# TrustedSite (Certified Secure) trustmark — setup steps

TrustedSite (formerly McAfee SECURE) gives a free, embeddable "Certified Secure"
trustmark after a daily malware/blocklist scan. The signup is an interactive
SaaS onboarding (email + account + ToS) that must be done by a human; everything
else is pre-staged here so finishing is ~2 minutes.

## What's already staged

1. **Trustmark mount point** in `site/src/components/TrustStrip.astro` — a
   commented `<!-- TRUSTEDSITE_TRUSTMARK -->` slot + an opt-in `trustedsite` prop.
2. **Verification-file location**: drop their `.html`/`.txt` verification file in
   `site/public/` (served at the web root verbatim by Astro).
3. This doc.

## Steps for Justin

1. Go to https://www.trustedsite.com/ → "Get Started" (free Certified Secure
   tier). Sign up with `security@performancewest.net` (or your preferred inbox).
2. Add site `performancewest.net`. Verify ownership — they offer either:
   - **Meta tag**: copy the `<meta name="trustedsite-..." content="...">` →
     paste into `site/src/layouts/Base.astro` `<head>` (next to the other
     `<meta>` tags around line 33), **or**
   - **File upload**: download their verification file → put it in
     `site/public/` and redeploy. (Astro copies public/ to the web root.)
3. After they finish the first scan (usually <24h) they give a **trustmark
   snippet** (a small `<script>` + an `<a>`/`<img>`). Paste the script into
   `Base.astro` `<head>` and the badge markup into the
   `<!-- TRUSTEDSITE_TRUSTMARK -->` slot in `TrustStrip.astro`. Set the page(s)
   to `<TrustStrip trustedsite />` if you want it gated to specific pages.
4. **CSP update (REQUIRED)** — the trustmark loads from TrustedSite's CDN, so add
   their host to the nginx CSP in `/etc/nginx/snippets/pw-security.conf` on the
   prod host:
   - `script-src`: add `https://cdn.ywxi.net https://www.trustedsite.com`
   - `img-src` already allows `https:` (ok)
   - `frame-src`: add `https://cdn.ywxi.net` if their seal uses an iframe

   Then `sudo nginx -t && sudo systemctl reload nginx`.
5. Redeploy the site (`./deploy.sh site`) and confirm the trustmark renders.

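One way to confirm the step 4 CSP change took effect, as an added example that is not part of the original doc: the shell functions below parse a `Content-Security-Policy` value, apply directive fallback, and list which step 4 sources are still missing. Both sample policies are constructed (the real contents of `pw-security.conf` are not shown in this doc), and the function names are illustrative.

```sh
# Added example, not from the original doc; both policies are constructed samples.
CSP_BEFORE="default-src 'self'; script-src 'self'; img-src 'self' https: data:"
CSP_AFTER="default-src 'self'; script-src 'self' https://cdn.ywxi.net https://www.trustedsite.com; img-src 'self' https: data:; frame-src https://cdn.ywxi.net"

# Sources step 4 adds unconditionally, one "directive source" pair per line.
REQUIRED='script-src https://cdn.ywxi.net
script-src https://www.trustedsite.com'

# Print the source list of directive $2 in policy $1 (nothing if absent).
csp_sources() {
    printf '%s\n' "$1" | tr '\t;' ' \n' | while read -r name rest; do
        if [ "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" = "$2" ]; then
            [ -n "$rest" ] || rest="'none'"   # empty list matches nothing
            printf '%s\n' "$rest"
            break                             # first occurrence wins
        fi
    done
}

# Effective list for $2 after CSP fallback (frame-src -> child-src -> default-src).
csp_effective() {
    chain="$2 default-src"
    if [ "$2" = frame-src ]; then chain="frame-src child-src default-src"; fi
    for d in $chain; do
        list=$(csp_sources "$1" "$d")
        if [ -n "$list" ]; then printf '%s\n' "$list"; return 0; fi
    done
}

# Succeed if $3 is listed verbatim for directive $2 (no wildcard/scheme matching).
csp_allows() {
    case " $(csp_effective "$1" "$2") " in *" $3 "*) return 0 ;; esac
    return 1
}

# Print every REQUIRED pair that policy $1 lacks; status 1 if any is missing.
csp_missing() {
    rc=0
    while read -r dir src; do
        csp_allows "$1" "$dir" "$src" || { printf '%s %s\n' "$dir" "$src"; rc=1; }
    done <<EOF
$REQUIRED
EOF
    return "$rc"
}

for policy in "$CSP_BEFORE" "$CSP_AFTER"; do
    if missing=$(csp_missing "$policy"); then echo "CSP ok"; else echo "missing: $missing"; fi
done
```

To check production, pass the header value returned by `curl -sI https://performancewest.net` to `csp_missing` after the nginx reload. `frame-src` is only needed if the seal uses an iframe, so test it separately with `csp_allows`.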
## Notes

- Keep it honest: only show the trustmark once the first scan passes.
- The seal is reputation-sensitive; if a scan ever fails, TrustedSite hides it
  automatically (no action needed from us).