Website health briefing — northwind.app
Generated June 24, 2026 at 11:30 AM PDT · https://northwind.app/
We reviewed your public website the way a normal visitor sees it — no logins, no private areas, and nothing was changed.
What this is
Northwind is a writing and grammar assistant delivered as a browser extension and a Google Docs add-on. It checks and rewrites text for grammar, tone, and clarity, and is free during a public beta.
Our view
This is a well-built, professional product in good shape — it loads exceptionally fast, looks polished and distinctive, and is easy for anyone to use. There is one emergency to handle today: a private key was left in the code your page hands every visitor, and it should be revoked right away. After that, the most valuable fixes are protecting your business email from impersonation, making your content visible to search engines and AI assistants, and adding outside proof that people trust you. None of these are hard, and clearing them moves you from a failing grade to a strong one. There are also a handful of minor housekeeping notes worth a quick pass when it's convenient.
What's working well
- Your site is genuinely fast — it appears almost instantly on computers and phones.
- The design is polished and distinctive, with a clean editorial look that signals quality.
- The site is easy for everyone to use, including people who rely on assistive tools.
- Your core web security is sound — visitor traffic is encrypted and the connection is locked down.
- The marketing copy is clear and persuasive, with concrete examples of who it's for.
- The technology behind the site is lean — only the outside services you actually need, with no tracker clutter.
What we checked
Of the checks we ran, 32 came back clean.
Here's what's holding up well, area by area:
⚠️ Being found — 10 of 14 passed clean
- ✓ Page has a title — no issues found
- ✓ Search-result description present — no issues found
- ✓ Marks the main version of a page — no issues found
- ✓ Structured data for search — no issues found
- …and 6 more checks passed clean
- ⚠️ Has a main heading — needs attention (see "What deserves your attention")
- ⚠️ Content readable without JavaScript — needs attention (see "What deserves your attention")
- ◽ Other-language versions are linked — we couldn't confirm this run
- ◽ AI guidance file — we couldn't confirm this run
✓ Speed & experience — 6 of 6 passed clean
- ✓ Page declares its language — no issues found
- ✓ Works well on phones — no issues found
- ✓ Clear heading structure — no issues found
- ✓ Links and buttons have descriptive labels — no issues found
- …and 2 more checks passed clean
⚠️ Trust & safety — 14 of 19 passed clean
- ✓ Secure connection — no issues found
- ✓ Modern encryption — no issues found
- ✓ Certificate not expiring soon — no issues found
- ✓ Cookies set securely — no issues found
- …and 10 more checks passed clean
- ⚠️ Limits which code can run on your pages — needs attention (see "What deserves your attention")
- ⚠️ Doesn't reveal its hosting/tech — needs attention (see "What deserves your attention")
- ⚠️ Email anti-spoofing — needs attention (see "What deserves your attention")
- ⚠️ Email signing — needs attention (see "What deserves your attention")
- ⚠️ Email anti-fraud policy — needs attention (see "What deserves your attention")
⚠️ Growth & operations — 2 of 5 passed clean
- ✓ Privacy policy present — no issues found
- ✓ Behind a content-delivery and filtering service — no issues found
- ⚠️ Cookie-consent banner — needs attention (see "What deserves your attention")
- ◽ Health-check endpoint (a web address other tools can reach) — we couldn't confirm this run
- ◽ Rate limiting in place — we couldn't confirm this run
How to read this
We grade each area from A to F, and a straight-A result IS the goal — an A means an area is in genuinely good shape. Below, for every area scoring under an A, we show exactly what's holding the grade down and why it matters to your business, so you know precisely what to fix to get there.
Some lower grades, though, are the RIGHT call for where you are right now: a deliberate business decision, something sensibly deferred until you actually need it, or a path that never runs in front of customers. Those are trade-offs, not flaws — and where a B or C is a reasonable trade-off for your stage rather than a real gap, we say so explicitly next to the item. Work the serious items first, and keep the trade-offs you've made on purpose.
Since your last run
This is your first tracked run — future runs will show your progress here, so you can see what improved and what's new at a glance.
At a glance
Here's every area we reviewed, ordered by how much it affects your business — most impactful first. Each line is what the area covers and how it's doing. The "things to address" counts here are the issues we found; the full detail for each one is in "What deserves your attention" below, and "Everything we checked" lists every individual check behind these areas.
- Turning visitors into customers — grade C. Whether the people who visit your site actually sign up, buy, or get in touch. A few things to tighten — 2 things to address. Top concern: Nothing on the page proves other people trust you.
- Being found — grade B. Whether new customers can discover you through Google and other search engines. Needs attention ⚠️ — 3 things to address. Top concern: Search engines and AI assistants can't see your page's words or links.
- Speed & experience — grade C. Whether your site loads quickly and is easy and pleasant to use on any device. A few things to tighten — 3 things to address. Top concern: Your before/after demo relies on color alone.
- Trust & safety — grade F. Whether your customers' data and payments are protected and the site is safe to use. Needs attention ⚠️ — 4 things to address. Top concern: A private key is exposed in your page's public code.
- Growth & operations — grade D. Whether you have the tools to see what's working and run the business smoothly. Needs attention ⚠️ — 4 things to address. Top concern: Your automatic account emails may not reach customers.
The biggest risks
Where separate problems combine into something more serious than any one alone:
- A private key is exposed in your public code AND your email can be impersonated — together that gives an attacker both a working credential and a believable way to phish your customers with it.
- Search engines and AI assistants both can't read your page AND there's no outside proof of trust — so new visitors are hard to reach and, once they arrive, have little reason to believe you.
- Account emails may not arrive AND there's no alert when the service is down — so a quiet failure can frustrate new customers for hours before you hear about it.
How this audit was done
This is an automated audit of your website, run on 2026-06-24: it examines your website and reasons over it the way an experienced reviewer would. It's a first pass, not a human sign-off: treat the most serious items as a prompt to look closer rather than a guarantee, and see "What we couldn't fully check" at the end for where the audit was limited.
lens runs 86 checks for your website; on this run we examined 84 of them across 5 areas — covering security, reliability, cost, and growth. Some were turned off for this run (see "What we couldn't fully check" below); "Everything we checked" lists each one, grouped by area.
What deserves your attention
These are ordered by how serious they are. Start at the top.
Major concerns
Being found
1. Search engines and AI assistants can't see your page's words or links
Your page is assembled inside each visitor's browser, so search engines and AI assistants often see an almost-empty page — and the wording and links that should bring you new customers are invisible to them.
2. AI assistants can't see what makes you different
When someone asks an AI assistant for a recommendation, it reads your plain page — which is nearly empty — so your real selling points are invisible and you get described generically, if at all.
Trust & safety
1. A private key is exposed in your page's public code
A secret meant to stay on your servers was bundled into the code every visitor downloads, so anyone can copy it and run up charges or reach data it unlocks. This is the single most urgent thing to fix.
2. Anyone can send email pretending to be your business
Your domain has none of the standard protections that prove an email really came from you, which invites scams aimed at your customers and pushes your own sign-up and billing emails into spam.
Growth & operations
1. Your automatic account emails may not reach customers
Sign-up and password-reset emails are sent automatically from your domain, but because it has no email-authentication protection they're easily faked and often land in spam — turning a new customer's first step into a support ticket.
Should fix
Turning visitors into customers
1. Nothing on the page proves other people trust you
You ask first-time visitors to install a tool that reads what they type, but show no reviews, ratings, install counts, or familiar names — so more visitors hesitate and leave right when they're deciding to sign up.
Speed & experience
1. Your before/after demo relies on color alone
The correction examples that prove your tool works mark 'before' and 'after' with red and green only, so color-blind visitors and anyone in bright sunlight can't tell which side is the fix — turning your best proof into confusion.
Trust & safety
1. Visitor tracking starts before asking permission
Tracking begins the moment the page opens, with no consent prompt — which can break privacy law for the European and UK visitors a tool like this attracts.
Growth & operations
1. Your analytics runs without asking permission
Your visitor analytics starts tracking the moment the page loads, which needs consent first for European and UK visitors — and without it your own measurement will degrade as the rules tighten.
2. Nothing alerts you automatically when the service goes down
The core writing feature has no health check or status page, so you learn about outages from a wave of 'is it broken?' emails instead of an automatic alert — meaning slower fixes and more support load.
3. Billing for paid plans isn't set up to run itself
Your pricing promises beta users a discount at launch, but granting discounts, chasing failed payments, and handling cancellations by hand would make launch day a recurring manual chore instead of a one-time setup.
