TrustYourWebsite

How to Check If a Website Is Trustworthy (2026 Guide)

6 April 2026

You land on a website. Maybe you're thinking about buying something. Maybe a client sent you a link. Maybe you want to check your own site before customers do the same thing.

How do you tell if a website is trustworthy?

There are 10 concrete signals you can check in a few minutes. None of them require technical skills. All of them are publicly visible. And if a website fails on several of these, that tells you something about how seriously the owner takes their business.

1. HTTPS and a valid SSL certificate

Look at the address bar in your browser. Do you see a padlock icon? Does the URL start with https://?

If the answer is no, the connection between your browser and that website is not encrypted. Any data you type into a form, including passwords and payment details, can be intercepted. Browsers now show a "Not Secure" warning for sites without HTTPS, and for good reason.

A valid SSL certificate is the bare minimum for any website in 2026. Free certificates from Let's Encrypt have been available for years. There is no excuse for running without one.

What to look for: Click the padlock to see certificate details. Check that the certificate is issued to the correct domain and hasn't expired. Some phishing sites use HTTPS too, so a padlock alone doesn't mean the site is safe. But the absence of one is a clear red flag.
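The two certificate checks described above (issued to the correct domain, not expired) look like this in code. This is an added example, not part of the original guide; it runs on a constructed certificate in the dictionary format that Python's ssl.SSLSocket.getpeercert() returns, and the function names and shop.example hostnames are illustrative assumptions.

```python
import calendar
import ssl
import time

def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname (simplified RFC 6125 rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*.shop.example" never covers "a.b.shop.example"
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label; refuse "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_certificate(cert, host, now=None):
    """Return a list of problems; an empty list means both checks pass."""
    now = time.time() if now is None else now
    problems = []
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in dns_names):
        problems.append(f"not issued to {host} (covers: {', '.join(dns_names) or 'nothing'})")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired on {cert['notAfter']}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"not valid until {cert['notBefore']}")
    return problems

# Constructed sample certificate (not taken from a real site).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan  5 00:00:00 2026 GMT",
    "notAfter": "Apr  5 23:59:59 2026 GMT",
}

if __name__ == "__main__":
    today = calendar.timegm((2026, 4, 6, 0, 0, 0))  # fixed date so the output is repeatable
    for host in ("shop.example", "www.shop.example", "shop-example.test"):
        print(host, check_certificate(SAMPLE_CERT, host, now=today) or "ok")
```

Passing both checks only confirms that the certificate belongs to that hostname and is current; as noted above, a phishing site can pass them too.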

If your own site shows the "Not Secure" warning, read our guide on how to fix it.

2. A real privacy policy

Every website that collects any personal data needs a privacy policy. That includes sites with contact forms, analytics, newsletter signups or cookies. In practice, that means almost every website.

A privacy policy is not just a legal checkbox. It tells you who runs the site, what data they collect, what they do with it and who they share it with. A missing privacy policy is one of the clearest signs that a website owner hasn't thought about compliance at all.

What to look for: Check the footer for a link to the privacy policy. Open it and read the first few paragraphs. Does it name the company or person behind the site? Does it list the types of data collected? Does it mention the legal basis for processing? Does it explain your rights as a visitor?

A privacy policy that's clearly a generic template with "[Company Name]" placeholders is almost as bad as having none. It shows the owner copied something without reading it.

Our guide on privacy policy requirements covers every element a proper policy needs under GDPR.

3. Business registration details

In most European countries, businesses are legally required to display their registration details on their website. In the Netherlands, that means the KVK number. In the UK, the Companies House registration number. In Germany, a full Impressum with company name, address, managing director and registration court.

What to look for: Scroll to the footer or look for an "About" or "Imprint" page. You should find a registered business name, a physical address, and a registration number. For Dutch businesses, you can verify the KVK number at kvk.nl. For UK companies, check Companies House.

If a website selling products or services has no visible business registration, that's a significant red flag. It might be a legitimate business that's sloppy about compliance. Or it might be something else entirely.

Read more about when a KVK number is required on your website.

4. Cookie consent

Nearly every website sets cookies. The GDPR and ePrivacy Directive require websites to get consent before setting non-essential cookies like analytics and marketing trackers.

What to look for: When you first visit the site, does a cookie banner appear? Does it have a clear Reject button that's as easy to find as the Accept button? Or does it only offer "Accept" and "Manage preferences" where rejecting requires three more clicks?

A site that loads Google Analytics, Facebook Pixel and advertising cookies before you've clicked anything on the banner is violating the rules. You can check this by opening your browser's developer tools (F12) and looking at the cookies tab before interacting with the banner.

A cookie banner with no reject option, or one that uses dark patterns to push you toward accepting, tells you the site owner doesn't respect your choices. Our guide on cookie banner requirements explains what regulators actually expect.

5. Contact information you can verify

A trustworthy website makes it easy to get in touch. Look for a phone number, email address or physical address. Bonus points if the contact page lists an actual person's name or department rather than just a generic form.

What to look for: Is there a dedicated contact page? Does it list a real email address (not just a form with no alternative)? Is there a physical address? For e-commerce sites, EU consumer protection rules require a phone number or equivalent real-time communication channel.

If the only way to contact a business is through a web form with no confirmation that your message was received, be cautious. Legitimate businesses want to hear from their customers and make it straightforward.

6. Terms and conditions

Any website that sells products or services should have terms and conditions. For online shops in the EU, this isn't optional. Consumer protection directives require clear information about delivery, returns, payment methods and the right of withdrawal.

What to look for: Check the footer for a link to terms and conditions or general terms of sale. For an online shop, the terms should cover: delivery times and costs, payment methods accepted, the 14-day right of withdrawal, the complaint procedure, and any warranties.

Vague terms, or terms clearly written for a different type of business, suggest the owner hasn't invested in getting things right. Missing terms on an e-commerce site is a legal violation in most EU countries.

7. Up-to-date CMS and no visible vulnerabilities

You can't always tell from the outside whether a website's software is up to date. But there are clues.

What to look for: Check the page source (right-click, View Source). Many WordPress sites reveal their version in a meta tag like <meta name="generator" content="WordPress 6.x" />. If that version is more than a year old, the site is likely running outdated software with known security holes.

Other red flags: login pages accessible at default URLs (like /wp-admin), visible error messages that expose server details, and pages that load mixed HTTP and HTTPS content.
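The page-source checks above (the generator meta tag and mixed HTTP/HTTPS content) can be run over saved HTML. This is an added example, not part of the original guide; the HTML sample is constructed, and the class name, function name and example hostnames are illustrative assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class SourceAudit(HTMLParser):
    """Collect the generator meta tag and http:// subresources from one page."""
    # Tag/attribute pairs the browser fetches while rendering (a subset).
    # <a href> is deliberately absent: a link is not loaded with the page.
    FETCHED = {"script": "src", "img": "src", "iframe": "src",
               "audio": "src", "video": "src", "source": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.is_https = urlparse(page_url).scheme == "https"
        self.generator = None
        self.mixed = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        attr = self.FETCHED.get(tag)
        if self.is_https and attr and a.get(attr):
            # Resolve relative and protocol-relative (//host/path) URLs first.
            absolute = urljoin(self.page_url, a[attr])
            if urlparse(absolute).scheme == "http":
                self.mixed.append(absolute)

def audit(page_url, html):
    parser = SourceAudit(page_url)
    parser.feed(html)
    return {"generator": parser.generator, "mixed_content": parser.mixed}

# Constructed page source (not taken from a real site).
SAMPLE = """<html><head>
<meta name="generator" content="WordPress 6.x" />
<script src="http://cdn.example/jquery.js"></script>
</head><body>
<img src="//img.example/logo.png" alt="Logo">
<img src="http://img.example/banner.jpg" alt="Banner">
<a href="http://partner.example/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    print(audit("https://shop.example/", SAMPLE))
```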

Our security checklist for small businesses walks through 10 things you can check and fix today.

8. Proper image licensing

This one is less obvious but increasingly relevant. Websites that use images with visible watermarks, or that load images directly from stock photo CDNs without a license, are either careless or cutting corners. Copyright holders and their enforcement agencies actively scan the web for unlicensed images and send claims that can cost thousands of euros.

What to look for: Are there images with faint watermark text across them? Do image URLs contain domains like shutterstock.com, gettyimages.com or istockphoto.com? These are signs the images were taken from stock libraries without paying for a license.

A website using stolen images is unlikely to be careful about other things either. If you're checking your own site, read our guide on how to scan your website for copyrighted images.

9. Accessibility basics

Website accessibility is not just about being inclusive. In the EU, the European Accessibility Act (EAA) is expanding requirements to cover many private sector websites from June 2025 onward. A site that ignores accessibility entirely is behind on compliance.

What to look for: Try navigating the site using only your keyboard (Tab to move between elements, Enter to click). Can you reach all the main navigation links? Can you use forms? Is there visible focus indication showing which element is currently selected?

Check if images have alt text by right-clicking an image and selecting "Inspect." For images that convey information, the <img> tag should have an alt attribute with a meaningful description, not just alt="" or nothing at all.

Also look at color contrast. If you struggle to read text because it's light grey on a white background, visitors with low vision will have a much harder time.

10. Security headers

This is the most technical check on the list, but it takes 10 seconds. Go to securityheaders.com and type in the website URL.

What to look for: A grade of A or B means the site has proper security headers configured. These headers tell browsers how to handle the site's content and protect against common attacks like clickjacking and cross-site scripting.

A grade of D or F means basic protections are missing. The site might still work fine, but it's more vulnerable to certain types of attacks. For a site that handles payments or personal data, that's concerning.
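To show what the headers behind such a grade actually do, the following reviews a set of response headers for the clickjacking and cross-site scripting protections mentioned above, plus HSTS and MIME sniffing. This is an added example, not part of the original guide and not how securityheaders.com calculates its grade; the function names and both header sets are constructed, and the checks are simplified.

```python
def directives(value):
    """Parse 'name arg arg; name2 arg' header values into {name: [args]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def review_headers(headers):
    """Map each protection to 'ok', 'weak: ...' or 'missing: ...'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = directives(h.get("content-security-policy", ""))
    found = {}
    # Clickjacking: CSP frame-ancestors, or the older X-Frame-Options header.
    xfo = h.get("x-frame-options", "").strip().upper()
    framed_ok = "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN")
    found["clickjacking"] = "ok" if framed_ok else "missing: any site can frame this page"
    # Cross-site scripting: script-src falls back to default-src when absent.
    src = csp.get("script-src", csp.get("default-src"))
    if src is None:
        found["xss"] = "missing: no policy restricts scripts"
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
        pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
        loose = "*" in src or ("'unsafe-inline'" in src and not pinned)
        found["xss"] = "weak: inline or any-origin scripts allowed" if loose else "ok"
    # HTTPS downgrade: max-age=0 tells the browser to forget the HSTS policy.
    hsts = directives(h.get("strict-transport-security", "").replace("=", " "))
    age = (hsts.get("max-age") or ["0"])[0].strip('"')
    age_ok = age.isdigit() and int(age) > 0
    found["https_downgrade"] = "ok" if age_ok else "missing: no effective HSTS policy"
    # MIME sniffing: the only defined value is nosniff.
    sniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    found["mime_sniffing"] = "ok" if sniff else "missing: X-Content-Type-Options"
    return found

# Constructed response headers: a weak set and a hardened set.
WEAK = {"Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=0"}
HARDENED = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review_headers(sample))
```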

Checking your own website

If you run a website, go through all 10 points above with your own site. Be honest about what you find. Most small business websites fail on at least 3 or 4 of these checks, usually because the web designer set things up and nobody checked the compliance details.

Here's the priority order for fixing things:

  1. HTTPS. If you don't have it, everything else is secondary. Fix this first.
  2. Privacy policy. If you collect any data at all, you need one. It's also the most common thing regulators check.
  3. Cookie consent. If your banner doesn't have a proper reject option, or if scripts fire before consent, fix it. The Dutch AP and other regulators are actively enforcing this.
  4. Business details. Add your KVK number, company name and address to the footer. Takes five minutes.
  5. Everything else. Work through the remaining items. Most of them are one-time fixes.

Our GDPR compliance checklist covers the full set of requirements in detail.

Checking a website before buying from it

If you're about to enter payment details on a website you haven't used before, spend two minutes on these checks:

Look at the basics. Does it have HTTPS? Is there a company name and address in the footer? Can you find a real phone number or email? If any of these are missing, don't enter your payment details.

Check the business registration. For Dutch sites, look for a KVK number and verify it at kvk.nl. For UK sites, search Companies House. A registered business has accountability. An anonymous website does not.

Read the terms. Specifically, look for the return policy and delivery information. EU law gives you a 14-day withdrawal right for most online purchases. If the site doesn't mention this, the owner either doesn't know the law or is hoping you won't exercise your rights.

Look for the cookie banner. This might seem unrelated to shopping safety, but a site that can't get cookie consent right probably isn't careful about handling your payment data either. It's a proxy for overall professionalism.

Search for reviews outside the site. Don't trust reviews displayed on the website itself. Search for the business name plus "review" or "complaint" on Google. Check Trustpilot, Google Reviews or local review platforms.

Automated checking with our scanner

Going through all 10 checks manually takes time, especially if you want to be thorough. That's what our scanner is built for.

Enter any website URL and the scanner checks HTTPS, privacy policy, business details, cookie consent, security headers, accessibility basics and more. It runs over 35 individual checks across security, privacy and compliance categories.

You get a trust score out of 100 and a breakdown of exactly what passed and what needs attention. For your own website, it's a fast way to find the gaps before your customers or a regulator does.
