Skip to main content

Website Trust Glossary

Clear definitions of the terms behind website trust, security, performance and SEO.

#

301 Redirect
A permanent redirect that sends users and search engines to a new URL and transfers ranking signals. Used for HTTPS and URL migrations. Read more: HTTP to HTTPS Redirects: Doing the Migration Right →
404 Not Found
An HTTP status meaning the requested page does not exist. Read more: 404 Errors: What "Not Found" Means and How to Handle It →
410 Gone
An HTTP status explicitly signalling that a resource has been permanently removed. Read more: 404 Errors: What "Not Found" Means and How to Handle It →
500 Internal Server Error
An HTTP status indicating the server hit an unexpected error and could not complete the request. Read more: 500 Errors: When the Server Breaks →
503 Service Unavailable
An HTTP status meaning the server is temporarily unavailable, often due to overload or maintenance. Pair with Retry-After. Read more: 500 Errors: When the Server Breaks →

A

Accessibility (a11y)
Designing sites so people with disabilities can perceive, navigate and use them. Overlaps strongly with usability and SEO. Read more: Web Accessibility Basics: Building Sites Everyone Can Use →
ACME
Automatic Certificate Management Environment — the protocol (used by Let's Encrypt and Certbot) that automates issuing and renewing certificates. Read more: Certificate Expiry: Why It Breaks Sites and How to Prevent It →
AEO (Answer/AI Engine Optimisation)
Optimising content so AI assistants and answer engines can find, understand, trust and cite it — extending SEO with clear answers, structure and trust signals. Read more: How to Optimise for AI Search (AEO) →
AI Search
Search experiences where an AI assistant returns a synthesised answer with a few cited sources, rather than a list of links. Read more: AI Search vs Google Search: What Is Changing →
Alt Text
A written description of an image, set via the alt attribute, used by screen readers and search engines. Read more: Alt Text: Describing Images for People and Search Engines →
ARIA
Accessible Rich Internet Applications — attributes that convey roles and states to assistive technology when native HTML is insufficient. Read more: Web Accessibility Basics: Building Sites Everyone Can Use →

B

Broken Link
A link pointing to a page or resource that no longer exists, typically returning a 404 error. Read more: Broken Links: Finding and Fixing Dead Ends →
Brotli
A compression algorithm for text files that typically outperforms Gzip by 15–25%, enabled at the server or CDN. Read more: Gzip and Brotli: Compressing Text for Faster Downloads →

