How this page works
This page is not a marketing FAQ; it is R50's knowledge architecture. The questions are real decision questions distilled from the guide's 39 sections, the executive brief and the technical trust note. Two principles hold in every answer. First, the number contract: 2,033 is not a check count but a reference catalog; the working check layer is 319, counted from code. Any sentence that blurs that split is banned on this site. Second, claim safety: no answer promises ranking, traffic, AI citation, a live pass or a security guarantee; the engine's job is readiness, evidence and classification — grades and decisions belong to independent tools and to your teams. Below come the twenty critical questions executives and engineers ask most, followed by twenty-three categories, each with a short description and an anchor link. Where an answer is not enough, it links to the relevant page and to a document in the Evidence Hub — because on this site every claim must attach to downloadable proof.
Use the page at two speeds. The fast path: type a word into the search box — 'rollback', '319', 'pentest' — and the list narrows instantly; the category chips jump to anchors, and sharing the #link in your address bar drops a colleague straight into that category. The deep path: start with the Critical 20, then open the categories in order — the sequence follows how an organisation actually asks: first 'what is this?', then the numbers, the modes, the boundaries, delivery and process. Wherever an answer is not enough, the destination is fixed: the relevant deep-dive page and the document in the Evidence Hub. If your question is missing, that is a gap we want closed — write via the contact page, and where appropriate the question joins this architecture in the next release, source attached.
How do you audit these answers? Three steps: read the deep-dive section on the page an answer points to; download the matching document from the Evidence Hub and compare its SHA-256 against the value on the page; then run the live claims — headers, sitemap, schema — through independent tools yourself. No answer on this site says 'trust us'; every answer points to evidence you can reproduce.
Claim safety
Nothing on this page is a guarantee: the engine produces readiness, evidence and classification; live scores are verified after deployment with independent tools.
CRITICAL 20
The most-asked, first
Q: What can it see without touching the live site?
A: All in-file signals in ZIP/local input: meta, schema, header readiness, accessibility markers, static security patterns.
Q: ZIP vs live-URL analysis?
A: ZIP shows file truth; live URL shows response truth; headers and redirects finalize only live.
Q: What if the site breaks after SafeFix?
A: The rollback manifest reverts in one step; the backup dir ships in the package.
Q: How is the rollback manifest used?
A: Copy files back from the backup dir; the changed/created lists guide you.
Q: Which changes need human approval?
A: Meaning-changing content, brand/voice decisions, legal text and the publish decision.
Q: Why isn't the 2,033 catalog automated checks?
A: The catalog is a signal map; a check is code the engine runs. The two are deliberately separate.
Q: Why is 319 the more accurate number?
A: Counted from code, consistent with the code-level count, and free of inflation.
Q: What ROADMAP=0 is not?
A: Not 'everything automated'; every item attached to its correct artifact class.
Q: Is a runtime bridge a real measurement?
A: The bridge routes to a real tool; the tool measures, the engine fabricates nothing.
Q: Who executes external action recipes?
A: The owner or authorized ops; the engine writes instructions, never claims 'done'.
Q: Does the engine change Cloudflare settings?
A: No; it gives a step-by-step recipe.
Q: Does the engine upload to GoDaddy?
A: No; it provides upload instructions and the verification flow.
Q: Is the SecurityHeaders grade guaranteed?
A: No; readiness is produced, the grade is given live by the tool.
Q: Is the SSL Labs grade guaranteed?
A: No; it depends on server config and is measured live.
Q: Is the PageSpeed score guaranteed?
A: No; it depends on lab/field conditions.
Q: Does the engine produce CWV field data?
A: No; it comes from CrUX/PageSpeed.
Q: Any AI citation guarantee?
A: None; readability readiness instead.
Q: What is llms.txt for?
A: Access/summary directives for AI crawlers; supports identity clarity.
Q: What if JSON-LD is wrong?
A: Rich-result eligibility can break; hence type-page fit is audited.
Q: When is Build mode needed?
A: When new surfaces/pages are needed while preserving existing value.
METHOD How these answers were written
Every answer passed three filters. The source filter: the sentence an answer rests on must exist in the guide, the executive brief or the technical note — an unsourced answer cannot enter this page. The number filter: every figure in the text is a verbatim repeat of the published number contract; inventing numbers is banned. The claim filter: any draft containing a guarantee, a 'pass', a superlative or a competitor comparison was cut.
Some answers may therefore feel 'over-careful'. That is deliberate: an FAQ is a product's most-quoted surface, and a single loose sentence here returns tomorrow in a meeting as 'but your own site said…'. The caution is not this page's trait; it is the product's.
MISREADINGS Common misreadings
The fourteen mistakes below are the most frequent and costly in the field; each comes with its correct approach.
Mistake: Selling the catalog count as 'checks'
Correct approach: 2,033 is a reference map. Correct: 319 working checks; the map is explained separately.
Mistake: Promising a live A+
Correct approach: The tool grades live. Correct: produce readiness, verify independently post-deploy.
Mistake: Treating file production as done
Correct approach: Cache and server layers intervene. Correct: the Deploy-Verify pass is mandatory.
Mistake: 'Solving' CSP with inline onload
Correct approach: Strict CSP breaks the page. Correct: defer external scripts; avoid inline tricks.
Mistake: Creating a double CSP
Correct approach: Server+file policies intersect and narrow. Correct: detect the existing policy; keep one source.
Mistake: Stamping Product/Event schema everywhere
Correct approach: Wrong types break rich results. Correct: conditional rule — schema only when content exists.
Mistake: Leaving empty alt on non-decorative images
Correct approach: Information loss and accessibility debt. Correct: meaningful alt; empty only when decorative by intent.
Mistake: Letting robots contradict the sitemap
Correct approach: Blocked URLs remain in the sitemap. Correct: generate both from one source in sync.
Mistake: Mistaking static review for a pentest
Correct approach: Scope and law differ. Correct: written SAST↔DAST split; active tests with authorization.
Mistake: Reporting lab scores as field CWV
Correct approach: They are different truths. Correct: lab readiness and field data in separate columns.
Mistake: Counting DNS work as done
Correct approach: Records don't change until the recipe is applied. Correct: external action + verification step.
Mistake: Auto-PASSing manual items
Correct approach: The honesty layer is breached. Correct: flag, justify, route to a reviewer.
Mistake: Forgetting preview caches
Correct approach: Stale cards circulate for days. Correct: debugger refresh is part of the procedure.
Mistake: Quoting numbers without provenance
Correct approach: Every number gets challenged. Correct: the number ledger + registry row evidence.
BOARD QUESTIONS Board questions
Management decision questions: claim-safe answers to six critical questions.
The ten most frequent board questions, answered in claim-safe language
Q: What does this investment gain us?
A: It turns an unmeasured cost item (the web) into a measurable asset: scores, changed files, verification evidence. Decisions rest on tables, not feelings.
Q: Is our risk decreasing?
A: The static security review surfaces silent risks (secret leaks, exposed files, risky patterns); header recipes prepare to narrow the browser-side attack surface. The proof of reduction is before/after plus independent verification.
Q: Why not just buy a pentest?
A: You can — this product does not replace one and never claims to. Static review is continuous low-cost hygiene; a pentest is authorized periodic deep testing. They complement each other.
Q: Will we rise on Google?
A: No ranking promise is given. What is given is crawlability, consistency and readability readiness. Your content investment lands on solid technical ground.
Q: Will AI recommend us?
A: It cannot be guaranteed; no honest vendor can. What is done is building the signals that let AI systems read you correctly.
Q: Who is responsible if the site breaks?
A: Every change ships with a rollback manifest; one-step reversal exists. Publishing is always a human decision — the responsibility chain is clear.
Q: Does it conflict with our agency?
A: No; it complements as the evidence layer. The agency's delivery goes through Review and work is accepted with evidence — the relationship sheds ambiguity.
Q: Ongoing cost or one-off?
A: Governance is cyclical: Review→SafeFix→Verify→Monitor. Scope components (size, languages, modes, monitoring cadence) set the rhythm; figures sit outside this document.
Q: How is it different from competitors?
A: Number discipline: it never sells 2,033 as 'checks', counts 319 from code, and never translates ROADMAP=0 as 'everything automated'. The honest boundary is a feature for enterprise buyers.
Q: What do we see in the first 90 days?
A: The baseline report, the first SafeFix package, a live verification pass and the first Monitor comparison: four concrete evidence files.
HOW WERE THE CRITICAL 20 CHOSEN?
The twenty questions above are no marketing selection: they are lifted verbatim from the guide's own critical-questions section. The criterion was single — if an executive or engineer asks this at first contact and the answer stalls, trust is dented. All twenty reappear below inside their categories with longer counterparts; when the short answer is not enough, descend to the long one.

23 categories · 89 questions
With JavaScript off the search is inactive; every question stays reachable below.
General
This section gathers the 5 questions under general — for example: What is WebTrustEngine, Is it a scanning tool, Who is it for. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What is WebTrustEngine?
An evidence-first web governance engine.
Is it a scanning tool?
No; a Review→SafeFix→Deploy-Verify→Monitor loop.
Who is it for?
Executives, CMOs, CTOs, agencies and corporate web teams.
What is the output?
Score + changed files + rollback + recipes + a verification plan.
Input types?
ZIP, a local folder, or an authorized live URL.
R50 Numbers
This section gathers the 5 questions under r50 numbers — for example: Is it 2,033 automated checks, How many working checks, What does 1,258 integrated mean. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Is it 2,033 automated checks?
No; that is a reference catalog. Working checks are 319.
How many working checks?
319 (80+239).
What does 1,258 integrated mean?
Catalog-row coverage; not the working-check count.
Are the numbers consistent?
Counted from code: 80 checks / 26 fixers.
Why two levels?
Reference catalog ≠ working checks; separated for honesty.
The 2,033 Catalog
This section gathers the 4 questions under the 2,033 catalog — for example: What is the catalog, How many roadmap items, Distribution. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What is the catalog?
A map of the web-quality universe.
How many roadmap items?
0 — nothing left open.
Distribution?
INTEGRATED 1,258 · RUNTIME 197 · EXTERNAL 308 · CONDITIONAL 214 · MANUAL 55 · N/A 1.
Is every item bound?
Yes; implemented/runtime/external/conditional/manual/N-A.
319 Working Checks
This section gathers the 3 questions under 319 working checks — for example: Core vs granular, What does it detect, Does it produce fixes. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Core vs granular?
80 core + 239 granular = 319.
What does it detect?
Static meta/SEO/a11y/schema/security/performance signals.
Does it produce fixes?
26 SafeFix generators make reversible fixes.
SafeFix
This section gathers the 4 questions under safefix — for example: Is it risky, Is the site rebuilt, Is there rollback. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Is it risky?
No; low-risk and reversible.
Is the site rebuilt?
No; the existing structure is preserved.
Is there rollback?
Yes; a manifest plus a backup directory.
What does it fix?
Meta/canonical/OG/JSON-LD/sitemap/robots/headers/static assets.
Review
This section gathers the 3 questions under review — for example: Do files change, What does it give, Can it use a live URL. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Do files change?
No.
What does it give?
A risk map plus a decision baseline.
Can it use a live URL?
Yes, with authorization.
Build
This section gathers the 2 questions under build — for example: Does it set up a site, Based on what. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Does it set up a site?
It produces static surfaces; publishing is a separate decision.
Based on what?
Component/sector/language/schema/SEO/AEO.
Monitor / Deploy-Verify
This section gathers the 3 questions under monitor / deploy-verify — for example: What does it do, Is it a SOC, Why does it matter. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What does it do?
Compares against the baseline and reports the difference.
Is it a SOC?
No; a periodic evidence loop.
Why does it matter?
File production ≠ live effect.
Security
This section gathers the 3 questions under security — for example: What does SAST cover, Does it produce headers, OWASP. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What does SAST cover?
Secrets/exposure/client risk/server-side SAST/malware/weak crypto.
Does it produce headers?
A CSP/HSTS recipe plus security headers.
OWASP?
It provides related classification.
Pentest Boundary
This section gathers the 3 questions under pentest boundary — for example: Is it a pentest, Active testing, Why separate. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Is it a pentest?
No.
Active testing?
Only with authorization and a scope document.
Why separate?
A discipline of credibility.
SEO
This section gathers the 3 questions under seo — for example: SEO guarantee, What does it check, Broken links. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
SEO guarantee?
No; technical readiness.
What does it check?
Title/meta/canonical/hreflang/robots/sitemap/headings.
Broken links?
Full crawl at runtime; verified with Search Console.
AI/GEO/AEO
This section gathers the 3 questions under ai/geo/aeo — for example: AI citation guarantee, llms.txt, Entity clarity. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
AI citation guarantee?
No.
llms.txt?
It evaluates and suggests.
Entity clarity?
Identity/service-clarity readiness.
Structured Data
This section gathers the 3 questions under structured data — for example: Which types, Wrong-schema risk, Validation. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Which types?
Organization/WebSite/Service/FAQPage/BreadcrumbList and more.
Wrong-schema risk?
Rich results can break; conditional rules apply.
Validation?
The Rich Results Test.
Accessibility
This section gathers the 3 questions under accessibility — for example: Full-compliance guarantee, What is automated, What is manual. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Full-compliance guarantee?
No.
What is automated?
Alt/label/heading/landmark/language/table.
What is manual?
Contrast/focus/order/media description.
Performance
This section gathers the 3 questions under performance — for example: Does it measure CWV, What is static, CDN settings. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Does it measure CWV?
It does not produce field data; PageSpeed/CrUX verify.
What is static?
Compression/cache/minify/lazy readiness.
CDN settings?
It does not do them; it gives a recipe.
Privacy / Cookie
This section gathers the 2 questions under privacy / cookie — for example: Legal guarantee, What does it check. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Legal guarantee?
No; KVKK/GDPR require counsel.
What does it check?
Tracker visibility + cookie flags + policy link.
Hosting / DNS / Cloudflare
This section gathers the 3 questions under hosting / dns / cloudflare — for example: Does it fix DNS, Is Cloudflare required, HSTS preload. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Does it fix DNS?
No; it gives an external recipe.
Is Cloudflare required?
Not required, but a high-leverage suggestion.
HSTS preload?
Offered as a recipe.
External Action
This section gathers the 3 questions under external action — for example: What does it mean, Example, Does the engine apply it. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What does it mean?
Instructions for steps the engine cannot perform in files.
Example?
DNSSEC/SPF/DKIM/DMARC/CDN/SSL/security.txt.
Does the engine apply it?
No; the owner applies it.
Runtime Bridge
This section gathers the 3 questions under runtime bridge — for example: What is it for, Example, Fabricated measurement. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What is it for?
Checks that cannot be measured statically.
Example?
PageSpeed/SSL Labs/SecurityHeaders/contrast.
Fabricated measurement?
None; it routes to a real tool.
Manual Verification
This section gathers the 3 questions under manual verification — for example: Why does it exist, Which items, Are they excluded. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
Why does it exist?
An honesty layer; not everything is automated.
Which items?
A11y/legal/brand/content accuracy.
Are they excluded?
No; routed to a reviewer.
Delivery Files
This section gathers the 2 questions under delivery files — for example: What is delivered, Format. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What is delivered?
Engine + fixed site + rollback + score + recipes + report.
Format?
ZIP + MD/DOCX/PDF + CSV.
Boundaries
This section gathers the 3 questions under boundaries — for example: What does it not guarantee, Production PASS, Price. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
What does it not guarantee?
Ranking/traffic/AI citation/CWV/a live A+.
Production PASS?
No; evidence and readiness.
Price?
Not in the public document.
Application and Verification Depth
This section gathers the 20 questions under application and verification depth — for example: How is rollback tested, Why is a double CSP risky, The most frequent hreflang error. Answers align one-to-one with the guide and passed three filters: no unsourced sentence, no number outside the contract, no hint of a guarantee. If something stays open when you finish the section, the relevant deep-dive page and the Evidence Hub document are one click away.
How is rollback tested?
Copy one file back from the backup dir and open the site; a five-minute drill insures the real moment of need.
Why is a double CSP risky?
Server + file policies intersect and permissions narrow; pages break unexpectedly. The single-source rule exists for this.
The most frequent hreflang error?
One-way mapping: TR points to EN but EN never answers back. The reciprocity audit catches it at file level.
What is the llms.txt format?
Plain text at the root; identity, permission and summary directives. The engine proposes a sample file.
How long do social preview caches last?
It varies by platform; that is why debugger refresh is a mandatory step of the procedure.
What is IndexNow?
A protocol instantly notifying search engines of URL changes; offered as an external recipe.
What does security.txt do?
Defines a contact channel for security researchers; published under /.well-known/.
CrUX vs Lighthouse?
CrUX is real-user (field) data, Lighthouse is controlled-test (lab) data; reported in separate columns.
How is Monitor cadence chosen?
By your rate of change: frequently-publishing sites go monthly, stable corporate sites quarterly.
An example of a conditional rule?
Product schema is valid only on real product pages; FAQ schema is suggested only where a Q-A block exists.
A NOT-APPLICABLE example?
A server-side session item on a static site — marked not applicable by context.
How is the evidence package archived?
ZIP + checksums together in a version-named folder; the archive location is set on day one.
How do I verify checksums myself?
Unzip and run the standard verification command over the checksum file; all lines must return OK.
How should I prepare the ZIP?
From the root, with all assets; excluding node_modules/.git/backups. Details in Technical Trust Note §13.
How is authorization given for a live URL?
An ownership statement plus written permission suffices; access is read-only.
The collaboration model with an agency?
The agency produces, the engine evidences: delivery passes Review, acceptance is documented.
Does the process change for a multi-site portfolio?
The same frame applies per domain; the portfolio comparison table drives prioritisation.
Can the report language be chosen?
TR and EN outputs are supported; corporate packages ship both.
What happens to my input data?
Processed solely for evaluation; secret findings reported masked; retention/disposal per the scope agreement.
The most critical prep before the first run?
The full ZIP + the priority sentence + a named decision owner — with all three, work starts the same day.
STILL UNANSWERED?
If your question is not here
Eighty-nine questions cover a wide surface without exhausting it. If yours is missing, two routes: a technical detail most likely lives in the matching section of the technical trust note in the Evidence Hub; a scope or process matter follows the matching lane on the contact page. Replies use this site's language: sourced, bounded, guarantee-free. When a new frequently-asked question crystallises, the page is updated under release discipline and the change in question count is announced openly; silent growth is against the rules of this ledger.