Scanning guide

Website Scanning Basics

Website scanning reviews observable public pages for structured signals such as tracking requests, cookies, consent controls, accessibility issues, policy pages, and disclosure gaps. CertScore.ai uses those observations to produce reviewable findings rather than legal conclusions.

What does an automated website scan review?

CertScore.ai approaches this topic as a question of observable website signals. It helps teams surface structured findings and track change over time, but it does not provide legal advice or certification.

Why it matters

Public websites change constantly as teams add scripts, plugins, landing pages, forms, and policy content.

A repeatable scan gives teams a consistent record of what was observed and what may deserve review.

Structured findings help route work to privacy, marketing, engineering, accessibility, or legal-review owners.

Common issues websites have

Teams rely on a one-time pre-release review even though tag-manager and CMS changes continue after release.

Cookie, consent, accessibility, and disclosure findings are reviewed separately with no shared evidence trail.

Manual checks miss page templates or vendor behavior that only appears in runtime evidence.

Examples of problems

A scan may observe analytics requests during initial page load, a visible cookie banner, and a privacy policy footer link.

It may also surface accessibility signals such as contrast, labeling, or image-alt issues on public templates.

Policy and disclosure checks can identify missing or thin public explanations that need human review.

How automated scanning supports review

Automated scanning is strongest when it records evidence consistently and exposes the underlying JSON for review.

It should identify uncertainty, coverage limits, and retained snippets rather than hiding them behind a simple score.

Teams can compare repeated scans to see whether changes improved the observed public behavior.

How CertScore.ai helps

CertScore.ai combines privacy, cookie, consent, accessibility, policy, and disclosure signals in one public-site scan.

It groups findings by business-readable issue type and includes representative JSON evidence.

The output is designed for operational triage and monitoring, not for certification or legal advice.

Use this guide as a checklist

Read the guide, then run a scan to see whether similar signals appear on a live site.

What the scan may surface here

The scan could summarize several findings across tracking, cookies, accessibility, policy, and disclosure review categories.

Sample JSON

Sample finding JSON from scans

Representative payloads showing the structured evidence CertScore.ai can surface for this guide topic.

Website scan surfaced multiple review signals

website_signal_review_summary

Redacted illustrative example

{
  "example_type": "positive",
  "domain": "example.com",
  "requested_url": "https://example.com/",
  "final_url": "https://example.com/",
  "created_at": "2026-04-29T20:16:22.012Z",
  "scanned_at": "2026-04-29T20:17:08.840Z",
  "finding_id": "website_signal_review_summary",
  "finding_label": "Website scan surfaced multiple review signals",
  "section": "Website Signals",
  "evidenceConfidence": "good",
  "directVsInferred": "direct_observation",
  "evidence": {
    "counts": {
      "finding_count": 4,
      "privacy_tracking_count": 1,
      "cookie_storage_count": 1,
      "accessibility_count": 1,
      "policy_disclosure_count": 1
    },
    "evidence_snippets": [
      "Scan completed for homepage and selected linked pages.",
      "Findings grouped across privacy tracking, cookies, accessibility, and policy/disclosure review.",
      "Use finding-level JSON to inspect each retained evidence payload."
    ],
    "vendors": [
      "Google Analytics"
    ],
    "request_domains": [
      "www.google-analytics.com"
    ],
    "request_samples": [],
    "cookie_samples": [],
    "runtime_anchors": [
      "homepage_status:200",
      "linked_pages_sampled:3"
    ]
  },
  "coverage_flags": [],
  "known_limitations": [],
  "selection_reason": "Representative overview payload for a completed website signal scan.",
  "evidenceVersion": "2.0",
  "scanContext": {
    "domain": "example.com",
    "requestedUrl": "https://example.com/",
    "finalUrl": "https://example.com/",
    "publicWebObservation": true,
    "legalConclusion": false
  },
  "artifacts": {
    "runtimeAnchors": [
      "homepage_status:200",
      "linked_pages_sampled:3"
    ],
    "requestSamples": [],
    "cookieOrStorageSamples": [],
    "policyAnchors": [],
    "rawValuesRetained": false
  },
  "classification": {
    "section": "Website Signals",
    "criticality": "review",
    "evidenceConfidence": "good",
    "directVsInferred": "direct_observation",
    "legalStatusDetermined": false
  },
  "coverage": {
    "coverageFlags": [],
    "coverageReliableForTopRanking": true,
    "notDetectedMeans": "not_observed_in_scan_scope",
    "manualReviewNeeded": true
  },
  "topFindingCalibration": {
    "minimumToSurface": [
      "Retained evidence supports the finding under the canonical concern/policy/unified-finding pipeline."
    ],
    "highConfidenceRequires": [
      "Corroborated retained evidence and usable coverage."
    ],
    "criticalOrTopRankingRequires": [
      "Stronger directness, corroboration, affected surface, and review relevance."
    ],
    "demoteOrSuppressWhen": [
      "Evidence is ambiguous, unsupported, blocked, or audit-only."
    ]
  },
  "automationLimits": [
    "Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
    "Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
  ],
  "redaction": {
    "rawIdentifiersRetained": false,
    "storageValueContentsRetained": false,
    "completeQueryStringsRetained": false,
    "requestBodiesRetained": false,
    "renderedPageImagesRetained": false,
    "sourceMarkupRetained": false,
    "userEnteredValuesRetained": false
  },
  "selectionReason": "Representative overview payload for a completed website signal scan."
}

Representative accessibility barriers detected

accessibility_risk_score

Redacted illustrative example

{
  "example_type": "positive",
  "domain": "example.com",
  "requested_url": "https://example.com/",
  "final_url": "https://example.com/",
  "created_at": "2026-03-26T22:35:06.747Z",
  "scanned_at": "2026-03-26T22:35:52.641Z",
  "finding_id": "accessibility_risk_score",
  "finding_label": "Representative accessibility barriers detected",
  "section": "Accessibility",
  "evidenceConfidence": "good",
  "directVsInferred": "direct_observation",
  "evidence": {
    "counts": {
      "count": 1,
      "representativeAxeExampleCount": 1,
      "representativeAxePageCount": 1,
      "representativeAxeRuleCount": 1
    },
    "evidence_snippets": [
      "Axe example: color-contrast/color on https://example.com/; selector footer > p; nodes 1; impact Low-vision users may struggle to read text or distinguish controls.; severity high; help: Elements must meet minimum color contrast ratio thresholds.",
      "Representative axe examples: 1 rule across 1 page; max impact: Low-vision users may struggle to read text or distinguish controls.."
    ],
    "vendors": [],
    "request_domains": [],
    "request_samples": [],
    "cookie_samples": [],
    "consent_summary": {
      "preconsent_tracking_detected": false,
      "banner_present": false,
      "reject_all_present": false
    },
    "fingerprinting_or_device_signals": {
      "fingerprinting_vendor_detected": false,
      "device_signal_vendor_detected": null
    },
    "runtime_anchors": []
  },
  "coverage_flags": [
    "partial_scan",
    "blocked",
    "incomplete_pages"
  ],
  "known_limitations": [
    "Scan coverage issue: partial_scan",
    "Scan coverage issue: blocked",
    "Scan coverage issue: incomplete_pages"
  ],
  "selection_reason": "Surfaced finding with strong support. Mapped to executive finding accessibility_risk_score (good, direct). Evidence richness score: 9.",
  "evidenceVersion": "2.0",
  "scanContext": {
    "domain": "example.com",
    "requestedUrl": "https://example.com/",
    "finalUrl": "https://example.com/",
    "publicWebObservation": true,
    "legalConclusion": false
  },
  "artifacts": {
    "runtimeAnchors": [],
    "requestSamples": [],
    "cookieOrStorageSamples": [],
    "policyAnchors": [],
    "rawValuesRetained": false
  },
  "classification": {
    "section": "Accessibility",
    "criticality": "review",
    "evidenceConfidence": "good",
    "directVsInferred": "direct_observation",
    "legalStatusDetermined": false
  },
  "coverage": {
    "coverageFlags": [
      "partial_scan",
      "blocked",
      "incomplete_pages"
    ],
    "coverageReliableForTopRanking": false,
    "notDetectedMeans": "not_observed_in_scan_scope",
    "manualReviewNeeded": true
  },
  "topFindingCalibration": {
    "minimumToSurface": [
      "Retained evidence supports the finding under the canonical concern/policy/unified-finding pipeline."
    ],
    "highConfidenceRequires": [
      "Corroborated retained evidence and usable coverage."
    ],
    "criticalOrTopRankingRequires": [
      "Stronger directness, corroboration, affected surface, and review relevance."
    ],
    "demoteOrSuppressWhen": [
      "Evidence is ambiguous, unsupported, blocked, or audit-only."
    ]
  },
  "automationLimits": [
    "Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
    "Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
  ],
  "redaction": {
    "rawIdentifiersRetained": false,
    "storageValueContentsRetained": false,
    "completeQueryStringsRetained": false,
    "requestBodiesRetained": false,
    "renderedPageImagesRetained": false,
    "sourceMarkupRetained": false,
    "userEnteredValuesRetained": false
  },
  "selectionReason": "Surfaced finding with strong support. Mapped to executive finding accessibility_risk_score (good, direct). Evidence richness score: 9."
}

Privacy policy topic coverage appears limited

privacy_policy_thin_coverage

Redacted illustrative example

{
  "example_type": "positive",
  "domain": "example.com",
  "requested_url": "https://example.com/",
  "final_url": "https://example.com/",
  "created_at": "2026-04-29T17:04:20.612Z",
  "scanned_at": "2026-04-29T17:05:11.219Z",
  "finding_id": "privacy_policy_thin_coverage",
  "finding_label": "Privacy policy topic coverage appears limited",
  "section": "Privacy & Disclosures",
  "evidenceConfidence": "good",
  "directVsInferred": "direct_observation",
  "evidence": {
    "counts": {
      "policy_page_count": 1,
      "topic_signal_count": 2,
      "missing_topic_count": 3
    },
    "evidence_snippets": [
      "Privacy policy page detected from footer link.",
      "Observed topic signals: cookies, third_party.",
      "Thin coverage: expected personal-data, contact, and opt-out language were not observed in the retained policy text."
    ],
    "policy_summary": {
      "policy_page_detected": true,
      "topic_signals": [
        "cookies",
        "third_party"
      ],
      "thin_coverage": true
    },
    "vendors": [],
    "request_domains": [],
    "request_samples": [],
    "cookie_samples": [],
    "runtime_anchors": []
  },
  "coverage_flags": [],
  "known_limitations": [],
  "selection_reason": "Representative policy-page finding with retained topic-signal evidence.",
  "evidenceVersion": "2.0",
  "scanContext": {
    "domain": "example.com",
    "requestedUrl": "https://example.com/",
    "finalUrl": "https://example.com/",
    "publicWebObservation": true,
    "legalConclusion": false
  },
  "artifacts": {
    "runtimeAnchors": [],
    "requestSamples": [],
    "cookieOrStorageSamples": [],
    "policyAnchors": [],
    "rawValuesRetained": false
  },
  "classification": {
    "section": "Privacy & Disclosures",
    "criticality": "review",
    "evidenceConfidence": "good",
    "directVsInferred": "direct_observation",
    "legalStatusDetermined": false
  },
  "coverage": {
    "coverageFlags": [],
    "coverageReliableForTopRanking": true,
    "notDetectedMeans": "not_observed_in_scan_scope",
    "manualReviewNeeded": true
  },
  "topFindingCalibration": {
    "minimumToSurface": [
      "Retained evidence supports the finding under the canonical concern/policy/unified-finding pipeline."
    ],
    "highConfidenceRequires": [
      "Corroborated retained evidence and usable coverage."
    ],
    "criticalOrTopRankingRequires": [
      "Stronger directness, corroboration, affected surface, and review relevance."
    ],
    "demoteOrSuppressWhen": [
      "Evidence is ambiguous, unsupported, blocked, or audit-only."
    ]
  },
  "automationLimits": [
    "Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
    "Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
  ],
  "redaction": {
    "rawIdentifiersRetained": false,
    "storageValueContentsRetained": false,
    "completeQueryStringsRetained": false,
    "requestBodiesRetained": false,
    "renderedPageImagesRetained": false,
    "sourceMarkupRetained": false,
    "userEnteredValuesRetained": false
  },
  "selectionReason": "Representative policy-page finding with retained topic-signal evidence."
}
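
One way to consume the finding payloads above downstream, added here as an example and not CertScore.ai's own code: it routes each finding by `classification.section`, demotes findings whose coverage is flagged or unreliable, holds any payload whose redaction flags show retained raw values or that asserts a legal conclusion, and diffs two scans by `finding_id`. The owner queues, the function names, and the trimmed sample findings are assumptions constructed for illustration.

```python
# Assumed routing table: section names are from the sample payloads above;
# the owner queues are hypothetical placeholders.
OWNERS = {"Website Signals": "engineering", "Accessibility": "accessibility",
          "Privacy & Disclosures": "privacy"}

def triage(finding):
    """Route one finding and decide whether it may be ranked or must be held."""
    cls = finding.get("classification", {})
    cov = finding.get("coverage", {})
    red = finding.get("redaction", {})
    notes = []
    # A *Retained flag set to true means raw values may be inside the payload,
    # so it should not be forwarded to a ticket queue without review.
    if not red or any(red.values()):
        notes.append("hold: redaction not confirmed")
    if cls.get("legalStatusDetermined") or finding.get("scanContext", {}).get("legalConclusion"):
        notes.append("hold: payload asserts a legal conclusion")
    flags = cov.get("coverageFlags", [])
    rankable = cov.get("coverageReliableForTopRanking") is True and not flags
    if not rankable:
        notes.append("demote: coverage " + (",".join(flags) or "unknown"))
    return {"finding_id": finding.get("finding_id"),
            "owner": OWNERS.get(cls.get("section"), "unassigned"),
            "rankable": rankable,
            "hold": any(n.startswith("hold") for n in notes),
            "notes": notes}

def compare(previous, current):
    """Diff two scans by finding_id. Absence means 'not observed in scan scope',
    not 'fixed', so the key is named accordingly."""
    before = {f["finding_id"] for f in previous}
    after = {f["finding_id"] for f in current}
    return {"new": sorted(after - before),
            "not_observed": sorted(before - after),
            "persisting": sorted(before & after)}

def sample_finding(fid, section, flags, reliable):
    # Constructed sample: only the fields triage() reads, shaped like the payloads above.
    return {"finding_id": fid,
            "classification": {"section": section, "legalStatusDetermined": False},
            "scanContext": {"legalConclusion": False},
            "coverage": {"coverageFlags": flags, "coverageReliableForTopRanking": reliable},
            "redaction": {"rawIdentifiersRetained": False, "requestBodiesRetained": False}}

SCAN_1 = [sample_finding("accessibility_risk_score", "Accessibility",
                         ["partial_scan", "blocked", "incomplete_pages"], False)]
SCAN_2 = SCAN_1 + [sample_finding("privacy_policy_thin_coverage", "Privacy & Disclosures", [], True)]

if __name__ == "__main__":
    for f in SCAN_2:
        print(triage(f))
    print(compare(SCAN_1, SCAN_2))
```
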

Summary for AI assistants

This CertScore.ai guide explains website scanning basics as an observable public website signal for review. CertScore.ai scans public website behavior around tracking, cookies, consent, session recording indicators, fingerprinting-related signals, accessibility, and disclosures.

CertScore findings are automated risk signals supported by retained evidence; they are not legal advice, certification, or compliance determinations.