C

CAA Record
Certification Authority Authorization — a DNS record specifying which certificate authorities may issue TLS certificates for a domain. Read more: CAA Records: Controlling Who Can Issue Your Certificates →
Caching
Storing computed or fetched data for reuse so repeated requests are served faster without redoing the work. Read more: Website Response Time: Why Speed Builds Trust →
Canonical URL
The preferred URL for a piece of content, declared with rel="canonical" to consolidate duplicate URLs and their ranking signals. Read more: Canonical URLs: Telling Search Engines Which Page Is the Original →
CDN
Content Delivery Network — a globally distributed set of servers that serve content from close to each user, improving speed. Read more: Time To First Byte (TTFB): The First Speed Metric That Matters →
Certificate Authority (CA)
A trusted organisation that issues and signs TLS certificates. Browsers trust certificates that chain back to a recognised CA. Read more: How SSL Certificates Work: The Chain of Trust →
Chain of Trust
The linked sequence from your certificate through intermediate certificates up to a trusted root, which is how browsers decide a certificate is valid. Read more: How SSL Certificates Work: The Chain of Trust →
Cipher Suite
A named set of cryptographic algorithms a server and browser agree to use for a TLS connection. Modern, strong cipher suites are essential for security. Read more: What Is TLS? Transport Layer Security Explained →
Click-Through Rate (CTR)
The percentage of people who click your result after seeing it. Strong titles and descriptions raise CTR. Read more: Meta Descriptions: Your Free Ad in the Search Results →
Clickjacking
Tricking a user into clicking something different from what they perceive, often by framing a real site invisibly. Blocked by X-Frame-Options. Read more: X-Frame-Options: Preventing Clickjacking →
Compliance
Meeting legal and regulatory expectations such as privacy policies, cookie consent and accessibility standards. Read more: Privacy Policies: What Every Website Needs and Why →
Consent
Freely given, informed agreement to set non-essential cookies or process data. Must be as easy to refuse as to give. Read more: Cookie Policies and Consent: Getting It Right →
Content Security Policy (CSP)
A header that whitelists which sources may load scripts, styles and other content, strongly mitigating cross-site scripting. Read more: Content Security Policy (CSP): Stop XSS at the Browser →
Cookie
A small file a site stores in the browser. Non-essential cookies (analytics, ads) require consent under most privacy laws. Read more: Cookie Policies and Consent: Getting It Right →
Core Web Vitals
Google's three user-experience metrics: LCP (loading), INP (responsiveness) and CLS (visual stability). Read more: Core Web Vitals: Measuring Real User Experience →
CORS
Cross-Origin Resource Sharing — HTTP headers that let a server declare which other origins a browser may allow to read its responses. Read more: CORS: Sharing Resources Across Origins Safely →
Crawler
An automated bot (like Googlebot) that fetches web pages to index them or check them. Also called a spider. Read more: robots.txt: Guiding Crawlers Without Blocking Your Site →
Cross-Origin Isolation
A hardened browsing context created by combining COOP and COEP, required to enable powerful browser features like SharedArrayBuffer. Read more: Cross-Origin-Embedder-Policy (COEP): Controlling What You Embed →
Cross-Origin-Embedder-Policy (COEP)
A response header requiring cross-origin resources to explicitly opt in to being embedded, working with COOP to enable cross-origin isolation. Read more: Cross-Origin-Embedder-Policy (COEP): Controlling What You Embed →
Cross-Origin-Opener-Policy (COOP)
A response header that isolates a page from windows it opens or that open it, defending against cross-window attacks and enabling cross-origin isolation. Read more: Cross-Origin-Opener-Policy (COOP): Isolating Your Browsing Context →
Cross-Origin-Resource-Policy (CORP)
A response header declaring which origins may embed a resource (same-origin, same-site or cross-origin), protecting assets and limiting side-channel exposure. Read more: Cross-Origin-Resource-Policy (CORP): Who May Embed Your Resources →
Cross-Site Request Forgery (CSRF)
An attack that tricks a logged-in user's browser into making an unwanted state-changing request. Mitigated by SameSite cookies and CSRF tokens. Read more: Cookie Security: Secure, HttpOnly and SameSite Explained →
Cross-Site Scripting (XSS)
An attack that injects malicious scripts into a web page viewed by others. Content Security Policy is a key defence. Read more: Content Security Policy (CSP): Stop XSS at the Browser →
Cumulative Layout Shift (CLS)
A Core Web Vital measuring unexpected layout movement. Good is 0.1 or less. Read more: Core Web Vitals: Measuring Real User Experience →

D

Data Processor
A third party that processes personal data on your behalf, such as an analytics or email provider. Must be disclosed in your privacy policy. Read more: Privacy Policies: What Every Website Needs and Why →
DKIM
DomainKeys Identified Mail — a cryptographic signature added to outgoing email and verified via a public key in DNS, proving the message is genuine and unaltered. Read more: DKIM: Cryptographically Signing Your Email →
DMARC
A DNS policy that tells receiving mail servers how to handle messages failing SPF/DKIM checks, protecting against spoofing. Read more: DMARC: The Policy That Ties Email Authentication Together →
DNS
Domain Name System — translates domain names into IP addresses and holds records that route email and prove identity. Read more: What Is DNS? How Domain Names Become Websites →
DNS TXT Record
A DNS record holding free-form text, used for SPF, DKIM, DMARC and domain-verification values. Read more: SPF Records: Stopping Others From Spoofing Your Email →
Duplicate Content
The same content reachable at multiple URLs, which can split ranking signals. Canonical tags and redirects resolve it. Read more: Canonical URLs: Telling Search Engines Which Page Is the Original →

