About Our Scanning Methods

User-Agent: ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)

All our scanning requests use this identifiable user-agent. If you see it in your logs, it means someone who holds domain verification for your site scanned it through ShipCheck.

What We Scan For

🔒 Security Issues

  • Exposed API keys in client-side code
  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • Insecure cookie configurations
  • Open redirect vulnerabilities
  • IDOR (Insecure Direct Object Reference) issues
  • Cross-site scripting (XSS) vulnerabilities via OWASP ZAP
  • SQL injection vulnerabilities via OWASP ZAP

💳 Payment Security

  • Stripe test keys in production bundles
  • Webhook signature verification
  • Missing pricing pages
  • Broken payment flows

🔐 Authentication

  • Rate limiting on login endpoints
  • Protected route validation
  • Session cookie security
  • OAuth configuration issues

Scanning Process

STARTER Scans (Free)

Passive analysis only. We inspect HTTP headers, analyze page content, and check for exposed files. No active probing or payload injection. Typically completes in 10-15 seconds.

DEEP Scans (Paid)

Includes everything in STARTER plus active security testing: rate limit probes, authentication tests, IDOR checks, and OWASP ZAP injection testing. May take 60-120 seconds.

Rate Limits & Safety

  • Default 2 requests/second to any domain during scanning
  • Burst to 10 req/s only during rate-limit tests (limited to ~30 requests total)
  • Maximum 1 scan per domain per hour regardless of plan
  • Hard timeouts: 30s (Free), 120s (Builder), 300s (Pro)
  • Auto-backoff on 429/503 responses or slow response times
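To recognise the scanner's user-agent in your own access logs and compare the observed request rate with the limits published above, here is an added example (not ShipCheck's code); it assumes Nginx/Apache "combined" log format and runs over constructed sample lines.

```python
import re
from collections import Counter
from datetime import datetime

SCANNER_UA_PREFIX = "ShipCheck-Scanner/"  # identifier given on this page
DEFAULT_RPS = 2                           # published default during scanning
BURST_RPS = 10                            # published ceiling during rate-limit tests
# Constructed sample lines in Nginx/Apache "combined" log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)"
203.0.113.10 - - [12/Mar/2025:10:00:00 +0000] "GET /.env HTTP/1.1" 404 0 "-" "ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)"
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 2048 "-" "ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)"
198.51.100.7 - - [12/Mar/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "POST /login HTTP/1.1" 429 0 "-" "ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)"
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET /api/users/1 HTTP/1.1" 200 300 "-" "ShipCheck-Scanner/1.0 (+https://shipcheckhq.com/about-scanning; security@shipcheckhq.com)"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def scanner_requests(lines):
    """Keep only requests whose User-Agent identifies the ShipCheck scanner."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["ua"].startswith(SCANNER_UA_PREFIX)]

def summarize(log_text):
    """Summarize scanner activity and compare its peak per-second rate with the limits."""
    reqs = scanner_requests(log_text.splitlines())
    per_second = Counter(r["ts"] for r in reqs)  # log timestamps have 1 s resolution
    peak = max(per_second.values(), default=0)
    return {
        "requests": len(reqs),
        "source_ips": sorted({r["ip"] for r in reqs}),
        "paths": sorted({r["path"] for r in reqs}),
        "rate_limited_responses": sum(1 for r in reqs if r["status"] in (429, 503)),
        "peak_rps": peak,
        "above_default": peak > DEFAULT_RPS,  # expected only during rate-limit tests
        "above_burst": peak > BURST_RPS,      # never expected under the published limits
    }
```

On the sample data the peak is 3 requests in one second: above the 2 req/s default, which is only expected during a rate-limit test, and well under the 10 req/s burst ceiling.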

Privacy & Data Handling

We do NOT store:

  • Full response bodies from your application
  • Complete API keys or secrets
  • Session tokens or user data
  • Stack traces or error details

We DO store:

  • Redacted evidence snippets (e.g., "sk_live_...R8F9")
  • SHA-256 hashes of responses for reproducibility
  • Request metadata (URL, status code, timing)
  • Scan consent records with timestamp and IP

Questions or Concerns?

If you have questions about our scanning methods or believe your domain was scanned without authorization, contact us immediately: