Security Indicators
security-indicators
What this datapoint measures
HTTPS implementation, TLS certificate validity, security-header presence, and absence of mixed-content or other security warnings. Together these show whether the site presents to AI systems as a secure, properly configured property.
Security indicators matter for AI-mediated discovery because some AI systems decline to retrieve content from sites with security issues, and brands with security warnings lose user trust at the moment of click-through. A brand’s security posture is part of its credibility in the AI’s evaluation.
What high looks like
- HTTPS on all pages with a valid TLS certificate from a recognized CA
- Certificate covers all subdomains in scope, or an appropriate wildcard is used
- HSTS header present with an appropriate max-age
- Content-Security-Policy header present and configured correctly
- X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers present
- No mixed-content warnings (HTTPS pages loading HTTP resources)
- Certificate not nearing expiration
What low looks like
- HTTPS implemented but with a self-signed or expired certificate
- HTTPS available but HTTP version still served on some pages
- Mixed-content warnings on substantial portions of the site
- Missing standard security headers
- HSTS not configured
What at floor looks like
A brand at floor on security-indicators presents as insecure or improperly secured: HTTP-only pages, expired certificates, mixed content, missing security headers. AI systems may decline to retrieve content; users following AI citations encounter browser security warnings; the brand’s credibility takes a measurable hit.
The remedy is engineering work, typically scoped within O-4 or O-7. The effort is not large, but it requires coordination with whoever owns certificate management, server configuration, and CDN settings.
What affects this datapoint
- TLS certificate validity, recognition, and coverage
- HTTP-to-HTTPS redirect implementation
- Security header presence (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)
- Mixed-content avoidance
- Certificate expiration cadence
- Subresource Integrity for third-party scripts where appropriate
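The factors listed above, checked against one captured response, as an added example (not part of the original page or of any tool it describes). The hostname, headers, HTML and dates are constructed, and the one-year HSTS minimum and 30-day expiry warning are assumed thresholds, since the page says only "appropriate" and "nearing expiration".

```python
import re
from datetime import datetime, timezone

# Headers the page lists under "What high looks like".
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy"]
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year, in seconds
EXPIRY_WARN_DAYS = 30        # assumed threshold for "nearing expiration"

# Subresource tags whose src is plain HTTP. <a href> is navigation, not a
# subresource load, so it is deliberately not matched.
MIXED = re.compile(
    r'<(?:script|img|iframe|video|audio|source|embed)\b[^>]*?\bsrc\s*=\s*'
    r'["\'](http://[^"\']+)', re.I)

def audit(url, headers, html, cert_not_after, now):
    """Return a list of findings for one fetched page; empty means clean."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not url.lower().startswith("https://"):
        findings.append("page served over HTTP")
    findings += [f"missing header: {n}" for n in REQUIRED if n not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below threshold")
    findings += [f"mixed content: {u}" for u in MIXED.findall(html)]
    days_left = (cert_not_after - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings

# Constructed sample: a language subdomain with a lapsed certificate.
SAMPLE_URL = "https://ja.brand.example/"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = ('<a href="http://partner.example/">link</a>'
               '<img src="https://cdn.example/a.png">'
               '<script src="http://widgets.example/w.js"></script>')
SAMPLE_NOT_AFTER = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML,
                   SAMPLE_NOT_AFTER, SAMPLE_NOW):
        print(f)
```

Running the same function per subdomain and country domain gives the per-variant view that the multilingual case needs.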
OMG actions that influence this datapoint
| Action | Influence |
|---|---|
| O-4 Technical Infrastructure, Performance & International Foundation | Direct, primary. Security configuration is a core component of O-4. |
| O-7 Compliance & Trust Infrastructure | Substantial. O-7’s compliance work often surfaces security gaps that O-4 then remediates. |
Multilingual considerations
Security-indicators are language-neutral in implementation. However, multilingual sites with multiple subdomains or country-code top-level domains require certificate coverage across all of them. A brand whose primary domain has valid TLS but whose ja.brand.com subdomain has an expired certificate has a measurable security-indicator deficit on the Japanese variant specifically.
Common failure modes
- Certificate auto-renewal failure leaving the site with an expired certificate for hours or days
- Mixed-content from third-party widgets, embedded videos, or analytics tags loaded over HTTP
- HSTS not configured, leaving the site vulnerable to TLS-stripping attacks
- CSP configured incorrectly, breaking site functionality, and then disabled rather than fixed
- Subdomains without certificate coverage
- Country-domain certificates from less-recognized CAs
Diagnostic interpretation
Security-indicators at floor is a near-universal red flag. Modern web properties should not present as insecure. Remediation is high-priority and usually quick.
Security-indicators at low with HSTS missing but HTTPS otherwise correct indicates partial implementation. The remedy is to complete the security-header configuration.
Security-indicators at high with trust-signals (V3.2) at low indicates a brand with technically secure infrastructure but weak trust-signaling content. The two are independent; O-7 work may improve both.