Scanning Policy
Last updated: July 13, 2026
What is UNPWNED?
UNPWNED is a website security scanner that checks domains for publicly visible security vulnerabilities. Our scans only analyze information that is already accessible to anyone on the internet. We do not exploit vulnerabilities, extract private data, or modify anything on the target system.
How to Identify Our Scanner
Public, unverified scans identify with the User-Agent string below. Scans of a domain whose ownership has been verified with us (the owner consents to a scan of their own site) instead present a standard browser User-Agent, so a routine bot filter does not block the owner's own requested scan. A small number of read-only checks, most notably cloaking detection on deep scans, also use browser-like or crawler User-Agents (such as Googlebot) to test whether the site behaves differently for automated visitors. All such checks remain read-only and non-destructive.
If you see this User-Agent in your server logs, it means an UNPWNED user initiated a security scan on your domain. All scan requests originate from our cloud infrastructure (Vercel serverless functions) and not from the end user's device.
Allowlisting UNPWNED on Your Firewall
Many sites run behind WAFs (Cloudflare, Vercel Firewall, Netlify Edge, AWS WAF) that challenge or rate-limit unfamiliar scanners. When this happens, parts of an UNPWNED scan may be silently blocked, producing an incomplete report and a misleading score. If you own the target site and want repeatable, complete scans, allowlist us.
Our scanner identifies itself by both the User-Agent above and, when configured, a small published set of stable source IP addresses. We also use a polite request cadence on managed-host targets: we automatically detect Cloudflare, Vercel, and Netlify and reduce concurrency to avoid triggering bot protection.
Cloudflare
Use a Cloudflare IP Access Rule with action Allow for each published scanner IP. This is preferred over a User-Agent rule because a source IP cannot be spoofed.
Vercel Firewall
Project → Firewall → Custom rules → Allow when User Agent contains UNPWNED-Scanner.
Netlify Edge
Site settings → Edge functions / Edge Rules → allow requests where the User-Agent header matches UNPWNED-Scanner.
AWS WAF / Other
Add a string-match rule on the User-Agent header containing UNPWNED-Scanner and set it to allow before any rate-limit rules.
Our scanner IP addresses
Allowlisting by IP is the most reliable method, because a source IP cannot be spoofed the way a User-Agent string can. We scan from the following stable source IP addresses, which we own and publish. Add these to your firewall's allowlist:
3.224.164.255
3.219.38.3
For a step-by-step Cloudflare walkthrough, see our Cloudflare scanner guide. These IPs are also published in machine-readable form at /scanning-ips.json so you can automate your allowlist.
What Our Scans Do
A standard UNPWNED scan performs the following non-destructive checks against a domain:
- SSL/TLS certificate and cipher configuration analysis
- Security header inspection (CSP, HSTS, X-Frame-Options, etc.)
- DNS record analysis (SPF, DKIM, DMARC, DNSSEC)
- Checks for publicly exposed sensitive files (e.g. .env, .git/HEAD)
- API endpoint discovery and access control verification
- Cookie security analysis
- CORS policy testing
- JavaScript source analysis for exposed secrets or API keys
- Technology stack and framework detection
- Cloud storage bucket enumeration
- Rate limiting verification
- Privacy and compliance checks
Deep scans (available only for verified domain owners) additionally perform subdomain enumeration, HTTP method testing, cloaking detection, and other active techniques as described in our Terms of Service (Section 4).
A manually initiated Deep Scan may also perform limited SQL injection and reflected XSS detection against public HTTPS GET parameters. This requires a dedicated per-scan consent and a matching server-side policy version. These probes are excluded from public scans, partner scans, cached scans, and scheduled monitoring.
The first scan of a domain is available on the Free plan and shows the severity breakdown and all finding titles. Score and grade are shown only when scan coverage supports a reliable result. Re-scanning a domain that has already been scanned to confirm a fix, together with the before/after comparison between the earlier scan and the re-scan, is a Pro feature and is not available on the Free plan.
What Our Scans Do NOT Do
- We never exploit discovered vulnerabilities
- We never write, modify, or delete data on the target system
- We never attempt to log in or bypass authentication
- We never extract, download, or store private data from the target
- We never perform denial-of-service or stress testing
- We never introduce new vulnerabilities or backdoors
Potential Impact on Your Systems
While our scans are non-destructive, they may have the following effects on the target system:
- Entries in your web server access logs from our User-Agent
- Security alerts from your WAF, IDS, or honeypot systems
- A minor, temporary increase in network bandwidth usage
- Automated blocking by your security infrastructure (which may block our User-Agent or IP)
These effects are comparable to what any search engine crawler or automated security assessment tool would produce when accessing publicly available resources.
User Authorization
Every UNPWNED user is required to confirm, before each scan, that they own the target domain or have explicit written authorization from the domain owner to conduct a security scan. This applies to dashboard scans, verified-domain deep scans, public no-account scans, partner/API scans, and any other scan initiation path. This consent is recorded as a legally binding electronic signature or authorization declaration and retained for legal defense as described in our Terms and Privacy Policy.
UNPWNED reserves the right to request proof of authorization at any time and will suspend or terminate accounts that cannot provide satisfactory evidence.
For full legal details, see our Terms of Service (Section 3).
Opt-Out for Domain Owners
If you are the owner of a domain and want to exclude it from any future UNPWNED scanning, we offer a self-serve opt-out flow that takes about two minutes and verifies ownership via a DNS TXT record:
Self-serve opt-out
DNS-verified, instant, no email back-and-forth.
Prefer email? You can still write to [email protected] with the domain name(s) you want excluded and proof of ownership. We will add the domain to the exclusion list manually after review.
Once verified, every UNPWNED scan path (dashboard, public check, partner API, and recurring monitoring) will refuse to scan your domain or any of its subdomains. Any active monitoring configurations for the domain are deactivated when the opt-out is verified, and the scan worker re-checks the opt-out before executing any queued scan. The requesting user is told the domain owner has opted out.
Abuse reports. If you believe your domain was scanned without proper authorization, please contact us at [email protected]. We take unauthorized scanning seriously and will investigate all reports. Where appropriate, we will provide the relevant consent audit records to the domain owner and may terminate the offending user's account.
Blocking Our Scanner
You can block UNPWNED scans at any time using standard web server or firewall configuration:
# Block by User-Agent (nginx example)
if ($http_user_agent ~* "UNPWNED-Scanner") {
return 403;
}
# Block by User-Agent (Apache .htaccess)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} UNPWNED-Scanner [NC]
RewriteRule .* - [F,L]
When our scanner receives a 403 response, the scan will note the blocked status and the user will be informed that the target domain is blocking security scans.
Contact
For questions about our scanning practices, opt-out requests, or abuse reports:
- Abuse / Opt-out: [email protected]
- General: [email protected]
- Security: [email protected]