Minor
Turning visitors into customers
1. Your pricing promises a discount but not from what
Telling beta users they'll get 'a discount' with no reference price means they can't tell what they're locking in now, which softens the urgency to sign up.
Being found
1. Your search-result description gets cut off
The summary shown under your title in search results is too long, so the end of your pitch never reaches the people deciding whether to click.
Speed & experience
1. On phones, the page works in the background a while after it appears
The page looks ready quickly, but on slower phones it keeps doing work behind the scenes afterward, which can feel a little sluggish to tap. Worth watching as you grow.
2. Some of your lightest gray text may be hard to read
Low-contrast text is the most common readability complaint and especially affects older visitors and people on phones outdoors — a meaningful part of a broad audience.
Trust & safety
1. A page-protection rule is set the weaker way
You have a strong rule limiting which code can run on your pages, but it's delivered in the form browsers only partly enforce and that can't report abuse.
Everything we checked
Even where everything's fine, here's what we looked at — so you can see the review was thorough, not just a list of problems. Each area shows the individual checks we ran and the specific things the reviewer weighed.
Turning visitors into customers — 3 of 5 checks OK
Whether the people who visit your site actually sign up, buy, or get in touch.
We confirmed 3 of 5 individual checks here; 1 check needs attention; 1 check we couldn't confirm this run.
- ⚠️ Clear, persuasive content
Whether your wording quickly explains what you offer and convinces visitors it's worth their time. This one isn't in place yet — a worthwhile improvement to make when you can.
- ◽ Conversion basics (sign-up path, trust signals)
Whether the path from landing on your site to signing up is clear and convincing. We couldn't confirm this on this run.
We also weighed these, and they're in good shape unless flagged in the findings above:
- What you offer is clear the moment the page loads, before any scrolling
- The buttons telling visitors what to do next are clear and persuasive
- The wording reads well and includes signals that build visitor trust
Being found — 21 of 25 checks OK
Whether new customers can discover you through Google and other search engines.
We confirmed 21 of 25 individual checks here; 2 checks need attention; 2 checks we couldn't confirm this run.
- ⚠️ Has a main heading
A clear top headline tells visitors and Google what the page is about at a glance. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Content readable without JavaScript
Whether your words are visible to AI crawlers, which usually don't run JavaScript the way a web browser does. Found on your website — review and address (most of your text only appears after JavaScript runs, so AI crawlers may not see it).
- ✅ Page has a title
The headline shown in search results and browser tabs; it's the first thing people see when deciding whether to click. It's correctly set up — no changes needed.
- ✅ Search-result description present
The short summary under your title in search results; a good one persuades more people to click through to you. It's correctly set up — no changes needed.
- ✅ Marks the main version of a page
Tells search engines which version of a page is the main one, so your ranking isn't split across duplicates. It's correctly set up — no changes needed.
- ✅ Structured data for search
Extra labels that help Google show rich results like star ratings or prices, making your listing stand out. It's correctly set up — no changes needed.
- ✅ Social link previews
Controls the title, image, and text shown when your link is shared on social media, so it looks appealing. It's correctly set up — no changes needed.
- ✅ Twitter/X link preview
Controls how your link looks when shared on Twitter/X, so it shows a proper preview instead of a bare address. It's correctly set up — no changes needed.
- ✅ Images have text descriptions
Short text descriptions of images so search engines and visitors using screen readers understand what each picture shows. It's correctly set up — no changes needed.
- ✅ Search-crawler rules present
A robots.txt file and page-level rules tell search engines which pages they may show, so important pages aren't accidentally hidden from search. It's correctly set up — no changes needed.
- ✅ AI assistants allowed to read your site
Whether the rules in your site's crawler file let AI answer engines read your pages so they can recommend you to people who ask. It's correctly set up — no changes needed.
- ✅ Structured data AI answers can use
Machine-readable labels about your product, business, and FAQs that AI answer engines rely on to quote you accurately. It's correctly set up — no changes needed.
- ◽ Other-language versions are linked
Tells search engines about other-language versions of a page, so visitors are shown the right one for them. We couldn't confirm this on this run.
- ◽ AI guidance file
A simple text file that points AI assistants like ChatGPT and Perplexity straight to your most important content. This optional file isn't published yet — an emerging, nice-to-have standard as AI search grows.
