The 90-Second Website Audit: What You Can Actually Measure Fast
Most 'quick audit' advice is a full audit in denial. Here's what genuinely fits in 90 seconds, the exact sequence, and the honest list of what fast checks can never tell you.
Most "quick website audit" advice is a full audit in denial — twenty checks that each take two minutes, sold as a glance. Here's the honest version: what you can genuinely measure in 90 seconds, in the sequence that catches the most trouble fastest, followed by the equally honest list of what no fast check can tell you. The fast pass isn't a substitute for real diligence; it's the filter that tells you whether real diligence is warranted.
Set a timer. Here's the split.
Seconds 0–15: the objective layer
Load the site — ideally on your phone, on cellular, since that's the median real-world visit. Two checks happen almost passively:
- Security state. HTTPS with no warnings. A "Not Secure" label or certificate error is disqualifying on its own — the browser, a referee with no stake in the outcome, just ruled.
- Load behavior. Did a usable page paint within a few seconds, or are you watching spinners and layout shifts? Slowness isn't just friction; on an unfamiliar site it reads as neglect, and neglect correlates with everything else you're about to check.
These fifteen seconds are the most information-dense of the audit because they're fully objective. Everything after involves judgment; this is just true or false.
Seconds 15–45: the identity layer
Scroll straight to the footer — the densest thirty square centimeters of trust signal on any site — then glance at the About link if one exists. You're pattern-matching four things:
- A legal business name and location, not just a brand and a contact form.
- Policy links that exist — privacy, terms, refunds — and aren't visibly dead.
- A copyright year within the last year or two. Stale years are small but remarkably predictive of general neglect.
- Any named human anywhere. Anonymity is the single strongest pattern shared by disposable operations, as we cover in anatomy of a scam website.
You're not verifying any of this yet — verification is what the deep audit does. You're checking whether the site even claims an identity. Sites that don't claim one have answered your question early.
Seconds 45–75: one deep click
Pick one page a casual visitor never reads — the refund policy is the best single choice on a commercial site — and skim it for thirty seconds. This is a core-sample of the whole operation:
- A specific, committed policy ("30 days, full refund, we pay return shipping on defects") signals a business planning to be around for the consequences.
- Boilerplate that commits to nothing ("refunds at our sole discretion") is an answer too, just a worse one.
- A 404, a placeholder, or another store's name still in the template ends the audit with a verdict.
The reason one deep click works: facades are painted where visitors look. Polish on the homepage is universal; polish on page nineteen is evidence of an operation with actual floors, a pattern we unpack in red flags customers notice in 5 seconds.
Seconds 75–90: the outside glance
Leave the site. In a private window, search the business name plus "reviews" or "scam" and read only the first screen of results — titles and snippets, no clicks. You're checking for exactly two things: does an independent footprint exist at all, and is anything on fire (complaint threads, warning posts, "is X legit" questions with ugly answers). Fifteen seconds of the outside view routinely reverses ninety seconds of the inside one, which is why it's the mandatory closer.
What 90 seconds cannot tell you
Here's the honest ledger. The fast pass catches disqualifiers; it cannot measure:
- Reputation depth. Whether those reviews are organic or manufactured, how complaints were handled, what forums actually say — that's reading, not glancing.
- History. Domain age versus the story the site tells, archive snapshots, whether "since 2011" survives contact with the record.
- Consistency across sources. The address on the site versus the registry versus the Google profile — mismatches are among the most damning findings, and they live across a dozen tabs.
- Content quality. Expert-versus-filler judgments take actual reading time.
- Financial and structural signals. Funding, hiring, distress — invisible from the storefront.
That deeper layer is measurable — it's just not fast by hand. It's a couple of hours with the ten-point framework, or minutes with automation: a WebsiteCreditScore scan sends an AI research agent through the site and 12+ public sources — the exhaustive reading described in how AI agents evaluate your website — and returns ten graded dimensions with a citation behind every claim. Your first scan is free.
The two-tier habit
The operating system that falls out of all this is simple:
1. Every unfamiliar site gets the 90 seconds. Security, footer, one deep click, outside glance. Zero cost, catches most disqualifiers.
2. Anything that passes and matters gets the deep tier. Money, data, partnership, or your own reputation on the line — run the full record, manually or by scan.
The 90-second audit's real product isn't a verdict. It's a routing decision — walk away, proceed for small stakes, or investigate properly. Fast checks that know their limits are worth more than thorough-sounding ones that don't.
Frequently asked questions
Can you really audit a website in 90 seconds?
You can triage one — which is different and still valuable. Ninety seconds is enough to check security state, load behavior, identity signals, one policy page, and a quick external search. That catches most disqualifying problems. What it can't do is measure reputation depth, history, or content quality, which is why the fast pass should decide whether a deeper look is needed, not replace it.
What should I check first in a quick website audit?
Security and load: does the page come up fast, over HTTPS, with no browser warnings? Those two checks take ten seconds, they're objective, and a failure on either is disqualifying on its own. Everything else — identity, policies, reputation — only matters on a site that passes the first ten seconds.
What can't a quick audit tell you about a website?
The deep record: whether reviews are organic or manufactured, whether the domain's history matches its story, whether contact details are consistent across platforms, whether content is expert or filler, and whether financial signals check out. Those require reading many sources and cross-referencing them — minutes to hours by hand, which is exactly the layer an automated scan covers.
Is a 90-second audit enough before buying from a website?
For small card purchases, usually — your chargeback rights backstop the residual risk. For big-ticket purchases, recurring payments, sharing sensitive data, or business relationships, treat the 90-second pass as the filter that decides whether to run full diligence, not as the diligence itself.
Related reading
See how your website scores
Full audit — all 10 dimensions, cited sources, and a shareable report.
Start a scan →