Website health briefing — northwind.app

Generated June 24, 2026 at 11:30 AM PDT · https://northwind.app/

We reviewed your public website the way a normal visitor sees it — no logins, no private areas, and nothing was changed.

What this is

Northwind is a writing and grammar assistant delivered as a browser extension and a Google Docs add-on. It checks and rewrites text for grammar, tone, and clarity, and is free during a public beta.

Our view

This is a well-built, professional product in good shape — it loads exceptionally fast, looks polished and distinctive, and is easy for anyone to use. There is one emergency to handle today: a private key was left in the code your page hands every visitor, and it should be revoked right away. After that, the most valuable fixes are protecting your business email from impersonation, making your content visible to search engines and AI assistants, and adding outside proof that people trust you. None of these are hard, and clearing them moves you from a failing grade to a strong one. There are also a handful of minor housekeeping notes worth a quick pass when it's convenient.

What's working well

What we checked

Of the checks we ran, 32 came back clean.

Here's what's holding up well, area by area:

⚠️ Being found — 10 of 14 passed clean

✓ Speed & experience — 6 of 6 passed clean

⚠️ Trust & safety — 14 of 19 passed clean

⚠️ Growth & operations — 2 of 5 passed clean

How to read this

We grade each area from A to F, and a straight-A result IS the goal — an A means an area is in genuinely good shape. Below, for every area scoring under an A, we show exactly what's holding the grade down and why it matters to your business, so you know precisely what to fix to get there.

Some lower grades, though, are the RIGHT call for where you are right now: a deliberate business decision, something sensibly deferred until you actually need it, or a path that never runs in front of customers. Those are trade-offs, not flaws — and where a B or C is a reasonable trade-off for your stage rather than a real gap, we say so explicitly next to the item. Work the serious items first, and keep the trade-offs you've made on purpose.

Since your last run

This is your first tracked run — future runs will show your progress here, so you can see what improved and what's new at a glance.

At a glance

Here's every area we reviewed, ordered by how much it affects your business — most impactful first. Each line is what the area covers and how it's doing. The "things to address" counts here are the issues we found; the full detail for each one is in "What deserves your attention" below, and "Everything we checked" lists every individual check behind these areas.

The biggest risks

Where separate problems combine into something more serious than any one alone:

  1. A private key is exposed in your public code AND your email can be impersonated — together that gives an attacker both a working credential and a believable way to phish your customers with it.
  2. Search engines and AI assistants both can't read your page AND there's no outside proof of trust — so new visitors are hard to reach and, once they arrive, have little reason to believe you.
  3. Account emails may not arrive AND there's no alert when the service is down — so a quiet failure can frustrate new customers for hours before you hear about it.

How this audit was done

This is an automated audit of your website, run on 2026-06-24. It examines your website and reasons over it the way an experienced reviewer would. It's a first pass, not a human sign-off: treat the most serious items as a prompt to look closer rather than a guarantee, and see "What we couldn't fully check" at the end for where the audit was limited.

lens runs 86 checks for your website; on this run we examined 84 of them across 5 areas — covering security, reliability, cost, and growth. Some were turned off for this run (see "What we couldn't fully check" below); "Everything we checked" lists each one, grouped by area.

What deserves your attention

These are ordered by how serious they are. Start at the top.

Major concerns

Being found

1. Search engines and AI assistants can't see your page's words or links

Your page is assembled inside each visitor's browser, so search engines and AI assistants often see an almost-empty page — and the wording and links that should bring you new customers are invisible to them.

2. AI assistants can't see what makes you different

When someone asks an AI assistant for a recommendation, it reads your plain page — which is nearly empty — so your real selling points are invisible and you get described generically, if at all.

Trust & safety

1. A private key is exposed in your page's public code

A secret meant to stay on your servers was bundled into the code every visitor downloads, so anyone can copy it and run up charges or reach data it unlocks. This is the single most urgent thing to fix.

2. Anyone can send email pretending to be your business

Your domain has none of the standard protections that prove an email really came from you, which invites scams aimed at your customers and pushes your own sign-up and billing emails into spam.

Growth & operations

1. Your automatic account emails may not reach customers

Sign-up and password-reset emails are sent automatically from your domain, but because it has no email-authentication protection they're easily faked and often land in spam — turning a new customer's first step into a support ticket.

Should fix

Turning visitors into customers

1. Nothing on the page proves other people trust you

You ask first-time visitors to install a tool that reads what they type, but show no reviews, ratings, install counts, or familiar names — so more visitors hesitate and leave right when they're deciding to sign up.

Speed & experience

1. Your before/after demo relies on color alone

The correction examples that prove your tool works mark 'before' and 'after' with red and green only, so color-blind visitors and anyone in bright sunlight can't tell which side is the fix — turning your best proof into confusion.

Trust & safety

1. Visitor tracking starts before asking permission

Tracking begins the moment the page opens, with no consent prompt — which can break privacy law for the European and UK visitors a tool like this attracts.

Growth & operations

1. Your analytics runs without asking permission

Your visitor analytics starts tracking the moment the page loads, which needs consent first for European and UK visitors — and without it your own measurement will degrade as the rules tighten.

2. Nothing alerts you automatically when the service goes down

The core writing feature has no health check or status page, so you learn about outages from a wave of 'is it broken?' emails instead of an automatic alert — meaning slower fixes and more support load.

3. Billing for paid plans isn't set up to run itself

Your pricing promises beta users a discount at launch, but granting discounts, chasing failed payments, and handling cancellations by hand would make launch day a recurring manual chore instead of a one-time setup.

Minor

Turning visitors into customers

1. Your pricing promises a discount but not from what

Telling beta users they'll get 'a discount' with no reference price means they can't tell what they're locking in now, which softens the urgency to sign up.

Being found

1. Your search-result description gets cut off

The summary shown under your title in search results is too long, so the end of your pitch never reaches the people deciding whether to click.

Speed & experience

1. On phones, the page works in the background a while after it appears

The page looks ready quickly, but on slower phones it keeps doing work behind the scenes afterward, which can feel a little sluggish to tap. Worth watching as you grow.

2. Some of your lightest gray text may be hard to read

Low-contrast text is the most common readability complaint and especially affects older visitors and people on phones outdoors — a meaningful part of a broad audience.

Trust & safety

1. A page-protection rule is set the weaker way

You have a strong rule limiting which code can run on your pages, but it's delivered in the form browsers only partly enforce and that can't report abuse.

Everything we checked

Even where everything's fine, here's what we looked at — so you can see the review was thorough, not just a list of problems. Each area shows the individual checks we ran and the specific things the reviewer weighed.

Turning visitors into customers — 3 of 5 checks OK

Whether the people who visit your site actually sign up, buy, or get in touch.

We confirmed 3 of 5 individual checks here; 1 check needs attention; 1 check we couldn't confirm this run.

  1. ⚠️ Clear, persuasive content
    Whether your wording quickly explains what you offer and convinces visitors it's worth their time. This one isn't in place yet — a worthwhile improvement to make when you can.
  2. Conversion basics (sign-up path, trust signals)
    Whether the path from landing on your site to signing up is clear and convincing. We couldn't confirm this on this run.

We also weighed these, and they're in good shape unless flagged in the findings above:

Being found — 21 of 25 checks OK

Whether new customers can discover you through Google and other search engines.

We confirmed 21 of 25 individual checks here; 2 checks need attention; 2 checks we couldn't confirm this run.

  1. ⚠️ Has a main heading
    A clear top headline tells visitors and Google what the page is about at a glance. This one isn't in place yet — a worthwhile improvement to make when you can.
  2. ⚠️ Content readable without JavaScript
    Whether your words are visible to AI crawlers, which usually don't run JavaScript the way a web browser does. Found on your website — review and address (most of your text only appears after JavaScript runs, so AI crawlers may not see it).
  3. Page has a title
    The headline shown in search results and browser tabs; it's the first thing people see when deciding whether to click. It's correctly set up — no changes needed.
  4. Search-result description present
    The short summary under your title in search results; a good one persuades more people to click through to you. It's correctly set up — no changes needed.
  5. Marks the main version of a page
    Tells search engines which version of a page is the main one, so your ranking isn't split across duplicates. It's correctly set up — no changes needed.
  6. Structured data for search
    Extra labels that help Google show rich results like star ratings or prices, making your listing stand out. It's correctly set up — no changes needed.
  7. Social link previews
    Controls the title, image, and text shown when your link is shared on social media, so it looks appealing. It's correctly set up — no changes needed.
  8. Twitter/X link preview
    Controls how your link looks when shared on Twitter/X, so it shows a proper preview instead of a bare address. It's correctly set up — no changes needed.
  9. Images have text descriptions
    Short text descriptions of images so search engines and visitors using screen readers understand what each picture shows. It's correctly set up — no changes needed.
  10. Search-crawler rules present
    A robots.txt file and page-level rules tell search engines which pages they may show, so important pages aren't accidentally hidden from search. It's correctly set up — no changes needed.
  11. AI assistants allowed to read your site
    Whether the rules in your site's crawler file let AI answer engines read your pages so they can recommend you to people who ask. It's correctly set up — no changes needed.
  12. Structured data AI answers can use
    Machine-readable labels about your product, business, and FAQs that AI answer engines rely on to quote you accurately. It's correctly set up — no changes needed.
  13. Other-language versions are linked
    Tells search engines about other-language versions of a page, so visitors are shown the right one for them. We couldn't confirm this on this run.
  14. AI guidance file
    A simple text file that points AI assistants like ChatGPT and Perplexity straight to your most important content. This optional file isn't published yet — an emerging, nice-to-have standard as AI search grows.

We also weighed these, and they're in good shape unless flagged in the findings above:

Speed & experience — 16 of 16 checks OK

Whether your site loads quickly and is easy and pleasant to use on any device.

  1. Page declares its language
    Tells browsers and screen readers what language your page is written in, so it's read aloud and offered for translation correctly. It's correctly set up — no changes needed.
  2. Works well on phones
    A small setting that tells phones to fit the page to the screen and allow pinch-to-zoom, so visitors on mobile aren't stuck scrolling sideways. It's correctly set up — no changes needed.
  3. Clear heading structure
    Well-organised headings let visitors — and people using screen readers — scan your page and jump straight to the part they need. It's correctly set up — no changes needed.
  4. Links and buttons have descriptive labels
    Links and buttons need words a screen reader can announce; an icon-only one with no label leaves those visitors with no idea what it does. It's correctly set up — no changes needed.
  5. Page loading speed
    We measured this on a phone: your homepage's main content appears in 0.5s (desktop 0.4s). Google ranks on the mobile experience and treats under 2.5s as 'good' and over 4.0s as 'slow' — most visitors are on phones, so mobile speed is what counts most. That's in the 'good' range on mobile — no changes needed.
  6. Visual design and mobile layout
    Whether your site looks professional and works well on phones, where most visitors first meet your brand. It's correctly set up — no changes needed.

We also weighed these, and they're in good shape unless flagged in the findings above:

Trust & safety — 21 of 26 checks OK

Whether your customers' data and payments are protected and the site is safe to use.

We confirmed 21 of 26 individual checks here; 5 checks need attention.

  1. ⚠️ Limits which code can run on your pages
    An extra layer of protection that limits which code is allowed to run on your pages, so a stray or tampered script has far less room to cause harm. This one isn't in place yet — a worthwhile improvement to make when you can.
  2. ⚠️ Doesn't reveal its hosting/tech
    Checks your site isn't broadcasting the software and hosting it runs on, which gives attackers a head start. Found on your website — review and address (reveals [REDACTED:server-banner]).
  3. ⚠️ Email anti-spoofing
    Lets mail servers verify that emails claiming to be from your domain are really yours, so scammers can't impersonate you. This one isn't in place yet — a worthwhile improvement to make when you can.
  4. ⚠️ Email signing
    Adds a tamper-proof signature to your emails so recipients can trust they genuinely came from you and weren't altered. This one isn't in place yet — a worthwhile improvement to make when you can.
  5. ⚠️ Email anti-fraud policy
    Tells other mail servers what to do with fake emails pretending to be from you, stopping scammers using your name. This one isn't in place yet — a worthwhile improvement to make when you can.
  6. Secure connection
    Encrypts the connection between visitors and your site so no one can snoop on or tamper with what's sent. It's correctly set up — no changes needed.
  7. Modern encryption
    The latest, fastest version of that encryption, giving visitors stronger protection and quicker secure connections. It's correctly set up — no changes needed.
  8. Certificate not expiring soon
    The security certificate behind the padlock; if it lapses, browsers warn visitors away with a scary error. It's correctly set up — no changes needed.
  9. Cookies set securely
    Makes sure the small files your site stores on visitors' devices can't be read or stolen over an insecure connection. It's correctly set up — no changes needed.
  10. No insecure content on a secure page
    Checks that every part of a secure page also loads securely, so nothing on it can be tampered with in transit. It's correctly set up — no changes needed.
  11. Forces secure connections
    Tells browsers to always use the secure version of your site, so visitors can't be downgraded to an insecure connection. It's correctly set up — no changes needed.
  12. Blocks clickjacking
    Stops other sites from secretly embedding yours to trick visitors into clicking things they didn't mean to. It's correctly set up — no changes needed.
  13. Stops browsers from guessing file types
    Stops browsers from guessing file types, which can otherwise be tricked into running a harmful file as code. It's correctly set up — no changes needed.
  14. Limits what's shared with sites you link to
    Controls how much about your pages is shared with other sites visitors click through to, protecting their privacy. It's correctly set up — no changes needed.
  15. Limits which device features pages can use
    Limits which device features, like camera or location, your pages can use, reducing what a hijacked page could abuse. It's correctly set up — no changes needed.
  16. No subdomain-takeover risk
    Checks you have no abandoned subdomains an attacker could claim and use to impersonate your brand. It's correctly set up — no changes needed.
  17. No known vulnerable libraries
    Checks the third-party code your site relies on has no publicly known security holes that attackers actively exploit. It's correctly set up — no changes needed.
  18. Visitor data sent privately
    Makes sure personal details visitors enter are sent over a secure connection, never in plain text others could read. It's correctly set up — no changes needed.
  19. No behind-the-scenes AI details leak publicly
    Checks that the behind-the-scenes details of any AI used to build your pages — things like prompts, model names, or cost notes — aren't left visible in your page's code for anyone to read. It's correctly set up — no changes needed.

We also weighed these, and they're in good shape unless flagged in the findings above:

Growth & operations — 9 of 12 checks OK

Whether you have the tools to see what's working and run the business smoothly.

We confirmed 9 of 12 individual checks here; 1 check needs attention; 2 checks we couldn't confirm this run.

  1. ⚠️ Cookie-consent banner
    Asks visitors' permission before using tracking cookies, which many privacy laws require you to do. This one isn't in place yet — a worthwhile improvement to make when you can.
  2. Privacy policy present
    A page explaining how you handle visitors' data; customers expect it and it's often legally required. It's correctly set up — no changes needed.
  3. Behind a content-delivery and filtering service
    A service that speeds up your site worldwide and filters out malicious traffic before it reaches you. It's correctly set up — no changes needed.
  4. Health-check endpoint (a web address other tools can reach)
    A simple status address monitoring tools can ping to confirm your site is up, so you hear about outages fast. We couldn't confirm this on this run.
  5. Rate limiting in place
    Caps how many requests one source can make, protecting your site from abuse and overload. We couldn't confirm this on this run.

We also weighed these, and they're in good shape unless flagged in the findings above:

What to do next

In priority order — start at the top and work down.

  1. Revoke and replace the exposed key today, then move it somewhere it never ships to visitors' browsers.
  2. Protect your business email so messages can't be faked and your own account emails reach customers.
  3. Make your content visible to search engines and AI assistants by delivering it in the page's source.
  4. Add proof that people trust you — reviews, ratings, install counts, or familiar names — near the sign-up button.
  5. Ask permission before tracking, and get ready to run smoothly as you grow: alerts, a status page, and self-serve billing — plus a quick pass over the minor housekeeping notes.

What we couldn't fully check

Every review has limits — this was an automated check, not an exhaustive one. Here's what this run could NOT fully assess, and exactly why; re-running covers these: