm this run
✓ Speed & experience — 6 of 6 passed clean
- ✓ Page declares its language — no issues found
- ✓ Works well on phones — no issues found
- ✓ Clear heading structure — no issues found
- ✓ Links and buttons have descriptive labels — no issues found
- …and 2 more checks passed clean
⚠️ Trust & safety — 14 of 19 passed clean
- ✓ Secure connection — no issues found
- ✓ Modern encryption — no issues found
- ✓ Certificate not expiring soon — no issues found
- ✓ Cookies set securely — no issues found
- …and 10 more checks passed clean
- ⚠️ Limits which code can run on your pages — needs attention (see "What deserves your attention")
- ⚠️ Doesn't reveal its hosting/tech — needs attention (see "What deserves your attention")
- ⚠️ Email anti-spoofing — needs attention (see "What deserves your attention")
- ⚠️ Email signing — needs attention (see "What deserves your attention")
- ⚠️ Email anti-fraud policy — needs attention (see "What deserves your attention")
⚠️ Growth & operations — 2 of 5 passed clean
- ✓ Privacy policy present — no issues found
- ✓ Behind a content-delivery and filtering service — no issues found
- ⚠️ Cookie-consent banner — needs attention (see "What deserves your attention")
- ◽ Health-check endpoint (a web address other tools can reach) — we couldn't confirm this run
- ◽ Rate limiting in place — we couldn't confirm this run
How to read this
We grade each area from A to F, and a straight-A result IS the goal — an A means an area is in genuinely good shape. Below, for every area scoring under an A, we show exactly what's holding the grade down and why it matters to your business, so you know precisely what to fix to get there.
Some lower grades, though, are the RIGHT call for where you are right now: a deliberate business decision, something sensibly deferred until you actually need it, or a path that never runs in front of customers. Those are trade-offs, not flaws — and where a B or C is a reasonable trade-off for your stage rather than a real gap, we say so explicitly next to the item. Work the serious items first, and keep the trade-offs you've made on purpose.
Since your last run
This is your first tracked run — future runs will show your progress here, so you can see what improved and what's new at a glance.
At a glance
Here's every area we reviewed, ordered by how much it affects your business — most impactful first. Each line is what the area covers and how it's doing. The "things to address" counts here are the issues we found; the full detail for each one is in "What deserves your attention" below, and "Everything we checked" lists every individual check behind these areas.
- Turning visitors into customers — grade C. Whether the people who visit your site actually sign up, buy, or get in touch. A few things to tighten — 2 things to address. Top concern: Nothing on the page proves other people trust you.
- Being found — grade B. Whether new customers can discover you through Google and other search engines. Needs attention ⚠️ — 3 things to address. Top concern: Search engines and AI assistants can't see your page's words or links.
- Speed & experience — grade C. Whether your site loads quickly and is easy and pleasant to use on any device. A few things to tighten — 3 things to address. Top concern: Your before/after demo relies on color alone.
- Trust & safety — grade F. Whether your customers' data and payments are protected and the site is safe to use. Needs attention ⚠️ — 4 things to address. Top concern: A private key is exposed in your page's public code.
- Growth & operations — grade D. Whether you have the tools to see what's working and run the business smoothly. Needs attention ⚠️ — 4 things to address. Top concern: Your automatic account emails may not reach customers.
The biggest risks
Where separate problems combine into something more serious than any one alone:
- A private key is exposed in your public code AND your email can be impersonated — together that gives an attacker both a working credential and a believable way to phish your customers with it.
- Search engines and AI assistants both can't read your page AND there's no outside proof of trust — so new visitors are hard to reach and, once they arrive, have little reason to believe you.
- Account emails may not arrive AND there's no alert when the service is down — so a quiet failure can frustrate new customers for hours before you hear about it.
How this audit was done
This is an automated audit of your website, run on 2026-06-24. It examines your site and reasons over it the way an experienced reviewer would. It's a first pass, not a human sign-off: treat the most serious items as a prompt to look closer rather than a guarantee, and see "What we couldn't fully check" at the end for where the audit was limited.
lens runs 86 checks for your website; on this run we examined 84 of them across 5 areas — covering security, reliability, cost, and growth. Some were turned off for this run (see "What we couldn't fully check" below); "Everything we checked" lists each one, grouped by area.
What deserves your attention
These are ordered by how serious they are. Start at the top.
Major concerns
Being found
1. Search engines and AI assistants can't see your page's words or links
Your page is assembled inside each visitor's browser, so search engines and AI assistants often see an almost-empty page — and the wording and links that should bring you new customers are invisible to them.
2. AI assistants can't see what makes you different
When someone asks an AI assistant for a recommendation, it reads your plain page — which is nearly empty — so your real selling points are invisible and you get described generically, if at all.
Trust & safety
1. A private key is exposed in your page's public code
A secret meant to stay on your servers was bundled into the code every visitor downloads, so anyone can copy it and run up charges or reach data it unlocks. This is the single most urgent thing to fix.
2. Anyone can send email pretending to be your business
Your domain has none of the standard protections that prove an email really came from you, which invites scams aimed at your customers and pushes your own sign-up and billing emails into spam.
Growth & operations
1. Your automatic account emails may not reach customers
Sign-up and password-reset emails are sent automatically from your domain, but because it has no email-authentication protection they're easily faked and often land in spam — turning a new customer's first step into a support ticket.
Should fix
Turning visitors into customers
1. Nothing on the page proves other people trust you
You ask first-time visitors to install a tool that reads what they type, but show no reviews, ratings, install counts, or familiar names — so more visitors hesitate and leave right when they're deciding to sign up.
Speed & experience
1. Your before/after demo relies on color alone
The correction examples that prove your tool works mark 'before' and 'after' with red and green only, so color-blind visitors and anyone in bright sunlight can't tell which side is the fix — turning your best proof into confusion.
Trust & safety
1. Visitor tracking starts before asking permission
Tracking begins the moment the page opens, with no consent prompt — which can break privacy law for the European and UK visitors a tool like this attracts.
Growth & operations
1. Your analytics runs without asking permission
Your visitor analytics starts tracking the moment the page loads, which needs consent first for European and UK visitors — and without it your own measurement will degrade as the rules tighten.
2. Nothing alerts you automatically when the service goes down
The core writing feature has no health check or status page, so you learn about outages from a wave of 'is it broken?' emails instead of an automatic alert — meaning slower fixes and more support load.
3. Billing for paid plans isn't set up to run itself
Your pricing promises beta users a discount at launch, but granting discounts, chasing failed payments, and handling cancellations by hand would make launch day a recurring manual chore instead of a one-time setup.
Minor
Turning visitors into customers
1. Your pricing promises a discount but not from what
Telling beta users they'll get 'a discount' with no reference price means they can't tell what they're locking in now, which softens the urgency to sign up.
Being found
1. Your search-result description gets cut off
The summary shown under your title in search results is too long, so the end of your pitch never reaches the people deciding whether to click.
Speed & experience
1. On phones, the page works in the background a while after it appears
The page looks ready quickly, but on slower phones it keeps doing work behind the scenes afterward, which can feel a little sluggish to tap. Worth watching as you grow.
2. Some of your lightest gray text may be hard to read
Low-contrast text is the most common readability complaint and especially affects older visitors and people on phones outdoors — a meaningful part of a broad audience.
Trust & safety
1. A page-protection rule is set the weaker way
You have a strong rule limiting which code can run on your pages, but it's delivered in the form browsers only partly enforce and that can't report abuse.
Everything we checked
Even where everything's fine, here's what we looked at — so you can see the review was thorough, not just a list of problems. Each area shows the individual checks we ran and the specific things the reviewer weighed.
Turning visitors into customers — 3 of 5 checks OK
Whether the people who visit your site actually sign up, buy, or get in touch.
We confirmed 3 of 5 individual checks here; 1 check needs attention; 1 check we couldn't confirm this run.
- ⚠️ Clear, persuasive content
Whether your wording quickly explains what you offer and convinces visitors it's worth their time. This one isn't in place yet — a worthwhile improvement to make when you can.
- ◽ Conversion basics (sign-up path, trust signals)
Whether the path from landing on your site to signing up is clear and convincing. We couldn't confirm this on this run.
We also weighed these, and they're in good shape unless flagged in the findings above:
- What you offer is clear the moment the page loads, before any scrolling
- The buttons telling visitors what to do next are clear and persuasive
- The wording reads well and includes signals that build visitor trust
Being found — 21 of 25 checks OK
Whether new customers can discover you through Google and other search engines.
We confirmed 21 of 25 individual checks here; 2 checks need attention; 2 checks we couldn't confirm this run.
- ⚠️ Has a main heading
A clear top headline tells visitors and Google what the page is about at a glance. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Content readable without JavaScript
Whether your words are visible to AI crawlers, which usually don't run JavaScript the way a web browser does. Found on your website — review and address (most of your text only appears after JavaScript runs, so AI crawlers may not see it).
- ✅ Page has a title
The headline shown in search results and browser tabs; it's the first thing people see when deciding whether to click. It's correctly set up — no changes needed.
- ✅ Search-result description present
The short summary under your title in search results; a good one persuades more people to click through to you. It's correctly set up — no changes needed.
- ✅ Marks the main version of a page
Tells search engines which version of a page is the main one, so your ranking isn't split across duplicates. It's correctly set up — no changes needed.
- ✅ Structured data for search
Extra labels that help Google show rich results like star ratings or prices, making your listing stand out. It's correctly set up — no changes needed.
- ✅ Social link previews
Controls the title, image, and text shown when your link is shared on social media, so it looks appealing. It's correctly set up — no changes needed.
- ✅ Twitter/X link preview
Controls how your link looks when shared on Twitter/X, so it shows a proper preview instead of a bare address. It's correctly set up — no changes needed.
- ✅ Images have text descriptions
Short text descriptions of images so search engines and visitors using screen readers understand what each picture shows. It's correctly set up — no changes needed.
- ✅ Search-crawler rules present
A robots.txt file and page-level rules tell search engines which pages they may show, so important pages aren't accidentally hidden from search. It's correctly set up — no changes needed.
- ✅ AI assistants allowed to read your site
Whether the rules in your site's crawler file let AI answer engines read your pages so they can recommend you to people who ask. It's correctly set up — no changes needed.
- ✅ Structured data AI answers can use
Machine-readable labels about your product, business, and FAQs that AI answer engines rely on to quote you accurately. It's correctly set up — no changes needed.
- ◽ Other-language versions are linked
Tells search engines about other-language versions of a page, so visitors are shown the right one for them. We couldn't confirm this on this run.
- ◽ AI guidance file
A simple text file that points AI assistants like ChatGPT and Perplexity straight to your most important content. This optional file isn't published yet — an emerging, nice-to-have standard as AI search grows.
We also weighed these, and they're in good shape unless flagged in the findings above:
- Each page has its own title and description for search results
- Search engines are told clearly which version of each page to index and where to find them all
- Headings are well-structured and images have meaningful descriptions
- Your content can be read by search and AI crawlers, not hidden behind code they can't run
- Pages include the machine-readable details that search and AI engines use to understand them
- How you treat AI crawlers is a deliberate choice, not an accidental block
- Any AI in the product is presented honestly, around the benefit to the customer
- Internal AI-generation details don't show up on your public pages
- The main competitors and alternatives have been identified
- There's a clear read on what sets you apart and how you're positioned
- Every claim in the research is backed by a source
Speed & experience — 16 of 16 checks OK
Whether your site loads quickly and is easy and pleasant to use on any device.
- ✅ Page declares its language
Tells browsers and screen readers what language your page is written in, so it's read aloud and offered for translation correctly. It's correctly set up — no changes needed.
- ✅ Works well on phones
A small setting that tells phones to fit the page to the screen and allow pinch-to-zoom, so visitors on mobile aren't stuck scrolling sideways. It's correctly set up — no changes needed.
- ✅ Clear heading structure
Well-organised headings let visitors — and people using screen readers — scan your page and jump straight to the part they need. It's correctly set up — no changes needed.
- ✅ Links and buttons have descriptive labels
Links and buttons need words a screen reader can announce; an icon-only one with no label leaves those visitors with no idea what it does. It's correctly set up — no changes needed.
- ✅ Page loading speed
We measured this on a phone: your homepage's main content appears in 0.5s (desktop 0.4s). Google ranks on the mobile experience and treats under 2.5s as 'good' and over 4.0s as 'slow' — most visitors are on phones, so mobile speed is what counts most. That's in the 'good' range on mobile — no changes needed.
- ✅ Visual design and mobile layout
Whether your site looks professional and works well on phones, where most visitors first meet your brand. It's correctly set up — no changes needed.
We also weighed these, and they're in good shape unless flagged in the findings above:
- Your main pages show their content quickly
- Pages don't jump around as they load and respond promptly to taps and clicks
- No heavy files are holding up how fast the page appears
- Images describe themselves for screen readers and the page states its language
- Forms, links, and buttons are clearly labeled so everyone can use them
- Page headings follow a clean, logical outline
- The site is set up to display properly on phones
- The page is laid out cleanly so visitors' eyes go to the right things
- Text is easy to read and colors are easy on the eyes for everyone
- Nothing looks broken or runs off the screen on a phone
Trust & safety — 21 of 26 checks OK
Whether your customers' data and payments are protected and the site is safe to use.
We confirmed 21 of 26 individual checks here; 5 checks need attention.
- ⚠️ Limits which code can run on your pages
An extra layer of protection that limits which code is allowed to run on your pages, so a stray or tampered script has far less room to cause harm. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Doesn't reveal its hosting/tech
Checks your site isn't broadcasting the software and hosting it runs on, which gives attackers a head start. Found on your website — review and address (reveals [REDACTED:server-banner]).
- ⚠️ Email anti-spoofing
Lets mail servers verify that emails claiming to be from your domain are really yours, so scammers can't impersonate you. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Email signing
Adds a tamper-proof signature to your emails so recipients can trust they genuinely came from you and weren't altered. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Email anti-fraud policy
Tells other mail servers what to do with fake emails pretending to be from you, stopping scammers using your name. This one isn't in place yet — a worthwhile improvement to make when you can.
- ✅ Secure connection
Encrypts the connection between visitors and your site so no one can snoop on or tamper with what's sent. It's correctly set up — no changes needed.
- ✅ Modern encryption
The latest, fastest version of that encryption, giving visitors stronger protection and quicker secure connections. It's correctly set up — no changes needed.
- ✅ Certificate not expiring soon
The security certificate behind the padlock; if it lapses, browsers warn visitors away with a scary error. It's correctly set up — no changes needed.
- ✅ Cookies set securely
Makes sure the small files your site stores on visitors' devices can't be read or stolen over an insecure connection. It's correctly set up — no changes needed.
- ✅ No insecure content on a secure page
Checks that every part of a secure page also loads securely, so nothing on it can be tampered with in transit. It's correctly set up — no changes needed.
- ✅ Forces secure connections
Tells browsers to always use the secure version of your site, so visitors can't be downgraded to an insecure connection. It's correctly set up — no changes needed.
- ✅ Blocks clickjacking
Stops other sites from secretly embedding yours to trick visitors into clicking things they didn't mean to. It's correctly set up — no changes needed.
- ✅ Stops browsers from guessing file types
Stops browsers from guessing file types, which can otherwise be tricked into running a harmful file as code. It's correctly set up — no changes needed.
- ✅ Limits what's shared with sites you link to
Controls how much about your pages is shared with other sites visitors click through to, protecting their privacy. It's correctly set up — no changes needed.
- ✅ Limits which device features pages can use
Limits which device features, like camera or location, your pages can use, reducing what a hijacked page could abuse. It's correctly set up — no changes needed.
- ✅ No subdomain-takeover risk
Checks you have no abandoned subdomains an attacker could claim and use to impersonate your brand. It's correctly set up — no changes needed.
- ✅ No known vulnerable libraries
Checks the third-party code your site relies on has no publicly known security holes that attackers actively exploit. It's correctly set up — no changes needed.
- ✅ Visitor data sent privately
Makes sure personal details visitors enter are sent over a secure connection, never in plain text others could read. It's correctly set up — no changes needed.
- ✅ No behind-the-scenes AI details leak publicly
Checks that the behind-the-scenes details of any AI used to build your pages — things like prompts, model names, or cost notes — aren't left visible in your page's code for anyone to read. It's correctly set up — no changes needed.
We also weighed these, and they're in good shape unless flagged in the findings above:
- The site sends the right safety settings to visitors' browsers
- Cookies are set securely and every part of the page loads over a safe connection
- The site doesn't leak internal version or error details that help an attacker
- No private keys are exposed in the code that runs in visitors' browsers
- Your email is set up so messages from your domain can't be easily faked
- Inline scripts are allowed by a nonce or hash, not 'unsafe-inline', and aren't blocked by the page's own CSP
- No React hydration mismatch (server HTML matches the client's first render)
Growth & operations — 9 of 12 checks OK
Whether you have the tools to see what's working and run the business smoothly.
We confirmed 9 of 12 individual checks here; 1 check needs attention; 2 checks we couldn't confirm this run.
- ⚠️ Cookie-consent banner
Asks visitors' permission before using tracking cookies, which many privacy laws require you to do. This one isn't in place yet — a worthwhile improvement to make when you can.
- ✅ Privacy policy present
A page explaining how you handle visitors' data; customers expect it and it's often legally required. It's correctly set up — no changes needed.
- ✅ Behind a content-delivery and filtering service
A service that speeds up your site worldwide and filters out malicious traffic before it reaches you. It's correctly set up — no changes needed.
- ◽ Health-check endpoint (a web address other tools can reach)
A simple status address monitoring tools can ping to confirm your site is up, so you hear about outages fast. We couldn't confirm this on this run.
- ◽ Rate limiting in place
Caps how many requests one source can make, protecting your site from abuse and overload. We couldn't confirm this on this run.
We also weighed these, and they're in good shape unless flagged in the findings above:
- You're measuring visitor behavior on the pages that matter
- Visitor consent is handled where the law requires it
- Outside scripts on the page are limited to the ones you actually need
- The workflow diagrams are based on the tools actually detected on your site
- Each suggested automation names a specific tool and the manual step it would save
- Anything the review inferred is labeled by how confident it is and limited to what's publicly visible
- The links your own pages point to actually work — no dead 'page not found' links
What to do next
In priority order — start at the top and work down.
- Revoke and replace the exposed key today, then move it somewhere it never ships to visitors' browsers.
- Protect your business email so messages can't be faked and your own account emails reach customers.
- Make your content visible to search engines and AI assistants by delivering it in the page's source.
- Add proof that people trust you — reviews, ratings, install counts, or familiar names — near the sign-up button.
- Ask permission before tracking, and get ready to run smoothly as you grow: alerts, a status page, and self-serve billing — plus a quick pass over the minor housekeeping notes.
What we couldn't fully check
Every review has limits — this was an automated check, not an exhaustive one. Here's what this run could NOT fully assess, and exactly why; re-running covers these:
- Market & Competitive Research — this area was turned off for this run — re-running with it on covers it
- Business Growth — this area was turned off for this run — re-running with it on covers it
Technical Audit — northwind.app
Generated June 24, 2026 at 11:30 AM PDT · seed https://northwind.app/ · secrets redacted
Methodology & scope
Passive, unauthenticated review of the public website at https://northwind.app/ — seen the way a normal visitor's browser sees it. No logins, no private areas, and nothing was changed. This is an anonymized sample on fictional data.
Residual: Screenshots are not text-redacted. Secret-shaped strings are stripped from captured text (headers, HTML, scanner output) before analysis, but page screenshots are sent to the vision model as raw pixels. A secret rendered visibly on a page — for example an API key shown in an admin panel — is not removed and reaches the model. Treat captured screenshots as sensitive.
How to read this
This is a home inspection, not a report card. We surface everything we find and rank it by seriousness — but not every item is a must-fix, and clearing every flag is not the goal. Some findings (and the B/C grades that reflect them) are reasonable trade-offs for your stage: a deliberate business decision, something sensibly deferred until you need it, or a path that doesn't run in production. Chasing an A in every area — or zero findings — usually means over-engineering, or papering over a real choice. Work the serious items first; accept the trade-offs that fit where you are. A healthy result is no unaddressed serious issues — not straight A's.
Coverage summary
46 checks across 5 areas: 32 passed, 9 flagged, 5 not determined.
| Area | Passed | Flagged | Not determined |
|---|---|---|---|
| Turning visitors into customers | 0 | 1 | 1 |
| Being found | 10 | 2 | 2 |
| Speed & experience | 6 | 0 | 0 |
| Trust & safety | 14 | 5 | 0 |
| Growth & operations | 2 | 1 | 2 |
Verified clean
These checks ran and found no issues:
- Being found — Page has a title
- Being found — Meta description present
- Being found — Canonical URL set
- Being found — Structured data for search (Schema.org)
- Being found — +6 more verified clean
- Speed & experience — Page declares its language
- Speed & experience — Works well on phones (mobile viewport)
- Speed & experience — Clear heading structure
- Speed & experience — Links and buttons have descriptive labels
- Speed & experience — +2 more verified clean
- Trust & safety — Secure connection (HTTPS)
- Trust & safety — Modern encryption (TLS 1.3)
- Trust & safety — Certificate not expiring soon
- Trust & safety — Cookies set securely
- Trust & safety — +10 more verified clean
- Growth & operations — Privacy policy present
- Growth & operations — Behind a content-delivery and filtering service
Findings
SEO
Your page's words and links are only built after it loads in a browser
- Severity: high
- Confidence: high
- Business impact: New customers find you mainly through search. Because your page is assembled inside each visitor's browser, search engines often see an almost-empty page — so the wording that should rank for what you do, and the links to your other pages, are invisible to them.
- Detail: The served HTML body is an empty app shell; the headings, copy, and the internal link graph are injected by the page's script after load. A review of the raw page found no main heading, no body copy, and no in-page links — they appear only once the script has run.
- Fix: Deliver the home and main marketing pages with their text and links already in the page's source (pre-render or server-render them), so search engines and link-discovery tools see real content immediately.
- Evidence:
- https://northwind.app/ — served page source
- https://northwind.app/ —
Your search-result description is longer than search engines will show
- Severity: low
- Confidence: high
- Business impact: The summary under your title in search results gets cut off, so the trailing part of your pitch never reaches the people deciding whether to click.
- Detail: The page's description is 167 characters; results typically show only the first ~155-160, truncating the closing call to action.
- Fix: Tighten the description to about 150 characters so it shows in full.
- Evidence:
- https://northwind.app/ — page description
- https://northwind.app/ —
AI Readiness & Trust
AI answer assistants see a blank page where your selling points should be
- Severity: high
- Confidence: high
- Business impact: More and more people ask an AI assistant for a recommendation instead of searching. Those assistants read the plain page and don't run your page's code, so they can't see what makes you different — and describe you only generically, if at all.
- Detail: The plain page contains none of the visible product copy (it measured zero readable words before the page's code runs, versus ~700 after); the value proposition, use cases, and pricing all exist only after load.
- Fix: Deliver the marketing copy in the page's source so assistants that don't run page code can still read your value proposition, use cases, and pricing.
- Evidence:
- https://northwind.app/ — plain page content
- https://northwind.app/ —
Your business description is already machine-readable — a real strength
- Severity: info
- Confidence: high
- Business impact: Even though the page body is hidden from AI crawlers, you do publish a clean, structured description of your business and product up front, so assistants can still identify you accurately. This is the main thing keeping you discoverable today.
- Detail: A well-formed structured-data block describes the organization and the product (category, platform, and a free-during-beta offer) and is readable without running any page code.
- Fix: Keep this in the page source, and add a frequently-asked-questions block so assistants have ready-made answers to quote.
- Evidence:
- https://northwind.app/ — structured data block
Performance
Your site loads fast, with room to spare
- Severity: info
- Confidence: high
- Business impact: Fast pages keep visitors engaged and help your search ranking. Yours load well inside the thresholds that matter, so speed is working for you, not against you.
- Detail: On the home page the main content appears in about 0.4s on desktop and 0.5s on mobile — roughly five times faster than the 'good' threshold — with negligible layout shift, served from a content-delivery network.
- Fix: No action needed. Keep the lean build as you add pages.
- Evidence:
- https://northwind.app/ — home page load timings
On phones, the page keeps working in the background longer after it appears
- Severity: low
- Confidence: high
- Business impact: The page looks ready quickly, but on slower phones it keeps doing work behind the scenes for a while after — the part of the experience that can feel sluggish to tap. Worth watching as the app grows.
- Detail: Total mobile load is several times the desktop figure, driven by running the page's script and a third-party measurement tag on a slower phone processor, well after the main content has painted.
- Fix: Split the page's code so less runs up front, and load the measurement tag after the page is interactive.
- Evidence:
- https://northwind.app/ — mobile load timings
Accessibility
Your before/after demo tells people apart using color only
- Severity: medium
- Confidence: high
- Business impact: The correction examples are the heart of your pitch — they show the tool fixing real text. They mark the 'before' and 'after' with red and green only, so the roughly one in twelve men with red-green color blindness, plus anyone on a phone in bright sun, can't tell which side is the fix — turning your strongest proof into confusion.
- Detail: The before/after pairs are distinguished by text color alone, with no second cue such as a strike-through, an arrow, or a label a screen reader can announce.
- Fix: Add a non-color cue to each pair — strike through the original, mark the fix with an arrow or checkmark, and add a label assistive tools can read.
- Evidence:
- https://northwind.app/ — before/after correction examples
Some of your lightest gray text may be hard to read
- Severity: low
- Confidence: low
- Business impact: Hard-to-read low-contrast text is the most common accessibility complaint, and it disproportionately affects older visitors and anyone on a phone outdoors — a meaningful slice of a broad consumer audience.
- Detail: Contrast couldn't be measured automatically this run. The muted off-white palette uses several light-gray secondary labels that are the pairing most likely to fall under the readability threshold.
- Fix: Check the light-gray-on-off-white text with a contrast checker and darken any that fall short.
- Evidence:
- https://northwind.app/ — muted secondary labels
The accessibility basics are strong across the board
- Severity: info
- Confidence: high
- Business impact: The things that most often shut out screen-reader and keyboard users are all handled, so the page is broadly usable today and not exposed to the common accessibility-complaint patterns.
- Detail: Every image carries descriptive text, every interactive control is labelled (including icon-only ones), the page declares its language, the heading order is clean with a single top heading, and a 'skip to content' link is the first focusable element.
- Fix: No action needed — keep these as the page grows.
- Evidence:
- https://northwind.app/ — rendered page
Security
A private access key is sitting in your page's public code
- Severity: critical
- Confidence: high
- CWE: CWE-798
- Business impact: A secret key that's meant to stay on your servers was bundled into the code every visitor's browser downloads, so anyone can copy it. Whoever does can run up charges on your account or reach data it unlocks. This is the single most urgent thing to fix — today.
- Detail: A secret-shaped credential was found embedded in the page's published script bundle, which is served publicly to every visitor. The value has been redacted from this report.
- Fix: Treat the key as compromised: revoke and rotate it immediately, move the replacement to a server-side setting that never ships to the browser, and check the provider's usage logs for activity you didn't initiate while the bundle was public. Then add a secret scan to your build step so a key can't be bundled again.
- Cost impact: $40,000
- Evidence:
- https://northwind.app/static/js/app.js — published script bundle
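Added example, not code from the report or from Northwind: a build-time scan of the kind the fix above calls for. It runs over a constructed JavaScript snippet (the key-like value in it is invented for the example, not the redacted value the scan found) and flags quoted strings that sit next to a credential-sounding name and are random enough to be real material, so placeholders such as REPLACE_ME are ignored. The sample bundle, the name pattern and the entropy threshold are all assumptions of the example.

```python
import math
import re

# Constructed sample of a front-end bundle, written for this example. The
# key-like value is invented; it is NOT the value the report found (redacted).
SAMPLE_BUNDLE = r'''
const API_BASE = "https://api.northwind.app";
const FEATURE_FLAGS = {betaBanner: true, darkMode: false};
const apiKeyPlaceholder = "REPLACE_ME_REPLACE_ME_REPLACE_ME";
fetch(API_BASE + "/v1/rewrite", {
  headers: {"X-Service-Key": "svc_live_9fKq2ZpV7tLm4XwB8nRd1yHs6JcE3aGu"}
});
const BUILD_ID = "2026-06-24T11:30:00Z";
'''

# A quoted string of 20+ token characters paired (by ':' or '=') with a name
# that hints at a credential. Deliberately vendor-agnostic: no key-format
# prefixes are assumed, so the entropy check below does the discrimination.
CREDENTIAL_CONTEXT = re.compile(
    r"""(?i)["']?([A-Za-z0-9_\-]*(?:key|secret|token|password|passwd)[A-Za-z0-9_\-]*)["']?"""
    r"""\s*[:=]\s*["']([A-Za-z0-9_\-./+=]{20,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base62 of 30+ chars scores roughly 4.5-5.5;
    prose, dates and REPLACE_ME placeholders score well under 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be traced to its source without re-leaking it."""
    return value[:6] + "...[redacted]"


def find_secret_shaped(text: str, min_entropy: float = 4.0):
    """Return [(name, redacted_value, entropy)] for credential-context strings
    that also look random enough to be live key material."""
    hits = []
    for m in CREDENTIAL_CONTEXT.finditer(text):
        name, value = m.group(1), m.group(2)
        ent = round(shannon_entropy(value), 2)
        if ent >= min_entropy:
            hits.append((name, redact(value), ent))
    return hits


if __name__ == "__main__":
    for name, shown, ent in find_secret_shaped(SAMPLE_BUNDLE):
        print(f"{name}: {shown} (entropy {ent} bits/char)")
```

Wire this into the build so that any hit fails the publish step. One caveat: hex-only keys cannot exceed 4 bits per character, so lower min_entropy (to about 3) if your provider issues those, and expect to tune the name list to the vocabulary of your own code.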
Anyone can send email pretending to be your business
- Severity: high
- Confidence: high
- CWE: CWE-290
- Business impact: Your domain publishes none of the three standard protections that prove an email really came from you. For a product that already emails sign-up notices and will email billing notices once paid plans launch, that invites convincing scams aimed at your customers and pushes your own real emails into spam. It's the highest-value, lowest-effort fix here.
- Detail: None of the three email-authentication records (sender policy, message signing, and the handling rule for fakes) are published for the domain, so receiving mail servers can't verify any message claiming to be from you.
- Fix: Publish all three email-authentication records and turn on message signing at your email provider, starting in a monitor-only mode and tightening to reject.
- Evidence:
- northwind.app — domain email records
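Added example, not from the report: a reader for the three records the fix above asks for, showing what "monitor-only, then tighten to reject" looks like in the records themselves. The three record sets are constructed; the include: host and the report mailbox are placeholders for whatever your provider and team use, and DKIM is modelled as a yes/no flag because its record lives at a selector name only your provider knows. It doesn't query DNS: paste in the TXT values you get back from `dig TXT northwind.app` and `dig TXT _dmarc.northwind.app`.

```python
# Constructed DNS answers for three stages of a rollout. The include: host and
# the report mailbox are placeholders, not records northwind.app publishes
# (the scan found none). DKIM is a boolean because its record sits at
# <selector>._domainkey.<domain> and can only be fetched once the selector is known.
STAGE_NOTHING = {"spf": None, "dkim": False, "dmarc": None}
STAGE_MONITOR = {
    "spf": "v=spf1 include:_spf.mail-provider.example -all",
    "dkim": True,
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@northwind.app",
}
STAGE_ENFORCE = {
    "spf": "v=spf1 include:_spf.mail-provider.example -all",
    "dkim": True,
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@northwind.app; adkim=s; aspf=s",
}


def parse_spf(txt):
    """Return {'terms': [...], 'all': qualifier} or None if not an SPF record.
    The qualifier on the trailing 'all' decides unlisted senders:
    '-' fail, '~' softfail, '?' neutral, '+' (or absent) passes everyone."""
    parts = txt.split() if txt else []
    if not parts or parts[0].lower() != "v=spf1":
        return None
    all_qual = None
    for term in parts[1:]:
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qual = qual
    return {"terms": parts[1:], "all": all_qual}


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if absent or invalid."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None


def assess(records):
    """List what a receiving server would hold against mail from this domain."""
    findings = []
    spf = parse_spf(records.get("spf"))
    if spf is None:
        findings.append("SPF: no record, so any server may claim to send for the domain")
    elif spf["all"] in (None, "+"):
        findings.append("SPF: missing or '+all' terminator, which passes every sender")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    if not records.get("dkim"):
        findings.append("DKIM: no selector record, so messages carry no verifiable signature")
    dmarc = parse_dmarc(records.get("dmarc"))
    if dmarc is None:
        findings.append("DMARC: no record, so failures have no policy and you get no reports")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never sent")
    return findings


def stage(records):
    """Where the domain sits on the monitor-then-tighten path."""
    spf = parse_spf(records.get("spf"))
    dmarc = parse_dmarc(records.get("dmarc"))
    present = [spf is not None, bool(records.get("dkim")), dmarc is not None]
    if not any(present):
        return "unprotected"
    if not all(present):
        return "partial"
    return "monitoring" if dmarc.get("p", "none") == "none" else "enforcing"


def next_policy(records):
    """The next DMARC p= value to publish, or None when already at reject."""
    dmarc = parse_dmarc(records.get("dmarc"))
    current = dmarc.get("p", "none") if dmarc else None
    return {None: "none", "none": "quarantine", "quarantine": "reject"}.get(current)
```

The staging matters: publish p=none with a rua= address first, read the aggregate reports for a couple of weeks to catch any legitimate sender (the sign-in service, the payments provider's receipts) you forgot to authorize, and only then move to quarantine and reject. Going straight to reject is how a domain blocks its own password-reset mail.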
Visitor tracking starts before anyone agrees to it
- Severity: medium
- Confidence: high
- Business impact: Your analytics begins watching visitors the moment the page opens, with no consent prompt. For the European and UK visitors a tool like this attracts, that can break privacy law and expose you to complaints and fines.
- Detail: Tracking scripts load on page open with no consent banner present; two tracking requests fire before any choice is offered.
- Fix: Add a consent prompt and hold all non-essential tracking until visitors agree, defaulting to off in regions that require it.
- Evidence:
- https://northwind.app/ — page header
A page-protection rule is set the weaker of the two ways
- Severity: low
- Confidence: high
- CWE: CWE-693
- Business impact: You do have a strong rule limiting which code can run on your pages — a real plus — but it's delivered in the weaker form, which browsers only partly enforce and which can't report attempted abuse.
- Detail: The content-security rule is delivered inside the page markup rather than as a response header. A rule delivered that way cannot carry frame-ancestors, report-uri or sandbox (browsers drop them silently), cannot report violations, and only takes effect once the browser has parsed far enough to reach it, so anything loaded before that point is unprotected.
- Fix: Serve the same rule as a Content-Security-Policy response header at your content-delivery edge, then remove the copy in the markup so there is one policy to maintain. If you want to see attempted abuse, add a reporting directive to the header version; the markup form can't collect reports at all.
- Evidence:
- https://northwind.app/ — response headers
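Added example, not from the report, and the policy in it is constructed (the report does not print your real one): a check that shows which directives a browser keeps when the same policy arrives in a meta tag versus a response header, and builds the header form to serve at the edge.

```python
# Directives the CSP specification tells browsers to discard when the policy
# arrives in a <meta http-equiv="Content-Security-Policy"> tag instead of a
# response header. Everything else is honoured either way.
META_DROPPED = {"frame-ancestors", "report-uri", "sandbox"}

# Constructed policy for the example; the report does not show the real one.
SAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' https://static.example; "
    "frame-ancestors 'none'; report-uri /csp-report; object-src 'none'"
)


def parse_csp(serialized):
    """Split a serialized policy into {directive: [source expressions]}.
    A repeated directive name is ignored after its first occurrence, as browsers do."""
    policy = {}
    for chunk in serialized.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_policy(serialized, via):
    """What a browser actually enforces for a policy delivered via 'meta' or 'header'.
    Reporting is only possible from the header form; report-to additionally needs
    a Reporting-Endpoints response header, which a meta tag cannot supply either."""
    if via not in ("meta", "header"):
        raise ValueError("via must be 'meta' or 'header'")
    parsed = parse_csp(serialized)
    dropped = [d for d in parsed if via == "meta" and d in META_DROPPED]
    kept = {d: v for d, v in parsed.items() if d not in dropped}
    can_report = via == "header" and ("report-uri" in kept or "report-to" in kept)
    return {"kept": kept, "dropped": dropped, "can_report": can_report}


def serialize(policy):
    """Join a parsed policy back into header syntax."""
    return "; ".join(f"{d} {' '.join(v)}".strip() for d, v in policy.items())


def build_header(serialized):
    """The (name, value) pair to emit at the CDN edge, carrying every directive."""
    return ("Content-Security-Policy", serialize(parse_csp(serialized)))
```

Run effective_policy on your own policy with via="meta" to see exactly what the page has been silently losing; the dropped list is the concrete argument for moving it to the header.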
Your pages quietly announce what they're hosted on
- Severity: info
- Confidence: high
- CWE: CWE-200
- Business impact: A response label names your hosting platform. There's no direct risk, but it gives someone probing for weaknesses a small head start.
- Detail: A response header discloses the hosting platform. No version numbers or error details are exposed beyond the platform name.
- Fix: Optionally strip the hosting label at your content-delivery edge.
- Evidence:
- https://northwind.app/ — response headers
Content & Presentation
Nothing on the page shows that other people trust you
- Severity: medium
- Confidence: high
- Business impact: You're asking first-time visitors to install a tool that reads what they type, yet the page shows no reviews, ratings, install counts, or recognizable names. With nothing to vouch for you, more visitors hesitate and leave at the exact moment they're deciding whether to sign up.
- Detail: The visible page contains no testimonials, star ratings, install or user counts, press mentions, or trust logos — only first-party privacy reassurances.
- Fix: Add concrete proof near the sign-up button: a store rating and install count, two or three short attributed quotes, or a 'trusted by N writers' figure. Even a beta-signup count helps.
- Evidence:
- https://northwind.app/ — landing page
Your pricing promises a discount but never says from what
- Severity: low
- Confidence: low
- Business impact: Saying beta users get 'a discount' with no reference price means visitors can't tell what they're locking in by signing up now, which softens the urgency the offer is meant to create.
- Detail: The pricing section lists a single free beta tier and promises a future discount, with no indicative future price or 'normally $X' anchor.
- Fix: Once paid pricing is decided, add an indicative anchor (for example 'will be $X/mo — beta users lock in Y% off') while keeping the honest framing.
- Evidence:
- https://northwind.app/#pricing — pricing section
Tech & Analytics
Your analytics runs without asking permission
- Severity: medium
- Confidence: high
- Business impact: Your visitor analytics starts setting tracking cookies the moment the page loads. For the European and UK visitors a writing tool attracts, that needs consent first — and without it your own measurement will also degrade as the rules tighten.
- Detail: The analytics tag loads on page open with no preceding consent step and no consent-management tool present; a privacy review confirmed tracking fires before any choice is offered.
- Fix: Default analytics to off until a visitor agrees, add a lightweight region-aware consent prompt, and turn tracking on only when they accept.
- Evidence:
- https://northwind.app/ — page header
You use only the outside services you actually need
- Severity: info
- Confidence: high
- Business impact: Every external service on the page maps to a real job — sign-in, payments, and measurement — with no ad trackers, social pixels, or session-recording tools bolted on. That keeps both privacy risk and page weight low.
- Detail: The distinct third parties are a sign-in provider, a payments provider, a measurement tag, and your own service; no advertising, social, or session-replay trackers were detected. The one exposed key the scan found sits in your own bundle (covered under Security), not in a vendor script.
- Fix: No action needed. Keep new vendors behind the same disciplined gate.
- Evidence:
- https://northwind.app/ — loaded third-party scripts
Operations Map & Automation/AI
northwind.app runs on a lean managed stack, so the heavy lifting — sign-in, hosting, payments — is already automated. But three concrete gaps still create manual load: account emails that may not arrive, no automatic alarm when the writing service is down, and billing for paid plans that isn't set up to run itself.
Site map
```mermaid
graph TD
  home["/"]
  download["/download"]
  pricing["/#pricing"]
  faq["/faq"]
  contact["/contact"]
  home --> download
  home --> pricing
  home --> faq
  home --> contact
```
Customer journey
```mermaid
graph LR
  visit[Visit home] --> install[Install extension]
  install --> signin[Sign in]
  signin --> write[Use the writing tool]
  write --> upgrade[Upgrade to paid]
```
Business process (inferred)
```mermaid
graph TD
  signup[Sign-up] --> email[Automatic account email]
  email --> active[Active user]
  active --> support[Support inbox]
```
Automation & AI opportunities
Your automatic account emails may not reach customers
- Severity: high
- Confidence: high
- Business impact: Sign-up confirmations and password resets are sent automatically from your domain, but because the domain publishes no email-authentication records, receiving servers can't tell them apart from fakes, so they are more likely to be filtered to spam or rejected outright. Every one that goes missing becomes a support ticket at the worst possible moment: a new customer trying to get started.
- Detail: The sign-in service sends verification and reset email from the domain, which publishes no sender policy, message signing, or anti-fraud rule, so the messages can't be authenticated by receiving servers.
- Fix: Publish the three email-authentication records and route account email through an authenticated sender so messages are verified and retried automatically.
- Evidence:
- northwind.app — domain email records
Nothing tells you automatically when the writing service is down
- Severity: medium
- Confidence: high
- Business impact: The core writing feature has no health check and no status page, so an outage is discovered the hard way — through a wave of 'is it broken?' emails — instead of an automatic alert. That means slower fixes and more support load during exactly the moments that hurt most.
- Detail: No health endpoint or public status page was detected for the writing service, and no automated uptime monitoring or on-call signal is visible from the public surface.
- Fix: Add a simple health check and automatic alerting that pages you on errors or latency, and stand up a public status page.
- Evidence:
- https://api.northwind.app/ — writing service surface
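Added example, not from the report: the alerting logic behind "pages you on errors or latency", run over a constructed sequence of probe results rather than a live call (api.northwind.app exposes no health path to call yet). The latency objective, the streak lengths and the probe results are assumptions of the example; the point it shows is why an alert needs a few consecutive bad checks before it fires and a few good ones before it clears.

```python
# Constructed probe results, (http_ok, latency_ms), one per 30-second check.
# No real endpoint is called; these values are made up for the example.
SAMPLE_PROBES = [
    (True, 180), (True, 210), (True, 2600), (True, 190),   # one slow blip: no page
    (False, 0), (False, 0), (False, 0),                    # 3 hard failures: page
    (True, 200), (True, 220), (True, 205), (True, 190),    # 3 good checks: resolve
]


class UptimeMonitor:
    """Open an alert only after fail_n consecutive bad probes and close it only
    after recover_n consecutive good ones, so a single blip pages nobody and a
    flapping service does not page every 30 seconds."""

    def __init__(self, latency_slo_ms=1000, fail_n=3, recover_n=3):
        self.latency_slo_ms = latency_slo_ms
        self.fail_n = fail_n
        self.recover_n = recover_n
        self.bad_streak = 0
        self.good_streak = 0
        self.alerting = False

    def is_bad(self, ok, latency_ms):
        # An error response and a breach of the latency objective both count as down:
        # a rewrite that takes three seconds is an outage to the person waiting.
        return (not ok) or latency_ms > self.latency_slo_ms

    def observe(self, ok, latency_ms):
        """Feed one probe result; return 'page', 'resolve' or None."""
        if self.is_bad(ok, latency_ms):
            self.bad_streak += 1
            self.good_streak = 0
            if not self.alerting and self.bad_streak >= self.fail_n:
                self.alerting = True
                return "page"
        else:
            self.good_streak += 1
            self.bad_streak = 0
            if self.alerting and self.good_streak >= self.recover_n:
                self.alerting = False
                return "resolve"
        return None


def run(probes, **kwargs):
    """Return the list of (probe_index, event) transitions the monitor would emit."""
    monitor = UptimeMonitor(**kwargs)
    events = []
    for i, (ok, latency) in enumerate(probes):
        event = monitor.observe(ok, latency)
        if event:
            events.append((i, event))
    return events


if __name__ == "__main__":
    print(run(SAMPLE_PROBES))
```

In production the probe is an HTTP request to a dedicated health path that exercises the writing service's real dependency (not just "the process is up"), the page goes to whoever is on call, and each resolve is what the public status page should post automatically.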
Billing for paid plans isn't set up to run on its own yet
- Severity: medium
- Confidence: medium
- Business impact: Your pricing promises beta users a discount when paid plans launch, but granting those discounts, chasing failed payments, and handling cancellations by hand would turn launch day into a recurring manual chore instead of a one-time setup.
- Detail: Checkout is integrated, but no recurring-billing lifecycle (plans, discount codes, self-serve plan changes, failed-payment retries) is wired up ahead of the beta-to-paid switch.
- Fix: Model the plans in your payment provider's billing tools, issue a coupon for the beta discount, enable a self-serve customer portal, and turn on automatic retries for failed cards.
- Evidence:
- https://northwind.app/#pricing — pricing section
Operational signals
- TLS certificate: 120 days until expiry.
- HSTS: enabled.
- HTTPS redirect: HTTP is upgraded to HTTPS.
- Health/status endpoints: none detected.
- CDN/WAF: content-delivery-network.
- Rate limiting: no signals observed.
Questions for your team
- What uptime do you commit to, and how do you measure it?
- How often are backups taken, and when did you last test a restore?
- Who is on call, and what is the escalation path after hours?
- What is your plan when the writing service goes down?
Performance metrics
https://northwind.app/ (source: cdp)
| Metric | Value |
|---|---|
| cls | 0.0235 |
| fcp_ms | 216 |
| lcp_ms | 412 |
| load_ms | 268 |
| ttfb_ms | 122.9 |
https://northwind.app/ (mobile) (source: cdp)
| Metric | Value |
|---|---|
| cls | 0 |
| fcp_ms | 336 |
| lcp_ms | 512 |
| load_ms | 1330.5 |
| ttfb_ms | 124.6 |
Scanner appendix
Values shown as [REDACTED:…] were secret-shaped and removed before analysis.
seo
| Key | Value |
|---|---|
| canonical | https://northwind.app/ |
| h1_count | 0 |
| hreflang | [] |
| images | {'total': 0, 'with_alt': 0, 'missing_alt': 0, 'alt_coverage': 1.0} |
| json_ld | {'count': 1, 'types': []} |
| meta_description | {'text': 'Write with confidence — grammar correction, tone adjustments, and clear rewriting. Available as a browser extension and Google Docs add-on.', 'length': 167} |
| open_graph | {'og:title': 'Northwind — Grammar & Writing Assistant', 'og:image': 'https://northwind.app/og-image.png'} |
| site_files | {'robots_txt_present': True, 'sitemap_present': True, 'sitemap_urls': ['https://northwind.app/sitemap.xml']} |
| title | {'text': 'Northwind — Grammar & Writing Assistant for Chrome & Google Docs', 'length': 56} |
| twitter:card | summary_large_image |
ai_readiness
| Key | Value |
|---|---|
| ai_crawlers | {'robots_present': True, 'blanket_disallow_all': False, 'blocked': [], 'allowed': ['answer-engines']} |
| ai_metadata_leak | {'present': False, 'markers': []} |
| available | true |
| content_extractability | {'raw_text_words': 0, 'rendered_text_words': 699, 'ratio': 0.0, 'js_dependent': True, 'threshold': 0.3} |
| llms_txt | {'present': False, 'full_present': False} |
| overt_ai_marketing | {'count': 0, 'phrases': [], 'prominent': False} |
| structured_data | {'present': True, 'count': 1, 'types': ['Organization', 'WebApplication'], 'aeo_relevant_types': ['Organization', 'WebApplication', 'Offer']} |
| url | https://northwind.app/ |
a11y
| Key | Value |
|---|---|
| available | true |
| form_controls | {'total': 0, 'unlabeled': 0, 'unlabeled_samples': []} |
| headings | {'h1_count': 1, 'order': [1, 2, 2, 2, 3, 3], 'single_h1': True, 'skipped_levels': [], 'well_structured': True} |
| html_lang | {'present': True, 'value': 'en'} |
| images | {'total': 10, 'with_alt': 10, 'missing_alt': 0, 'alt_coverage': 1.0, 'missing_samples': []} |
| interactive_names | {'total': 27, 'unnamed': 0, 'unnamed_samples': []} |
| source | rendered |
| title | {'present': True, 'text': 'Northwind — Grammar & Writing Assistant'} |
| url | https://northwind.app/ |
| viewport | {'present': True, 'content': 'width=device-width, initial-scale=1'} |
headers
| Key | Value |
|---|---|
| leakage | [{'header': 'server', 'value': '[REDACTED:server-banner]'}] |
| meta_csp_present | true |
| missing | ['content-security-policy'] |
| security_headers | {'content-security-policy': {'present': False, 'value': None}, 'strict-transport-security': {'present': True, 'value': 'max-age=63072000; includeSubDomains; preload'}, 'x-frame-options': {'present': True, 'value': 'SAMEORIGIN'}, 'x-content-type-options': {'present': True, 'value': 'nosniff', 'nosniff': True}, 'referrer-policy': {'present': True, 'value': 'strict-origin-when-cross-origin'}, 'permissions-policy': {'present': True, 'value': 'geolocation=()'}} |
dns_email
| Key | Value |
|---|---|
| dkim | {'present': False} |
| dmarc | {'present': False, 'policy': None} |
| domain | northwind.app |
| spf | {'present': False, 'records': []} |
| subdomain_takeover | {'findings': []} |
cookies_tls
| Key | Value |
|---|---|
| insecure_cookies | [] |
| mixed_content | [] |
| tls | {'protocol': 'TLSv1.3', 'not_after': 'Oct 20 23:59:59 2026 GMT', 'days_until_expiry': 120, 'expired': False, 'deprecated_protocol': False} |
js_cve
| Key | Value |
|---|---|
| libraries_scanned | 3 |
| vulnerabilities | [] |
privacy
| Key | Value |
|---|---|
| cookie_consent_present | false |
| findings | 1 items (see bundle/scanners/privacy.json) |
| privacy_policy_present | true |
exposed_secrets
| Key | Value |
|---|---|
| count | 1 |
| exposed_secrets | [{'kind': 'service_key', 'value': '[REDACTED:service-key]', 'url': 'https://northwind.app/static/js/app.js'}] |
| scripts_scanned | 1 |
ops_signals
| Key | Value |
|---|---|
| cdn_waf | {'vendors': ['content-delivery-network'], 'evidence': {'cache-status': '[present]'}} |
| health_endpoints | {'status_page': False, 'health_endpoint': False, 'found_paths': []} |
| hsts | {'present': True, 'max_age': 63072000, 'include_subdomains': True, 'preload': True} |
| questions | ['What uptime do you commit to, and how do you measure it?', 'How often are backups taken, and when did you last test a restore?', 'Who is on call, and what is the escalation path after hours?', 'What is your plan when the writing service goes down?'] |
| rate_limiting | {'retry_after': None, 'rate_limit_headers': []} |
| redirect | {'hops': 1, 'https_upgrade': True, 'final_is_https': True, 'final_status': 200, 'chain': ['http://northwind.app/']} |
| tls | {'protocol': 'TLSv1.3', 'not_after': 'Oct 20 23:59:59 2026 GMT', 'days_until_expiry': 120, 'expired': False, 'expiring_soon': False, 'deprecated_protocol': False} |
Ticket-ready backlog
- ☐ [P0] Revoke the exposed service key and move it server-side — Security · impact: critical · effort: low. The key ships to every visitor; treat it as compromised and rotate now.
- ☐ [P0] Publish email-authentication records — Security · impact: high · effort: low. No sender policy, signing, or anti-fraud rule is published for the domain.
- ☐ [P1] Pre-render the marketing pages so their content is in the source — SEO · impact: high · effort: medium. Search and AI crawlers see an empty shell until the page's code runs.
- ☐ [P1] Add social proof near the primary call to action — Content & Presentation · impact: medium · effort: low. The page offers no third-party credibility signals.
- ☐ [P1] Gate analytics and tracking behind consent — Tech & Analytics · impact: medium · effort: low. Tracking fires before any consent step for EU/UK visitors.
- ☐ [P2] Add health checks, alerting, and a public status page — Operations Map & Automation/AI · impact: medium · effort: medium. An outage is currently discovered through support email.
Tool coverage
10 of 10 scanners produced results.
Ran: a11y, ai_readiness, cookies_tls, dns_email, exposed_secrets, headers, js_cve, ops_signals, privacy, seo.
Limitations & coverage
These dimensions did not complete a full analysis:
- Market & Competitive Research: skipped_disabled (disabled for this run) — market and competitive research was turned off for this run. It needs a web-research backend; re-running with it enabled covers competitors and positioning.
- Business Growth: skipped_disabled (disabled for this run) — the growth-experiments review was turned off for this run. Re-running with it enabled looks at the sign-up funnel and conversion levers in depth.