new-site/docs/trustedsite-setup.md


TrustedSite (Certified Secure) trustmark — setup steps

TrustedSite (formerly McAfee SECURE) gives a free, embeddable "Certified Secure" trustmark after a daily malware/blocklist scan. The signup is an interactive SaaS onboarding (email + account + ToS) that must be done by a human; everything else is pre-staged here so finishing is ~2 minutes.

What's already staged

  1. Trustmark mount point in site/src/components/TrustStrip.astro — a commented <!-- TRUSTEDSITE_TRUSTMARK --> slot + an opt-in trustedsite prop.
  2. Verification-file location: drop their .html/.txt verification file in site/public/ (served at the web root verbatim by Astro).
  3. This doc.

Steps for Justin

  1. Go to https://www.trustedsite.com/ → "Get Started" (free Certified Secure tier). Sign up with security@performancewest.net (or your preferred inbox).
  2. Add site performancewest.net. Verify ownership — they offer either:
    • Meta tag: copy the <meta name="trustedsite-..." content="..."> → paste into site/src/layouts/Base.astro <head> (next to the other <meta> tags around line 33), or
    • File upload: download their verification file → put it in site/public/ and redeploy. (Astro copies public/ to the web root.)
  3. After they finish the first scan (usually <24h) they give a trustmark snippet (a small <script> + an <a>/<img>). Paste the script into Base.astro <head> and the badge markup into the <!-- TRUSTEDSITE_TRUSTMARK --> slot in TrustStrip.astro. Set the page(s) to <TrustStrip trustedsite /> if you want it gated to specific pages.
  4. CSP update (REQUIRED) — the trustmark loads from TrustedSite's CDN, so add their host to the nginx CSP in /etc/nginx/snippets/pw-security.conf on the prod host:
    • script-src: add https://cdn.ywxi.net https://www.trustedsite.com
    • img-src already allows https: (ok)
    • frame-src: add https://cdn.ywxi.net if their seal uses an iframe.
     Then sudo nginx -t && sudo systemctl reload nginx.
  5. Redeploy the site (./deploy.sh site) and confirm the trustmark renders.
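Added here as a check for step 4 (not a script from the repo): a bash snippet that parses a Content-Security-Policy header value, applies the default-src fallback the way browsers do, and reports whether each host step 4 needs is permitted; the image host (cdn.ywxi.net), the production URL default and the csp-check.sh name are assumptions.

```bash
#!/usr/bin/env bash
# Added check for step 4: does the served CSP permit the TrustedSite assets?
# Hosts come from the doc; the image host and the default URL are assumptions.
# csp_directive_allows CSP DIRECTIVE SRC -> exit 0 if SRC is allowed by DIRECTIVE.
# A fetch directive with no explicit entry falls back to default-src, as browsers
# do (the intermediate child-src step for frame-src is not modelled).
csp_directive_allows() {
  local csp="$1" directive="$2" src="$3" rest="$1;" d value=""
  while [ -n "$rest" ]; do                      # split on ';' without globbing
    d="${rest%%;*}"; rest="${rest#*;}"
    d="${d#"${d%%[! ]*}"}"                      # strip leading spaces
    case "$d" in
      "$directive "*|"$directive") value=" ${d#"$directive"} "; break ;;
    esac
  done
  if [ -z "$value" ]; then                      # directive absent -> fallback
    [ "$directive" = default-src ] && return 1
    csp_directive_allows "$csp" default-src "$src" && return 0
    return 1
  fi
  case "$value" in
    *" $src "*) return 0 ;;                     # host listed explicitly
    *" https: "*) [ "${src#https://}" != "$src" ] && return 0 ;;  # scheme-wide allow
  esac
  return 1
}
# check_trustedsite_csp CSP -> reports each (directive, host) pair step 4 needs;
# exit 1 if any is blocked. img-src host is assumed; confirm it from their snippet.
check_trustedsite_csp() {
  local csp="$1" rc=0 pair directive src
  for pair in "script-src https://cdn.ywxi.net" "script-src https://www.trustedsite.com" \
              "img-src https://cdn.ywxi.net"    "frame-src https://cdn.ywxi.net"; do
    directive="${pair%% *}"; src="${pair#* }"
    if csp_directive_allows "$csp" "$directive" "$src"; then
      printf 'ok       %s %s\n' "$directive" "$src"
    else
      printf 'BLOCKED  %s %s\n' "$directive" "$src"; rc=1
    fi
  done
  return "$rc"
}
# csp_live [URL] -> fetch the deployed header (after nginx reload) and check it.
csp_live() {
  local url="${1:-https://performancewest.net/}" hdr
  hdr="$(curl -sSI "$url" | tr -d '\r' | grep -i '^content-security-policy:' | head -n 1)"
  [ -n "$hdr" ] || { echo "no Content-Security-Policy header on $url" >&2; return 2; }
  check_trustedsite_csp "${hdr#*: }"
}
case "${1:-}" in --live) csp_live "${2:-}" ;; esac   # ./csp-check.sh --live [URL]
```

Run it with --live after the reload and the redeploy; a BLOCKED line means the snippet in pw-security.conf did not take effect for that directive.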

Notes

  • Keep it honest: only show the trustmark once the first scan passes.
  • The seal is reputation-sensitive; if a scan ever fails, TrustedSite hides it automatically (no action needed from us).