E

Encryption
Encoding data so only authorised parties can read it. HTTPS encrypts web traffic so eavesdroppers cannot read or tamper with it. Read more: What Is HTTPS and Why Does Your Website Need It? →
Entity
A distinct thing (a business, person, product or concept) that search engines and AI recognise and connect using consistent signals across the web. Read more: How AI Evaluates Websites →
ETag
An HTTP response header identifying a specific version of a resource, enabling efficient 304 Not Modified revalidation. Read more: Cache-Control Headers: Making Repeat Visits Fast →

F

Featured Snippet
A concise answer a search engine extracts and displays at the top of results; clear quick-answer content improves eligibility. Read more: AI Search vs Google Search: What Is Changing →

G

Gateway
An intermediary server (proxy or load balancer) that forwards requests. 502/504 errors relate to gateway failures. Read more: 500 Errors: When the Server Breaks →
GDPR
The EU/UK General Data Protection Regulation governing how personal data is collected and processed, with strict transparency and consent rules. Read more: Privacy Policies: What Every Website Needs and Why →
GEO (Generative Engine Optimisation)
Another name for optimising to be surfaced and cited by generative AI answer engines; overlaps heavily with AEO. Read more: How to Optimise for AI Search (AEO) →
Gzip
A widely supported compression format for text-based HTTP responses such as HTML, CSS and JavaScript. Read more: Gzip and Brotli: Compressing Text for Faster Downloads →

H

HSTS
HTTP Strict Transport Security — a header telling browsers to only ever connect over HTTPS, preventing downgrade attacks. Read more: HSTS: HTTP Strict Transport Security Explained →
HTTP
Hypertext Transfer Protocol — the foundational protocol for exchanging web pages. Unlike HTTPS, plain HTTP is unencrypted. Read more: HTTP Status Codes: The Web's Vocabulary of Success and Failure →
HTTP Status Code
A three-digit code describing the result of a request: 2xx success, 3xx redirect, 4xx client error, 5xx server error. Read more: HTTP Status Codes: The Web's Vocabulary of Success and Failure →
HTTP/2
A modern HTTP version that multiplexes many requests over one connection and compresses headers, reducing latency versus HTTP/1.1. Read more: HTTP/2 and HTTP/3: Faster Connections for the Modern Web →
HTTP/3
The latest HTTP version, running over QUIC (UDP) for faster connection setup and better performance on unreliable networks. Read more: HTTP/2 and HTTP/3: Faster Connections for the Modern Web →
HttpOnly Cookie
A cookie marked HttpOnly so it cannot be read by JavaScript, limiting theft via cross-site scripting. Read more: Cookie Security: Secure, HttpOnly and SameSite Explained →
HTTPS
The secure version of HTTP. It encrypts traffic between browser and server using TLS, shown by the padlock in the address bar. Read more: What Is HTTPS and Why Does Your Website Need It? →

I

Interaction to Next Paint (INP)
A Core Web Vital measuring responsiveness to user input. Good is 200 milliseconds or less. Read more: Core Web Vitals: Measuring Real User Experience →

L

Largest Contentful Paint (LCP)
A Core Web Vital measuring how long until the largest visible element renders. Good is 2.5 seconds or less. Read more: Core Web Vitals: Measuring Real User Experience →
lastmod
A sitemap field indicating when a URL was last modified, helping crawlers prioritise changed pages. Read more: XML Sitemaps: Helping Search Engines Find Everything →
Lazy Loading
Deferring the download of off-screen images until the user scrolls near them, saving bandwidth and speeding initial load. Read more: Image Optimization: The Biggest Easy Win for Page Speed →
LLM (Large Language Model)
A machine-learning model trained on large amounts of text that powers AI assistants like ChatGPT, Gemini and Claude. Read more: AI and Website Trust: Why It Matters More Than Ever →

M

Meta Description
A short page summary search engines may show as the results snippet. It influences click-through, not ranking directly. Read more: Meta Descriptions: Your Free Ad in the Search Results →
Meta Title
The <title> tag shown as the headline in search results and browser tabs — a key on-page SEO and click-through factor. Read more: Meta Titles: The Most Important On-Page SEO Element →
MIME Sniffing
When a browser guesses a file's type instead of trusting the declared Content-Type. X-Content-Type-Options: nosniff disables it. Read more: X-Content-Type-Options: Stopping MIME Sniffing →
Mixed Content
Insecure HTTP resources loaded on an HTTPS page. Browsers block or downgrade them because they weaken the page's security. Read more: Mixed Content: When HTTPS Pages Load Insecure Resources →

N

noindex
A meta tag or header instructing search engines not to include a page in their index — the correct way to keep a page out of results. Read more: robots.txt: Guiding Crawlers Without Blocking Your Site →
Nonce
A one-time random token used in a CSP to mark specific inline scripts as trusted, avoiding the need for unsafe-inline. Read more: Content Security Policy (CSP): Stop XSS at the Browser →

O

OCSP
Online Certificate Status Protocol — a way to check whether a certificate has been revoked. OCSP stapling makes this fast and private. Read more: How SSL Certificates Work: The Chain of Trust →

P

Permissions-Policy
A header that enables or disables powerful browser features (camera, microphone, geolocation) for a page and its iframes. Read more: Permissions-Policy: Locking Down Powerful Browser Features →
Personal Data
Any information relating to an identifiable person, including names, emails, IP addresses and online identifiers. Read more: Privacy Policies: What Every Website Needs and Why →
Preflight Request
An automatic OPTIONS request a browser sends before certain cross-origin requests to check whether the actual request is allowed by CORS. Read more: CORS: Sharing Resources Across Origins Safely →
Privacy Policy
A page explaining what personal data a site collects, why, how it is used and protected, and users' rights. Read more: Privacy Policies: What Every Website Needs and Why →
Public Key
The shareable half of a key pair used in public-key cryptography. A certificate binds a public key to a domain name. Read more: SSL Certificates: A Plain-English Guide →

Q

QUIC
A transport protocol over UDP that HTTP/3 uses, combining connection setup and encryption for lower latency than TCP. Read more: HTTP/2 and HTTP/3: Faster Connections for the Modern Web →

R

RAG (Retrieval-Augmented Generation)
A technique where an AI retrieves live web pages or documents and uses them to generate and cite answers, rather than relying only on training data. Read more: How AI Evaluates Websites →
Referrer-Policy
A header that controls how much URL information is sent to other sites when users click links, protecting privacy. Read more: Referrer-Policy: Controlling What You Leak in Links →
Response Time
How long a server takes to begin returning a page. Slow responses delay everything the user sees. Read more: Website Response Time: Why Speed Builds Trust →
robots.txt
A root-level file that tells search-engine crawlers which paths they may request. It controls crawling, not indexing. Read more: robots.txt: Guiding Crawlers Without Blocking Your Site →
Root Certificate
A self-signed certificate from a Certificate Authority, pre-installed in browsers and operating systems, that anchors the chain of trust. Read more: How SSL Certificates Work: The Chain of Trust →

S

Same-Origin Policy
The default browser rule that stops a page on one origin from reading responses from another. CORS relaxes it in a controlled way. Read more: CORS: Sharing Resources Across Origins Safely →
SameSite
A cookie attribute (Strict, Lax or None) controlling whether a cookie is sent on cross-site requests, defending against CSRF. Read more: Cookie Security: Secure, HttpOnly and SameSite Explained →
SAN Certificate
A certificate with a Subject Alternative Name field listing multiple hostnames, letting one certificate cover several domains or subdomains. Read more: Wildcard and SAN Certificates: Securing Multiple Names →
Screen Reader
Software that reads on-screen content aloud for blind and low-vision users, relying on semantic HTML and alt text. Read more: Alt Text: Describing Images for People and Search Engines →
Secure Cookie
A cookie marked Secure so the browser only sends it over HTTPS, preventing exposure on plain HTTP. Read more: Cookie Security: Secure, HttpOnly and SameSite Explained →
Security Header
An HTTP response header that instructs the browser to enforce a protection, such as HSTS, CSP or X-Frame-Options. Read more: HTTP Security Headers: The Complete Overview →
Self-Signed Certificate
A TLS certificate signed by its own key rather than a trusted CA. It encrypts traffic but browsers do not trust it, so it triggers warnings on public sites. Read more: Self-Signed Certificates: When They Help and When They Hurt →
SERP
Search Engine Results Page — the list of results a search engine returns for a query. Read more: Meta Titles: The Most Important On-Page SEO Element →
Soft 404
A page that says "not found" but returns a 200 OK status, confusing search engines into indexing empty pages. Read more: 404 Errors: What "Not Found" Means and How to Handle It →
SPF
Sender Policy Framework — a DNS TXT record listing which servers may send email for your domain, reducing spoofing. Read more: SPF Records: Stopping Others From Spoofing Your Email →
SSL
Secure Sockets Layer — the deprecated predecessor to TLS. "SSL certificate" persists in everyday language even though TLS is what is actually used. Read more: SSL Certificates: A Plain-English Guide →
SSL Stripping
An attack that downgrades a secure connection to plain HTTP so traffic can be intercepted. HSTS defends against it. Read more: HSTS: HTTP Strict Transport Security Explained →
Structured Data
Machine-readable labels (schema.org markup) that describe a page's content — such as articles, FAQs and organisations — helping search engines and AI interpret it accurately. Read more: How to Optimise for AI Search (AEO) →
Subresource Integrity (SRI)
A security feature that lets browsers verify a fetched script or stylesheet matches an expected hash, guarding against tampered CDN files. Read more: Subresource Integrity: Verifying Third-Party Scripts →
Supply-Chain Attack
An attack that compromises a trusted third-party dependency (such as a CDN-hosted script) to reach the sites that rely on it. Read more: Subresource Integrity: Verifying Third-Party Scripts →

T

Time To First Byte (TTFB)
The time from sending a request to receiving the first byte of the response, covering DNS, connection, TLS and server processing. Read more: Time To First Byte (TTFB): The First Speed Metric That Matters →
TLS
Transport Layer Security — the cryptographic protocol that encrypts modern web connections. The successor to SSL and the technology behind HTTPS. Read more: What Is TLS? Transport Layer Security Explained →
TLS Handshake
The negotiation at the start of a secure connection where the browser and server agree on encryption, verify the certificate and establish session keys. Read more: What Is TLS? Transport Layer Security Explained →
Trust Score
A single 0–100 figure summarising how secure, compliant and credible a website appears, weighted by issue severity. Read more: What Is a Website Trust Score? →
TTL
Time To Live — how long a DNS record (or cache entry) may be cached before being refreshed. Governs how fast DNS changes propagate. Read more: What Is DNS? How Domain Names Become Websites →

U

Uptime
The proportion of time a site is available and reachable. Monitoring tracks it and alerts on outages. Read more: Website Monitoring: Catching Problems Before Customers Do →

V

VPAT
Voluntary Product Accessibility Template — a document stating how a product conforms to accessibility standards like WCAG. Read more: WCAG Explained: The Web Accessibility Standard →

W

WCAG
Web Content Accessibility Guidelines — the international accessibility standard with levels A, AA and AAA. Most target AA. Read more: WCAG Explained: The Web Accessibility Standard →
WebP
A modern image format that typically produces smaller files than JPEG or PNG at similar visual quality. Read more: Image Optimization: The Biggest Easy Win for Page Speed →
Website Monitoring
Automated, repeated checking of a site for uptime, certificate expiry and trust regressions, with alerts on problems. Read more: Website Monitoring: Catching Problems Before Customers Do →
Website Trust
The combined impression of security, compliance, performance and transparency that makes a site appear safe and legitimate. Read more: What Is Website Trust? The Signals That Make Visitors Believe You →
Wildcard Certificate
A certificate that secures all subdomains of a domain (e.g. *.example.com), so one certificate covers blog, shop and more. Read more: SSL Certificates: A Plain-English Guide →

X

X-Content-Type-Options
A header whose nosniff value stops browsers from guessing content types, preventing MIME-sniffing attacks. Read more: X-Content-Type-Options: Stopping MIME Sniffing →
X-Frame-Options
A header controlling whether your pages can be embedded in frames, preventing clickjacking. Superseded by CSP frame-ancestors. Read more: X-Frame-Options: Preventing Clickjacking →
XML Sitemap
A file listing the URLs you want indexed, helping search engines discover pages quickly. Read more: XML Sitemaps: Helping Search Engines Find Everything →