Security

How we protect your data and maintain secure operations.

Last updated: April 2026

General (Logia Insights)

These practices apply to all Logia Insights products. Product-specific details for Website Health follow below.

Our Commitment

At Logia Insights, security and privacy are foundational to everything we build. Our products, including Website Health, are designed with data protection in mind from the ground up.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2+. We enforce HTTPS on all connections.

Encryption at Rest

Sensitive data stored in our databases is encrypted at rest using industry-standard encryption algorithms.

Access Controls

We use role-based access controls and the principle of least privilege. Only authorized personnel can access production systems. Product-specific access controls (e.g., workspace roles) are described in the product sections below.

Infrastructure Security

Our infrastructure is hosted on SOC 2 Type II audited cloud providers. We use firewalls, intrusion detection, and regular security updates.

Security Headers

Our applications implement security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security.

Regular Updates

We maintain up-to-date dependencies and apply security patches promptly. Our development practices include security-focused code review.

Infrastructure & Code Security

Code Protection

We implement multiple layers of protection to prevent source code exposure:

  • Source File Protection: Direct access to Python source files (.py), configuration files, database files, and environment files is blocked
  • Debug Mode Protection: Debug mode is automatically disabled in production environments to prevent code exposure in error pages
  • Custom Error Handlers: Custom 404 and 500 error pages prevent stack traces and file paths from being exposed
  • Security Headers: We implement Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security headers
  • Source Map Protection: JavaScript and CSS source maps are blocked from direct access

Infrastructure Hardening

Our production infrastructure includes:

  • Cloud Security: Hosted on SOC 2 Type II audited cloud providers with enterprise-grade security
  • Firewall Protection: Network-level firewalls restrict access to production systems
  • Intrusion Detection: Monitoring systems detect and alert on suspicious activity
  • Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access production systems
  • Secure Cookies: All cookies are marked as Secure and HttpOnly in production
  • CSRF Protection: Cross-Site Request Forgery protection is enabled for all state-changing operations
  • Session Security: Secure session management with automatic expiration and inactivity timeout

General Rate Limits

To prevent abuse, we rate-limit sensitive endpoints: signup (5 attempts per IP per hour), password reset (3 per email and 10 per IP per hour), email verification (3 per hour), and email changes (3 per 30 days). Product-specific rate limits are described in the product sections below.
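The limits above combine two dimensions for password reset (per email and per IP). The following sliding-window limiter is an added illustration, not Logia Insights' code: the numbers are the ones stated on this page, while the in-memory store, the `RateLimiter` API and the scope names are assumptions (a multi-server deployment would keep the counters in a shared store so the limits hold across application servers).

```python
"""Sliding-window rate limiter for the sensitive endpoints listed on the page (added example)."""
import time
from collections import defaultdict, deque

HOUR = 3600
DAY = 24 * HOUR

# (max attempts, window in seconds) per scope; the numbers are the page's stated limits,
# the scope names are an assumption of this example.
LIMITS = {
    "signup:ip": (5, HOUR),
    "password_reset:email": (3, HOUR),
    "password_reset:ip": (10, HOUR),
    "email_verification:email": (3, HOUR),
    "email_change:account": (3, 30 * DAY),
}


class RateLimiter:
    """Sliding-window counter per (scope, key); events older than the window are forgotten."""

    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits = limits
        self.clock = clock                      # injectable so tests can control time
        self._events = defaultdict(deque)       # (scope, key) -> timestamps inside the window

    def _window(self, scope, key):
        max_hits, window = self.limits[scope]
        now = self.clock()
        bucket = self._events[(scope, key)]
        while bucket and bucket[0] <= now - window:   # evict timestamps that left the window
            bucket.popleft()
        return bucket, max_hits, window, now

    def would_allow(self, scope, key):
        """Check the limit without consuming quota."""
        bucket, max_hits, _, _ = self._window(scope, key)
        return len(bucket) < max_hits

    def allow(self, scope, key):
        """Consume one attempt; False means the limit was already reached (nothing is recorded)."""
        bucket, max_hits, _, now = self._window(scope, key)
        if len(bucket) >= max_hits:
            return False
        bucket.append(now)
        return True

    def retry_after(self, scope, key):
        """Seconds until the oldest counted attempt leaves the window (0 if not limited)."""
        bucket, max_hits, window, now = self._window(scope, key)
        if len(bucket) < max_hits:
            return 0
        return int(bucket[0] + window - now)


def password_reset_allowed(limiter, email, ip):
    """Password reset is limited per email AND per IP. Both checks run before
    either counter is incremented, so a rejected request does not burn quota
    on the other dimension."""
    checks = [("password_reset:email", email.lower()), ("password_reset:ip", ip)]
    if not all(limiter.would_allow(scope, key) for scope, key in checks):
        return False
    for scope, key in checks:
        limiter.allow(scope, key)
    return True
```

The `retry_after` value is what a handler would put in a `Retry-After` response header; checking both dimensions before recording either is the detail that keeps a per-IP rejection from also counting against the email's quota.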

Data Handling

User-Generated Content

You may upload profile pictures and other images to your account. You are responsible for ensuring all uploaded content complies with our Terms of Service. We reserve the right to review and remove any content that violates our policies. Because we cannot automatically filter uploaded images for inappropriate material, you should accept workspace invitations only from trusted sources.

Account Security Features

  • Email Verification: New accounts require email verification before accessing certain features. Verification links expire after 72 hours (or as stated in the email we send).
  • Two-Factor Authentication (2FA): Optional email-based 2FA is available for enhanced account security. When enabled, you'll receive a verification code via email during login. If enabled, you are responsible for maintaining access to your email account.
  • Password Security: Passwords are hashed using industry-standard algorithms (Django's PBKDF2 with SHA-256). We never store passwords in plain text.
  • Session Management: We use secure session tokens to manage user authentication. Sessions expire after periods of inactivity and are protected with Secure and HttpOnly flags in production.
  • Password Reset: Secure password reset process with time-limited verification codes sent via email
  • Sign Out All Devices: You can sign out of all sessions at once from your account settings if you suspect unauthorized access
  • Inactivity Timeout: Sessions expire after periods of inactivity to reduce the risk of unauthorized access from unattended devices
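The "Password Security" item above names Django's PBKDF2-SHA256 hasher. The following standard-library reimplementation is an added example, not Logia Insights' or Django's code: it reproduces the stored-hash layout that hasher uses (`algorithm$iterations$salt$base64hash`) so the format is visible, but the iteration count and salt length here are assumed values (Django raises its default iteration count with each release) and the function names are this example's own.

```python
"""Django-style PBKDF2-SHA256 password hashing and constant-time verification (added example)."""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed for this example; use the current Django default in practice


def make_password(password, salt=None, iterations=ITERATIONS):
    """Return the encoded hash; a fresh random salt is generated when none is given."""
    if salt is None:
        salt = secrets.token_urlsafe(16)   # assumed salt length; URL-safe alphabet never contains '$'
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def check_password(password, encoded):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt, _stored = encoded.split("$", 3)
    except ValueError:
        return False                      # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt, int(iterations))
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def needs_rehash(encoded, iterations=ITERATIONS):
    """True when the stored hash uses fewer iterations than the current policy,
    so it can be upgraded transparently on the next successful login."""
    try:
        _algorithm, stored_iterations, _salt, _stored = encoded.split("$", 3)
    except ValueError:
        return True
    return int(stored_iterations) < iterations
```

The salt and iteration count travel with the hash, which is what lets a deployment raise the work factor later and re-hash old records as users log in; `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a wrong guess matched.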

Browser & Transport Security

In production, we enforce additional browser-level security:

  • HSTS (HTTP Strict Transport Security): Browsers are instructed to only connect via HTTPS, preventing downgrade attacks
  • Secure Cookies: Session and CSRF cookies are marked Secure (HTTPS-only) and HttpOnly (not accessible to JavaScript)
  • Content Type Protection: X-Content-Type-Options prevents MIME-sniffing attacks
  • Referrer Policy: Limits referrer information sent to external sites
  • Cross-Origin Protection: The opener policy is set to same-origin, so pages on other origins that open our pages cannot keep a reference to our window, preventing cross-origin attacks

Spam & Bot Protection

Our contact form uses Google reCAPTCHA v3 (invisible) to help prevent spam and automated abuse. reCAPTCHA analyzes user behavior to distinguish humans from bots. We also use additional protections such as form timestamps and rate limiting on sensitive endpoints.

Data Isolation

Workspace data is strictly isolated between customers. Reports, websites, and settings belong to a workspace and are accessible only to members of that workspace with the appropriate role. We use database-level isolation and access controls to ensure users cannot access data from workspaces they do not belong to.

Third-Party & Vendor Security

We work with trusted, audited service providers:

  • Stripe: PCI DSS Level 1 certified payment processor. All payment data is handled by Stripe—we never store or process credit card numbers directly
  • Hosting: Our infrastructure is hosted on SOC 2 Type II audited cloud providers. We rely on their security controls, compliance certifications, and physical security
  • Email: Transactional emails are sent through secure SMTP providers. We do not use your email for third-party marketing

We evaluate service providers for security and compliance before onboarding. We use contractual agreements to ensure data is handled appropriately.

Data Breach Response

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law. See our Privacy Policy for details on our data practices and breach notification.

Payment Processing

All payment processing is handled securely through Stripe, a PCI DSS Level 1 certified payment processor. We do not store or process credit card numbers directly on our servers. Stripe handles all payment data encryption and compliance requirements. Payment information is transmitted over encrypted connections and stored only by Stripe in their secure, PCI-compliant infrastructure.

What We Don't Do

  • We don't sell your data to third parties
  • We don't use your website content to train AI models without consent
  • We don't share your reports with other users (unless you explicitly make them public)
  • We don't access password-protected areas of your website
  • We don't store full credit card numbers or payment details
  • We don't use third-party advertising cookies or track you across other websites
  • We don't automatically block private or shared IP addresses (safety measure to prevent false positives)

What You Can Do

You play an important role in keeping your account secure:

  • Use a strong password: At least 8 characters with uppercase, lowercase, numbers, and special characters
  • Enable 2FA: Two-factor authentication adds an extra layer of protection—enable it in your account settings
  • Keep your email secure: Your email is your login identifier; protect it and use it only for accounts you control
  • Sign out on shared devices: Use "Sign Out All Devices" if you've logged in from a public or shared computer
  • Only accept trusted invitations: Workspace invitations can come from anyone—only accept from people you know and trust
  • Report suspicious activity: If you notice anything unusual, contact us immediately

Responsible Disclosure

If you discover a security vulnerability in our systems, we ask that you report it responsibly.

How to Report

Please report security concerns through our contact form with the subject line "Security Report," or email team@logiainsights.com.

We also publish a machine-readable disclosure file at /.well-known/security.txt for security contact and policy details.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (optional)

We will acknowledge receipt within 48 hours and work to address valid reports promptly. We appreciate your help in keeping our users safe.

Please do not:

  • Access or modify data that does not belong to you
  • Perform any actions that could harm our service or other users
  • Disclose the vulnerability publicly before we have addressed it
  • Use automated scanning tools that could impact service availability

Website Health

The following security details apply specifically to the Website Health product.

What We Scan

When you submit a URL for analysis, we access only publicly available content on that page—the same content any visitor would see. We do not access private areas, admin panels, or authenticated sections of your website. Our SSRF protection layer validates all URLs before scanning to ensure we only access publicly accessible resources.

Server-Side Request Forgery (SSRF) Protection

We implement comprehensive SSRF protection to prevent attacks through URL scanning:

  • URL Scheme Validation: Only HTTP and HTTPS schemes are allowed
  • Port Restrictions: Only standard ports (80 for HTTP, 443 for HTTPS) are permitted
  • Private IP Blocking: All private IP ranges (RFC 1918, loopback, link-local, reserved) are blocked
  • DNS Resolution: All hostnames are resolved and validated before connection
  • Redirect Validation: Each redirect destination is re-validated to prevent SSRF through redirect chains (maximum 5 redirects allowed)
  • HTTPS Downgrade Prevention: Redirects from HTTPS to HTTP are blocked
  • Timeout Controls: Strict connection (10s), read (15s), and total (30s) timeouts prevent resource exhaustion

These protections ensure that our scanning service cannot be used to access internal network resources or perform unauthorized requests.
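The rules listed above map directly onto a validation routine. The code below is an added example and not Logia Insights' implementation: the function names, the injectable `resolve` callback (so the checks run offline in tests; the default uses `socket.getaddrinfo`) and the hop lists are assumptions. It applies the page's scheme, port, private-range, DNS, redirect-count and downgrade rules and returns the resolved addresses so the caller can connect to exactly what was checked.

```python
"""SSRF-safe URL validation for a scanner, following the rules on the page (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {"http": 80, "https": 443}   # only the standard port for each scheme
MAX_REDIRECTS = 5
CONNECT_TIMEOUT, READ_TIMEOUT, TOTAL_TIMEOUT = 10, 15, 30   # seconds, as stated on the page


def default_resolve(hostname):
    """Resolve a hostname to the set of IP address strings it maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_public_address(ip_text):
    """False for loopback, RFC 1918, link-local, CGNAT, multicast, reserved and other non-global ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.split("%")[0])   # drop an IPv6 zone id if present
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def validate_scan_url(url, resolve=default_resolve):
    """Return (ok, reason, addresses); addresses are the validated targets to connect to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_PORTS:
        return False, f"scheme not allowed: {parts.scheme!r}", set()
    host = parts.hostname
    if not host:
        return False, "missing hostname", set()
    try:
        port = parts.port   # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False, "invalid port", set()
    if port is not None and port != ALLOWED_PORTS[scheme]:
        return False, f"port {port} not allowed for {scheme}", set()
    # A literal IP is checked directly; a hostname is resolved first so that a
    # DNS name pointing at an internal address is caught before any connection.
    try:
        ipaddress.ip_address(host)
        addresses = {host}
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, "DNS resolution failed", set()
    if not addresses:
        return False, "hostname resolved to no addresses", set()
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}", set()
    return True, "ok", addresses


def validate_redirect_chain(hops, resolve=default_resolve):
    """Re-validate every hop of a redirect chain (hops[0] is the original URL);
    block chains longer than MAX_REDIRECTS and any HTTPS-to-HTTP downgrade."""
    if len(hops) - 1 > MAX_REDIRECTS:
        return False, f"more than {MAX_REDIRECTS} redirects"
    for i, hop in enumerate(hops):
        ok, reason, _ = validate_scan_url(hop, resolve)
        if not ok:
            return False, f"hop {i}: {reason}"
        if i > 0 and urlsplit(hops[i - 1]).scheme.lower() == "https" and urlsplit(hop).scheme.lower() == "http":
            return False, f"hop {i}: HTTPS to HTTP downgrade"
    return True, "ok"
```

Two points matter in practice. First, the HTTP client must connect to an address returned by `validate_scan_url` rather than resolving the name again, otherwise a DNS answer that changes between check and use (rebinding) bypasses the check. Second, redirects must be followed manually, one hop at a time, so that each `Location` passes through `validate_redirect_chain` before it is fetched; a client that follows redirects automatically never gives the validator a chance.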

What We Store

We store the following information:

  • Account Information: Name, email address, phone number, company name, job title, location, and profile pictures you upload
  • Website URLs: The URLs you submit for analysis, including competitor URLs you add for comparison
  • Monthly Report Configuration: Sitemap URLs, crawl settings, and configuration for monthly automated reports
  • Report Data: Analysis results, scores, error reports, recommendations, and security analysis data (for Enterprise plans)
  • Workspace Information: Organization details, team member relationships, workspace settings, and role assignments
  • Payment Information: Processed securely through Stripe—we do not store full credit card numbers on our servers
  • Subscription History: Subscription changes and behavior logs for abuse detection and support purposes

We do not store copies of your website content beyond what's needed for analysis. On-demand and single-URL reports are stored online for 90 days from the date of creation. Monthly automated reports (paid plans) are stored for a longer period or indefinitely while your subscription is active. You can download and save the PDF or CSV version of any report to keep a permanent copy.

Archived Data: When your plan's website limit decreases (for example, when downgrading to Free), you choose which websites to archive. On the Free plan, all websites are archived. Archived websites and their monthly report data remain viewable until you delete or restore them. We retain archived data in accordance with our retention practices; you may restore (unarchive) a website when you have an available slot (e.g. after resubscribing).

Report Privacy and Access Control

Reports can be set to either "Public" or "Private" by workspace administrators:

  • Public Reports: Anyone with the report URL can access the report. URLs are unique and randomly generated but not password-protected.
  • Private Reports: Only members of the workspace that created the report can access it. Private reports cannot be accessed by anonymous users or users outside the workspace, even with the URL.

Guest / not-signed-in reports: If someone runs a Website Health check without logging in, the product delivers a public link to view the report. The URL uses a long, random identifier so it is not practical to guess; we do not publish a directory of all guest report links. Access is still "anyone with the full URL" while the report is online; there is no separate password on that link by default. From a security standpoint, the URL functions like an unlisted sharing link: it should be treated as sensitive and shared only with trusted parties. Users who need private, workspace-controlled access should sign in and use Private reports. See our Privacy Policy (Guest Reports and Public Links) and Terms of Service (Section 16) for details.

Workspace administrators can toggle report privacy settings at any time. Reports created without an account are always set to "Public" until associated with a workspace. Workspace data is protected by role-based permissions: Super Admin, Admin, Editor, and Viewer roles control who can manage billing, settings, members, reports, and websites.

Security Monitoring & Abuse Prevention

We actively monitor for and prevent abuse:

  • Subscription Abuse Detection: Automated systems detect suspicious subscription behavior patterns (rapid plan changes, gaming attempts)
  • Workspace Abuse Prevention: Systems track and flag suspicious workspace creation patterns designed to circumvent subscription limits
  • Rate Limiting: Daily report generation limits prevent system abuse (3 reports/day for free tier, 100/day for paid plans)
  • Scan Concurrency Limits: We limit concurrent scanning and analysis workloads (including browser-based checks) to protect service availability and prevent resource exhaustion
  • IP Tracking: Subscription changes and suspicious behavior are tracked by IP address for security analysis
  • Manual Review Process: All flagged suspicious behavior undergoes manual review before any enforcement action
  • Additional Rate Limits: Workspace invitations (20 per day) to prevent abuse

IP Blocking: We never automatically block private or shared IP addresses, as these could be legitimate corporate or shared networks. In cases of confirmed subscription or workspace abuse, we may block specific IP addresses after manual administrator review. Blocked users see a clear message and can contact support for assistance. See our Terms of Service for full details.

Security Suite Analysis

Enterprise plan subscribers receive comprehensive security analysis as part of their website health reports.

SSL/TLS Certificate Analysis

Our security suite performs comprehensive SSL/TLS analysis:

  • Certificate Validity: Verifies certificate chain trust, expiration status, and days remaining
  • Hostname Matching: Validates that certificate hostnames (CN/SAN) match the website domain
  • Key Strength: Analyzes RSA key sizes (flags weak keys <2048 bits) and ECDSA curve types
  • Protocol Support: Tests for TLS 1.3, 1.2, 1.1, and 1.0 support (flags insecure versions)
  • Cipher Hygiene: Detects weak ciphers (RC4, 3DES, NULL, EXPORT) and verifies forward secrecy
  • Trust Validation: Verifies certificate chain against system trust store

Security Headers Analysis

We analyze critical security headers that protect websites from common attacks:

  • Strict-Transport-Security (HSTS): Ensures browsers only connect via HTTPS, preventing downgrade attacks
  • Content-Security-Policy (CSP): Prevents XSS attacks by controlling resource loading (flags unsafe-inline, unsafe-eval)
  • X-Content-Type-Options: Prevents MIME-sniffing attacks
  • X-Frame-Options / frame-ancestors: Protects against clickjacking attacks
  • Referrer-Policy: Controls referrer information leakage
  • Permissions-Policy: Controls browser feature access (camera, geolocation, etc.)

Each header is evaluated for presence, correct configuration, and security best practices. Our reports provide specific recommendations for fixing any issues found.

Security Scoring

We provide a comprehensive security score (0-100%) based on weighted analysis of:

  • Transport security (TLS/SSL) - 50% of score
  • Security headers - 50% of score

The scoring system uses dynamic weight renormalization to ensure accurate scores even when certain checks cannot be performed. Sites without HTTPS automatically receive a score of 0%, as transport security is fundamental to web security.
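The header checks in the previous section and the weighted score described here can be shown together. The code below is an added example, not Logia Insights' scoring engine: the pass criteria for each header follow the bullets on this page (presence, `nosniff`, `unsafe-inline` and `unsafe-eval` flagged, a CSP `frame-ancestors` directive accepted in place of `X-Frame-Options`), while the exact thresholds, the `transport` input (a 0.0 to 1.0 fraction assumed to come from the TLS checks) and the rounding are assumptions. The sample header sets are constructed.

```python
"""Security-header evaluation and the 50/50 weighted score with renormalization (added example)."""
import re

WEIGHTS = {"transport": 0.5, "headers": 0.5}   # the split stated on the page

# Constructed sample responses for illustration.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}
SAMPLE_WEAK = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "x-frame-options": "SAMEORIGIN",
    "strict-transport-security": "max-age=0",
}


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _present(headers, name):
    value = _get(headers, name)
    return (value is not None, "ok" if value is not None else "missing")


def _hsts(headers):
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return False, "missing"
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if match is None or int(match.group(1)) == 0:
        return False, "max-age missing or zero"   # max-age=0 disables HSTS
    return True, "ok"


def _csp(headers):
    value = _get(headers, "Content-Security-Policy")
    if value is None:
        return False, "missing"
    unsafe = [tok for tok in ("'unsafe-inline'", "'unsafe-eval'") if tok in value.lower()]
    return (not unsafe, "allows " + ", ".join(unsafe) if unsafe else "ok")


def _nosniff(headers):
    value = _get(headers, "X-Content-Type-Options")
    if value is not None and value.strip().lower() == "nosniff":
        return True, "ok"
    return False, "missing or not 'nosniff'"


def _framing(headers):
    """Either X-Frame-Options or a CSP frame-ancestors directive counts as clickjacking protection."""
    csp = _get(headers, "Content-Security-Policy") or ""
    if "frame-ancestors" in csp.lower():
        return True, "ok (frame-ancestors)"
    xfo = _get(headers, "X-Frame-Options")
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return True, "ok (X-Frame-Options)"
    return False, "no X-Frame-Options or frame-ancestors"


CHECKS = {
    "Strict-Transport-Security": _hsts,
    "Content-Security-Policy": _csp,
    "X-Content-Type-Options": _nosniff,
    "Clickjacking protection": _framing,
    "Referrer-Policy": lambda h: _present(h, "Referrer-Policy"),
    "Permissions-Policy": lambda h: _present(h, "Permissions-Policy"),
}


def evaluate_headers(headers):
    """Map each check name to (passed, note) for one response's headers."""
    return {name: check(headers) for name, check in CHECKS.items()}


def headers_fraction(results):
    """Share of header checks passed, 0.0 to 1.0."""
    return sum(1 for passed, _ in results.values() if passed) / len(results)


def security_score(https, transport=None, headers=None):
    """0-100 score. A component that could not be measured is passed as None and
    dropped, and the remaining weights are renormalized to sum to 1; no HTTPS is 0."""
    if not https:
        return 0
    measured = {k: v for k, v in {"transport": transport, "headers": headers}.items() if v is not None}
    if not measured:
        return None   # nothing could be measured at all
    total_weight = sum(WEIGHTS[k] for k in measured)
    weighted = sum(WEIGHTS[k] * v for k, v in measured.items())
    return round(100 * weighted / total_weight)
```

The renormalization is what keeps a site from being penalized for a check that simply could not run: with the transport component unavailable, the header fraction alone carries the full weight instead of silently counting as zero.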

Actionable Recommendations

For each security issue found, we provide:

  • What: Clear description of the issue
  • Why: Explanation of why it matters and the security risk
  • How to Fix: Specific steps and examples for resolving the issue
  • Severity: Classification as critical, high, medium, or low

This helps you prioritize security improvements and understand the impact of each issue.

Questions?

If you have questions about our security practices, please contact us or review our published security reporting details.
