Web Presence Quality

Web Presence Quality looks at the actual HTML your primary host returns and penalizes default web server pages (nginx welcome page, Apache test page), parked or placeholder pages, redirect-only primaries, and very thin content. The intent is narrow: an empty or default-hosting page should not get the same score as a hardened production site, so the rest of Web Application Security cannot inflate a score for a site that is functionally empty.

What this check is NOT: a SEO ranking, a brand judgment, or a content-quality marketing assessment. It only flags pages that look like default, empty, or placeholder hosting.

How the check works

Per primary host (apex and same-zone hosts that returned HTML), the check produces a score from 0.0 to 1.0:

• 1.0: real content. Visible text above the threshold, real <title>, no default or placeholder patterns.
• 0.35: thin content. Under 120 visible characters of text, body under 4KB, no real title.
• 0.0: default server page (nginx welcome page, Apache default, IIS welcome).
• 0.0: parked or placeholder page ("coming soon", "this domain is for sale", parked-domain templates) when the page also has placeholder-like shape (low text, small body, no real title).
• 0.0: redirect-only primary (3xx response with under 40 characters of body text).

Per-host scores are weighted (apex weighted highest), averaged, and mapped to a verdict.

How the verdict maps to evidence

• Pass (low): weighted score at or above 0.9.
• Warn (medium): 0.55 to under 0.9.
• Fail (high): under 0.55.

The evidence shows host_rows for each primary host with the per-host score, status code, title, character count, and any matched reason codes. Aggregate counters tally how many hosts hit each reason.

Fix by reason code

default_server_page (high severity)

Your host is serving the unmodified default page from the web server distribution: nginx "Welcome to nginx!", Apache "It works!" or 2.4 default test page, IIS welcome screen, or similar. This usually means a server was provisioned for an application that never deployed, or a container started without your app config.

• Deploy your actual application to the host, or
• If the host is unused, take it offline and remove the DNS pointing at it.

parked_or_placeholder_site (high severity)

The page matches placeholder/parked patterns (coming-soon templates, domain-for-sale pages, registrar default landing pages) AND has placeholder-like shape (low text, small body). Typical sources: a registrar's parking page, a static "under construction" placeholder from before launch, or a marketing page that was never built out.

• Replace with your real application or an intentional holding page that has real content (an actual product page, an explanation of what the domain is for, contact information).
• If the domain is genuinely a non-public placeholder, accept the score; the check is being honest about what is published.

redirect_only_primary (medium severity)

The primary host returns a 3xx redirect with almost no body. The check sees no real content because the actual content lives at the redirect target.

• If the redirect bounces traffic to a sibling host (yourdomain.tld to www.yourdomain.tld), this is normal but currently penalized. Future versions of the check may follow same-zone redirects automatically.
• If the redirect goes to an entirely different domain (yourdomain.tld to yourbrand.com), the check should return N/A instead of redirect_only. If you see redirect_only_primary on a cross-domain redirect, file a scan-side issue.
• If the redirect was unintended, fix the redirect target or remove the redirect.

thin_web_presence (medium severity)

The page loaded but contains under 120 visible characters of text, under 4KB total body, and no real <title>. Typical of bare templates, single-line splash pages, or accidentally-deployed under-construction pages.

• Add meaningful HTML: a real <title>, a paragraph or two of visible text, basic structure. Even 200 to 300 characters of real content moves you out of thin-presence territory.
• If this is a bare API host that intentionally serves minimal HTML, treat the warn as a known false positive specific to API-only hosts.

web_primary_probe_unreachable (high severity)

The web probe could not reach the primary host at all (no HTTP response, transport failure, or upstream error). Fix Web Assessability first; this check picks up automatically once the probe succeeds.

web_presence_quality_reduced (fallback)

The score was less than 1.0 but no specific reason code matched. This usually happens when a host scored on the boundary of multiple thresholds. Review the host_rows directly: text_chars, body_bytes_captured, and title fields show what the page looked like.

Special states

Not Applicable

If your apex redirects to a different domain (yourdomain.tld to yourbrand.com), this check returns N/A and the redirect target is scored on its own scan. Audit whether the redirect is intentional.

Inconclusive

If no web probe ran, or every primary probe failed to return observable HTML (WAF block, transport failures, upstream errors), the check returns inconclusive with no score. Fix Web Assessability first.

Verify the fix

• curl -sL https://yourdomain.tld | wc -c gives a rough body size.
• curl -sL https://yourdomain.tld | grep -iE '<title>|coming soon|under construction|welcome to nginx|it works' looks for the patterns that trigger the check.
• Open the page in a browser and confirm it has real content, a real title, and no parked-domain branding.
• Re-run the RedScore lookup. The verdict moves to pass when the weighted host score reaches 0.9.

Common pitfalls

• Adding all the right security headers to a nginx default page. The headers will pass; this check still fails because the page is empty. Headers without content do not score as production-grade.
• Treating thin_web_presence as a content-marketing problem. The check only requires real HTML structure, not great copy. 200 to 300 characters of plain text and a real title is enough.
• Cross-domain redirects flagged as redirect_only. Should be N/A. If you see redirect_only on a cross-domain redirect, the apex redirect detection did not fire as expected; verify with curl -ILs https://yourdomain.tld.
• Same-zone redirects (apex to www) currently count as redirect_only. Until the check follows same-zone redirects, the practical fix is to serve real content at the apex too (even a thin landing page).
• Registrar default landing pages. If your domain registrar's parking page is still showing, you have not pointed DNS at your real host. Update DNS.
• Holding pages with no real content. "Coming soon" with no other text triggers placeholder detection. Add real text describing the project, contact info, or expected launch date.