Technical Audit — northwind.app

Generated June 24, 2026 at 11:30 AM PDT · seed https://northwind.app/ · secrets redacted

Methodology & scope

Passive, unauthenticated review of the public website at https://northwind.app/ — seen the way a normal visitor's browser sees it. No logins, no private areas, and nothing was changed. This is an anonymized sample on fictional data.

Residual: Screenshots are not text-redacted. Secret-shaped strings are stripped from captured text (headers, HTML, scanner output) before analysis, but page screenshots are sent to the vision model as raw pixels. A secret rendered visibly on a page — for example an API key shown in an admin panel — is not removed and reaches the model. Treat captured screenshots as sensitive.

How to read this

This is a home inspection, not a report card. We surface everything we find and rank it by seriousness — but not every item is a must-fix, and clearing every flag is not the goal. Some findings (and the B/C grades that reflect them) are reasonable trade-offs for your stage: a deliberate business decision, something sensibly deferred until you need it, or a path that doesn't run in production. Chasing an A in every area — or zero findings — usually means over-engineering, or papering over a real choice. Work the serious items first; accept the trade-offs that fit where you are. A healthy result is no unaddressed serious issues — not straight A's.

Coverage summary

46 checks across 5 areas: 32 passed, 9 flagged, 5 not determined.

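| Area | Passed | Flagged | Not determined |
| --- | --- | --- | --- |
| Turning visitors into customers | 0 | 1 | 1 |
| Being found | 10 | 2 | 2 |
| Speed & experience | 6 | 0 | 0 |
| Trust & safety | 14 | 5 | 0 |
| Growth & operations | 2 | 1 | 2 |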

Verified clean

These checks ran and found no issues:

Findings

SEO

Your page's words and links are only built after it loads in a browser

Your search-result description is longer than search engines will show

AI Readiness & Trust

AI answer assistants see a blank page where your selling points should be

Your business description is already machine-readable — a real strength

Performance

Your site loads fast, with room to spare

On phones, the page keeps working in the background longer after it appears

Accessibility

Your before/after demo tells people apart using color only

Some of your lightest gray text may be hard to read

The accessibility basics are strong across the board

Security

A private access key is sitting in your page's public code

Anyone can send email pretending to be your business

Visitor tracking starts before anyone agrees to it

A page-protection rule is set the weaker of the two ways

Your pages quietly announce what they're hosted on

Content & Presentation

Nothing on the page shows that other people trust you

Your pricing promises a discount but never says from what

Tech & Analytics

Your analytics runs without asking permission

You use only the outside services you actually need

Operations Map & Automation/AI

northwind.app runs on a lean managed stack, so the heavy lifting — sign-in, hosting, payments — is already automated. But three concrete gaps still create manual load: account emails that may not arrive, no automatic alarm when the writing service is down, and billing for paid plans that isn't set up to run itself.

Site map

graph TD
  home["/"]
  download["/download"]
  pricing["/#pricing"]
  faq["/faq"]
  contact["/contact"]
  home --> download
  home --> pricing
  home --> faq
  home --> contact

Customer journey

graph LR
  visit[Visit home] --> install[Install extension]
  install --> signin[Sign in]
  signin --> write[Use the writing tool]
  write --> upgrade[Upgrade to paid]

Business process (inferred)

graph TD
  signup[Sign-up] --> email[Automatic account email]
  email --> active[Active user]
  active --> support[Support inbox]

Automation & AI opportunities

Your automatic account emails may not reach customers

Nothing tells you automatically when the writing service is down

Billing for paid plans isn't set up to run on its own yet

Operational signals

Questions for your team

Performance metrics

https://northwind.app/ (source: cdp)

| Metric | Value |
| --- | --- |
| cls | 0.0235 |
| fcp_ms | 216 |
| lcp_ms | 412 |
| load_ms | 268 |
| ttfb_ms | 122.9 |

https://northwind.app/ (mobile) (source: cdp)

| Metric | Value |
| --- | --- |
| cls | 0 |
| fcp_ms | 336 |
| lcp_ms | 512 |
| load_ms | 1330.5 |
| ttfb_ms | 124.6 |

Scanner appendix

Values shown as [REDACTED:…] were secret-shaped and removed before analysis.

seo

| Key | Value |
| --- | --- |
| canonical | https://northwind.app/ |
| h1_count | 0 |
| hreflang | [] |
| images | {'total': 0, 'with_alt': 0, 'missing_alt': 0, 'alt_coverage': 1.0} |
| json_ld | {'count': 1, 'types': []} |
| meta_description | {'text': 'Write with confidence — grammar correction, tone adjustments, and clear rewriting. Available as a browser extension and Google Docs add-on.', 'length': 167} |
| open_graph | {'og:title': 'Northwind — Grammar & Writing Assistant', 'og:image': 'https://northwind.app/og-image.png'} |
| site_files | {'robots_txt_present': True, 'sitemap_present': True, 'sitemap_urls': ['https://northwind.app/sitemap.xml']} |
| title | {'text': 'Northwind — Grammar & Writing Assistant for Chrome & Google Docs', 'length': 56} |
| twitter | {'twitter:card': 'summary_large_image'} |

ai_readiness

| Key | Value |
| --- | --- |
| ai_crawlers | {'robots_present': True, 'blanket_disallow_all': False, 'blocked': [], 'allowed': ['answer-engines']} |
| ai_metadata_leak | {'present': False, 'markers': []} |
| available | true |
| content_extractability | {'raw_text_words': 0, 'rendered_text_words': 699, 'ratio': 0.0, 'js_dependent': True, 'threshold': 0.3} |
| llms_txt | {'present': False, 'full_present': False} |
| overt_ai_marketing | {'count': 0, 'phrases': [], 'prominent': False} |
| structured_data | {'present': True, 'count': 1, 'types': ['Organization', 'WebApplication'], 'aeo_relevant_types': ['Organization', 'WebApplication', 'Offer']} |
| url | https://northwind.app/ |

a11y

| Key | Value |
| --- | --- |
| available | true |
| form_controls | {'total': 0, 'unlabeled': 0, 'unlabeled_samples': []} |
| headings | {'h1_count': 1, 'order': [1, 2, 2, 2, 3, 3], 'single_h1': True, 'skipped_levels': [], 'well_structured': True} |
| html_lang | {'present': True, 'value': 'en'} |
| images | {'total': 10, 'with_alt': 10, 'missing_alt': 0, 'alt_coverage': 1.0, 'missing_samples': []} |
| interactive_names | {'total': 27, 'unnamed': 0, 'unnamed_samples': []} |
| source | rendered |
| title | {'present': True, 'text': 'Northwind — Grammar & Writing Assistant'} |
| url | https://northwind.app/ |
| viewport | {'present': True, 'content': 'width=device-width, initial-scale=1'} |

headers

| Key | Value |
| --- | --- |
| leakage | [{'header': 'server', 'value': '[REDACTED:server-banner]'}] |
| meta_csp_present | true |
| missing | ['content-security-policy'] |
| security_headers | {'content-security-policy': {'present': False, 'value': None}, 'strict-transport-security': {'present': True, 'value': 'max-age=63072000; includeSubDomains; preload'}, 'x-frame-options': {'present': True, 'value': 'SAMEORIGIN'}, 'x-content-type-options': {'present': True, 'value': 'nosniff', 'nosniff': True}, 'referrer-policy': {'present': True, 'value': 'strict-origin-when-cross-origin'}, 'permissions-policy': {'present': True, 'value': 'geolocation=()'}} |

dns_email

| Key | Value |
| --- | --- |
| dkim | {'present': False} |
| dmarc | {'present': False, 'policy': None} |
| domain | northwind.app |
| spf | {'present': False, 'records': []} |
| subdomain_takeover | {'findings': []} |

cookies_tls

| Key | Value |
| --- | --- |
| insecure_cookies | [] |
| mixed_content | [] |
| tls | {'protocol': 'TLSv1.3', 'not_after': 'Oct 20 23:59:59 2026 GMT', 'days_until_expiry': 120, 'expired': False, 'deprecated_protocol': False} |

js_cve

| Key | Value |
| --- | --- |
| libraries_scanned | 3 |
| vulnerabilities | [] |

privacy

| Key | Value |
| --- | --- |
| cookie_consent_present | false |
| findings | 1 items (see bundle/scanners/privacy.json) |
| privacy_policy_present | true |

exposed_secrets

| Key | Value |
| --- | --- |
| count | 1 |
| exposed_secrets | [{'kind': 'service_key', 'value': '[REDACTED:service-key]', 'url': 'https://northwind.app/static/js/app.js'}] |
| scripts_scanned | 1 |

ops_signals

| Key | Value |
| --- | --- |
| cdn_waf | {'vendors': ['content-delivery-network'], 'evidence': {'cache-status': '[present]'}} |
| health_endpoints | {'status_page': False, 'health_endpoint': False, 'found_paths': []} |
| hsts | {'present': True, 'max_age': 63072000, 'include_subdomains': True, 'preload': True} |
| questions | ['What uptime do you commit to, and how do you measure it?', 'How often are backups taken, and when did you last test a restore?', 'Who is on call, and what is the escalation path after hours?', 'What is your plan when the writing service goes down?'] |
| rate_limiting | {'retry_after': None, 'rate_limit_headers': []} |
| redirect | {'hops': 1, 'https_upgrade': True, 'final_is_https': True, 'final_status': 200, 'chain': ['http://northwind.app/']} |
| tls | {'protocol': 'TLSv1.3', 'not_after': 'Oct 20 23:59:59 2026 GMT', 'days_until_expiry': 120, 'expired': False, 'expiring_soon': False, 'deprecated_protocol': False} |

Ticket-ready backlog

Tool coverage

10 of 10 scanners produced results.

Ran: a11y, ai_readiness, cookies_tls, dns_email, exposed_secrets, headers, js_cve, ops_signals, privacy, seo.

Limitations & coverage

These dimensions did not complete a full analysis: