# TrustedSite (Certified Secure) trustmark — setup steps

TrustedSite (formerly McAfee SECURE) gives a free, embeddable "Certified Secure"
trustmark after a daily malware/blocklist scan. The signup is an interactive
SaaS onboarding (email + account + ToS) that must be done by a human; everything
else is pre-staged here so finishing is ~2 minutes.

## What's already staged
1. **Trustmark mount point** in `site/src/components/TrustStrip.astro` — a
   commented `<!-- TRUSTEDSITE_TRUSTMARK -->` slot + an opt-in `trustedsite` prop.
2. **Verification-file location**: drop their `.html`/`.txt` verification file in
   `site/public/` (served at the web root verbatim by Astro).
3. This doc.

## Steps for Justin
1. Go to https://www.trustedsite.com/ → "Get Started" (free Certified Secure
   tier). Sign up with `security@performancewest.net` (or your preferred inbox).
2. Add site `performancewest.net`. Verify ownership — they offer either:
   - **Meta tag**: copy the `<meta name="trustedsite-..." content="...">` →
     paste into `site/src/layouts/Base.astro` `<head>` (next to the other
     `<meta>` tags around line 33), **or**
   - **File upload**: download their verification file → put it in
     `site/public/` and redeploy. (Astro copies public/ to the web root.)
3. After they finish the first scan (usually <24h) they give a **trustmark
   snippet** (a small `<script>` + an `<a>`/`<img>`). Paste the script into
   `Base.astro` `<head>` and the badge markup into the
   `<!-- TRUSTEDSITE_TRUSTMARK -->` slot in `TrustStrip.astro`. Set the page(s)
   to `<TrustStrip trustedsite />` if you want it gated to specific pages.
4. **CSP update (REQUIRED)** — the trustmark loads from TrustedSite's CDN, so add
   their host to the nginx CSP in `/etc/nginx/snippets/pw-security.conf` on the
   prod host:
   - `script-src`: add `https://cdn.ywxi.net https://www.trustedsite.com`
   - `img-src` already allows `https:` (ok)
   - `frame-src`: add `https://cdn.ywxi.net` if their seal uses an iframe
   Then `sudo nginx -t && sudo systemctl reload nginx`.
5. Redeploy the site (`./deploy.sh site`) and confirm the trustmark renders.

## Notes
- Keep it honest: only show the trustmark once the first scan passes.
- The seal is reputation-sensitive; if a scan ever fails, TrustedSite hides it
  automatically (no action needed from us).