← Back to HeyNews

Owner tools

For the owner of HeyNews (Visit site).

Ownership

This launch is unclaimed.

Claim this launch to get an owner link, re-scan after fixes, track your score improvements, or remove your site from StackScope entirely.

Claim this launch

Fixes that improve your score

Security

  • HIGHAdd the missing security response headers
    Missing: Referrer-Policy, X-Frame-Options, Permissions-Policy, Content-Security-Policy
    WhyEach header limits a class of browser-side attack: clickjacking, XSS, MIME sniffing, plaintext fallback. Missing headers leave default-permissive behaviour in place.
    WhereMost are one line each in your server config, reverse proxy, CDN, or framework headers.

Starter Content-Security-Policy

We didn't see a Content-Security-Policy header on your site. Here's a starter policy built from the 7 third-party vendors we detected (cookieyes, google-analytics, google-consent-mode, google-fonts, google-tag-manager, mixpanel, segment).

Content-Security-Policy-Report-Only:
default-src 'self';
script-src 'self' 'unsafe-inline' https://cdn-cookieyes.com https://cdn.mxpnl.com https://cdn.segment.com https://log.cookieyes.com https://www.google-analytics.com https://www.googletagmanager.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https://www.google-analytics.com https://www.googletagmanager.com;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://analytics.google.com https://api.mixpanel.com https://api.segment.io https://stats.g.doubleclick.net https://www.google-analytics.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
Test before enforcing. This is a starting point based on what we could detect from a public crawl, not a finished policy. Deploy as Content-Security-Policy-Report-Only first (as shown above), walk through your site with DevTools Console open, and relax the policy until no CSP violations fire. Only then rename the header to Content-Security-Policy to enforce.

We probably don't cover everything. Vendors that only load behind auth, self-hosted scripts, custom analytics, and anything we haven't fingerprinted yet won't appear here. Inline scripts work because we've included 'unsafe-inline'; you can tighten that later with nonces once the basic policy is stable. The Report-Only walkthrough will flag anything we missed. That's the whole point of starting there.

Optional improvements

These don't change your StackScope score but cover SEO, agent-readiness, security-researcher discoverability, and compliance items worth addressing.

Security

  • LOWAdd /.well-known/security.txt
    WhyLets security researchers report vulnerabilities responsibly through a published contact channel.
    WhereCreate /.well-known/security.txt with a Contact: email and Expires: date.

Email security

  • MEDIUMMove DMARC from p=none to quarantine or reject
    DMARC policy is p=none (monitoring only).
    Whyp=none lets receivers log failures but still deliver spoofed mail. Real protection only kicks in at quarantine or reject.
    WhereAfter reviewing a few weeks of rua= reports and confirming your real senders pass, change to p=quarantine (sends spoofs to spam) and then p=reject (blocks them outright).
  • MEDIUMFix or remove the broken MTA-STS deployment
    DNS record is published but the policy file couldn't be fetched.
    WhyReceivers expect a policy whenever the DNS record exists. If they can't fetch it, they ignore MTA-STS entirely, so your deployment effort is wasted.
    WhereEither fix the policy host (DNS, HTTPS cert, file path) or remove the _mta-sts TXT record so receivers stop checking.

Page basics & SEO

  • LOWTrim your <title> tag to under 60 characters
    Currently 61 characters: "Your Newsletter, Your Voice. Published in 5 Minutes | HeyNews"
    WhyGoogle truncates titles around 60 characters in search results, so anything past that gets cut off mid-sentence and costs click-through rate.
    WhereAim for 50-60 characters that include your main keyword and brand.
  • LOWTrim your meta description to under 160 characters
    Currently 230 characters: "HeyNews learns your writing style from past newsletters, curates stories from RSS, Reddit, social media, and blogs, then generates publish-ready issues in minutes. 14-day free trial. Free Growth Audit ($99 value) when you sign up."
    WhyGoogle truncates around 155-160 characters on desktop SERPs (less on mobile), so anything past that won't appear in the snippet.
    WhereEdit your <meta name="description"> tag. Put the most click-worthy phrase first.

Agent / AI

  • LOWAdd an llms.txt file
    WhyHelps AI models understand your site's content and how to use it. Not yet a standard but gaining adoption.
    WhereCreate /llms.txt at the site root with a brief overview and key URLs.

If a tip looks wrong (for example it says "add a consent banner" and you already have one) the detection's the bug, not you. StackScope sees what's public from the outside: HTTP response, rendered HTML, cookies, and DNS. We can miss vendors that load behind consent, are self-hosted, or use an install shape we haven't fingerprinted yet. Email [email protected] and we'll look into it.

Copy into Cursor, Claude, or ChatGPT

This prompt includes the detected stack and only the fixes StackScope found. It asks the AI to make concrete file-level changes, not a vague website review.

Score-affecting basics only. Ask your AI to handle these first; come back for the optional hardening once they're done.

Everything: score-affecting fixes plus optional email security, agent metadata, and best-practice items. Longer prompt, more for an "all in one" agent run.

Using an autonomous agent?

Point the agent at this SKILL.md URL and ask it to follow the skill. The framing stops agents defaulting to an open-ended page review.

https://stackscope.dev/launch/i5lfc1f3/skill.md

Share your score

Your score card renders automatically when you share the link.

Or embed a badge

Two badge options. Pick whichever fits your story.

Current score

Shows the latest score and updates within a few minutes of any recrawl. Best for ongoing display: if you fix something and recrawl, the badge reflects the new score automatically.

StackScope score

<a href="https://stackscope.dev/launch/i5lfc1f3/heynews"><img src="https://stackscope.dev/badge/i5lfc1f3/current.svg" alt="StackScope score for HeyNews" height="24" /></a>

Launch score

Pinned to your launch-day snapshot and never changes. Marked with a small gold corner ribbon. Best for press kits, launch retrospectives, or anywhere you want a permanent record of how you shipped.

StackScope launch score

<a href="https://stackscope.dev/launch/i5lfc1f3/heynews"><img src="https://stackscope.dev/badge/i5lfc1f3.svg" alt="StackScope launch score for HeyNews" height="24" /></a>

Using a Content-Security-Policy? Both badges are <img> tags from our domain, so your CSP needs to allow them. Add stackscope.dev to your img-src directive (example: img-src 'self' stackscope.dev;). Without it, browsers silently block the badge and visitors see a broken image.