We also weighed these, and they're in good shape unless flagged in the findings above:
- Each page has its own title and description for search results
- Search engines are told clearly which version of each page to index and where to find them all
- Headings are well-structured and images have meaningful descriptions
- Your content can be read by search and AI crawlers, not hidden behind code they can't run
- Pages include the machine-readable details that search and AI engines use to understand them
- How you treat AI crawlers is a deliberate choice, not an accidental block
- Any AI in the product is presented honestly, around the benefit to the customer
- Internal AI-generation details don't show up on your public pages
- The main competitors and alternatives have been identified
- There's a clear read on what sets you apart and how you're positioned
- Every claim in the research is backed by a source
Speed & experience — 16 of 16 checks OK
Whether your site loads quickly and is easy and pleasant to use on any device.
- ✅ Page declares its language
Tells browsers and screen readers what language your page is written in, so it's read aloud and offered for translation correctly. It's correctly set up — no changes needed.
- ✅ Works well on phones
A small setting that tells phones to fit the page to the screen and allow pinch-to-zoom, so visitors on mobile aren't stuck scrolling sideways. It's correctly set up — no changes needed.
- ✅ Clear heading structure
Well-organised headings let visitors — and people using screen readers — scan your page and jump straight to the part they need. It's correctly set up — no changes needed.
- ✅ Links and buttons have descriptive labels
Links and buttons need words a screen reader can announce; an icon-only one with no label leaves those visitors with no idea what it does. It's correctly set up — no changes needed.
- ✅ Page loading speed
We measured this on a phone: your homepage's main content appears in 0.5s (desktop 0.4s). Google ranks on the mobile experience and treats under 2.5s as 'good' and over 4.0s as 'slow' — most visitors are on phones, so mobile speed is what counts most. That's in the 'good' range on mobile — no changes needed.
- ✅ Visual design and mobile layout
Whether your site looks professional and works well on phones, where most visitors first meet your brand. It's correctly set up — no changes needed.
We also weighed these, and they're in good shape unless flagged in the findings above:
- Your main pages show their content quickly
- Pages don't jump around as they load and respond promptly to taps and clicks
- No heavy files are holding up how fast the page appears
- Images describe themselves for screen readers and the page states its language
- Forms, links, and buttons are clearly labeled so everyone can use them
- Page headings follow a clean, logical outline
- The site is set up to display properly on phones
- The page is laid out cleanly so visitors' eyes go to the right things
- Text is easy to read and colors are easy on the eyes for everyone
- Nothing looks broken or runs off the screen on a phone
Trust & safety — 21 of 26 checks OK
Whether your customers' data and payments are protected and the site is safe to use.
We confirmed 21 of 26 individual checks here; 5 checks need attention.
- ⚠️ Limits which code can run on your pages
An extra layer of protection that limits which code is allowed to run on your pages, so a stray or tampered script has far less room to cause harm. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Doesn't reveal its hosting/tech
Checks your site isn't broadcasting the software and hosting it runs on, which gives attackers a head start. Found on your website — review and address (reveals [REDACTED:server-banner]).
- ⚠️ Email anti-spoofing
Lets mail servers verify that emails claiming to be from your domain are really yours, so scammers can't impersonate you. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Email signing
Adds a tamper-proof signature to your emails so recipients can trust they genuinely came from you and weren't altered. This one isn't in place yet — a worthwhile improvement to make when you can.
- ⚠️ Email anti-fraud policy
Tells other mail servers what to do with fake emails pretending to be from you, stopping scammers using your name. This one isn't in place yet — a worthwhile improvement to make when you can.
- ✅ Secure connection
Encrypts the connection between visitors and your site so no one can snoop on or tamper with what's sent. It's correctly set up — no changes needed.
- ✅ Modern encryption
The latest, fastest version of that encryption, giving visitors stronger protection and quicker secure connections. It's correctly set up — no changes needed.
- ✅ Certificate not expiring soon
The security certificate behind the padlock; if it lapses, browsers warn visitors away with a scary error. It's correctly set up — no changes needed.
- ✅ Cookies set securely
Makes sure the small files your site stores on visitors' devices can't be read or stolen over an insecure connection. It's correctly set up — no changes needed.
- ✅ No insecure content on a secure page
Checks that every part of a secure page also loads securely, so nothing on it can be tampered with in transit. It's correctly set up — no changes needed.
- ✅ Forces secure connections
Tells browsers to always use the secure version of your site, so visitors can't be downgraded to an insecure connection. It's correctly set up — no changes needed.
- ✅ Blocks clickjacking
Stops other sites from secretly embedding yours to trick visitors into clicking things they didn't mean to. It's correctly set up — no changes needed.
- ✅ Stops browsers from guessing file types
Stops browsers from guessing file types, which can otherwise be tricked into running a harmful file as code. It's correctly set up — no changes needed.
- ✅ Limits what's shared with sites you link to
Controls how much about your pages is shared with other sites visitors click through to, protecting their privacy. It's correctly set up — no changes needed.
- ✅ Limits which device features pages can use
Limits which device features, like camera or location, your pages can use, reducing what a hijacked page could abuse. It's correctly set up — no changes needed.
- ✅ No subdomain-takeover risk
Checks you have no abandoned subdomains an attacker could claim and use to impersonate your brand. It's correctly set up — no changes needed.
- ✅ No known vulnerable libraries
Checks the third-party code your site relies on has no publicly known security holes that attackers actively exploit. It's correctly set up — no changes needed.
- ✅ Visitor data sent privately
Makes sure personal details visitors enter are sent over a secure connection, never in plain text others could read. It's correctly set up — no changes needed.
- ✅ No behind-the-scenes AI details leak publicly
Checks that the behind-the-scenes details of any AI used to build your pages — things like prompts, model names, or cost notes — aren't left visible in your page's code for anyone to read. It's correctly set up — no changes needed.
We also weighed these, and they're in good shape unless flagged in the findings above:
- The site sends the right safety settings to visitors' browsers
- Cookies are set securely and every part of the page loads over a safe connection
- The site doesn't leak internal version or error details that help an attacker
- No private keys are exposed in the code that runs in visitors' browsers
- Your email is set up so messages from your domain can't be easily faked
- Inline scripts are allowed by a nonce or hash, not 'unsafe-inline', and aren't blocked by the page's own CSP
- No React hydration mismatch (server HTML matches the client's first render)
Growth & operations — 9 of 12 checks OK
Whether you have the tools to see what's working and run the business smoothly.
We confirmed 9 of 12 individual checks here; 1 check needs attention; 2 checks we couldn't confirm this run.
- ⚠️ Cookie-consent banner
Asks visitors' permission before using tracking cookies, which many privacy laws require you to do. This one isn't in place yet — a worthwhile improvement to make when you can.
- ✅ Privacy policy present
A page explaining how you handle visitors' data; customers expect it and it's often legally required. It's correctly set up — no changes needed.
- ✅ Behind a content-delivery and filtering service
A service that speeds up your site worldwide and filters out malicious traffic before it reaches you. It's correctly set up — no changes needed.
- ◽ Health-check endpoint (a web address other tools can reach)
A simple status address monitoring tools can ping to confirm your site is up, so you hear about outages fast. We couldn't confirm this on this run.
- ◽ Rate limiting in place
Caps how many requests one source can make, protecting your site from abuse and overload. We couldn't confirm this on this run.
We also weighed these, and they're in good shape unless flagged in the findings above:
- You're measuring visitor behavior on the pages that matter
- Visitor consent is handled where the law requires it
- Outside scripts on the page are limited to the ones you actually need
- The workflow diagrams are based on the tools actually detected on your site
- Each suggested automation names a specific tool and the manual step it would save
- Anything the review inferred is labeled by how confident it is and limited to what's publicly visible
- The links your own pages point to actually work — no dead 'page not found' links
What to do next
In priority order — start at the top and work down.
- Revoke and replace the exposed key today, then move it somewhere it never ships to visitors' browsers.
- Protect your business email so messages can't be faked and your own account emails reach customers.
- Make your content visible to search engines and AI assistants by delivering it in the page's source.
- Add proof that people trust you — reviews, ratings, install counts, or familiar names — near the sign-up button.
- Ask permission before tracking, and get ready to run smoothly as you grow: alerts, a status page, and self-serve billing — plus a quick pass over the minor housekeeping notes.
What we couldn't fully check
Every review has limits — this was an automated check, not an exhaustive one. Here's what this run could NOT fully assess, and exactly why; re-running covers these:
- Market & Competitive Research — this area was turned off for this run — re-running with it on covers it
- Business Growth — this area was turned off for this run — re-running with it on covers it