Acceptable Use Policy
Last updated: February 19, 2026
Security Checker is a passive security analysis tool. This policy defines what you may and may not do with the Service. Violations result in immediate account termination.
You May Only Scan
- Web applications that you own
- Web applications for which you have explicit written permission from the owner to perform security testing
You May NOT
- Scan applications without authorisation. Unauthorised scanning may violate the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, or equivalent laws in your jurisdiction.
- Use the Service to conduct actual attacks. Security Checker performs passive analysis only. Do not use scan results as a starting point for active exploitation of applications you do not own.
- Use scan results to exploit vulnerabilities. If you discover a vulnerability in an application you do not own, report it to the application owner through responsible disclosure.
- Scan government, military, or critical infrastructure systems unless you are an authorised employee or contractor performing sanctioned security testing.
- Resell or redistribute scan access without an Agency subscription.
- Use automated scripts to bulk-scan URLs without an Agency subscription and written approval from Security Checker.
- Attempt to circumvent rate limits or abuse the free tier through multiple accounts, IP rotation, or other means.
- Reverse engineer, decompile, or extract the scanner's detection logic or methodology.
What Our Scanner Does
For transparency, here is exactly what our scanner does when you submit a URL:
- Loads the page in a headless browser (Chromium) and records network requests
- Downloads publicly accessible JavaScript bundles
- Searches JavaScript content for patterns matching known API key formats
- If a Supabase project is detected, tests whether tables are accessible with the public anon key
- Checks HTTP response headers for security-relevant headers
- Sends OPTIONS requests to test CORS configuration
- Tests discovered API endpoints with unauthenticated GET requests
- Checks SSL/TLS certificate validity and configuration
All requests are made with a clearly identified user agent: SecurityChecker/1.0. We do not attempt SQL injection, XSS, authentication bypass, or any form of active exploitation.
Reporting Violations
If you believe someone is using Security Checker to scan your application without authorisation, contact us at abuse@securitychecker.dev with:
- The URL being scanned
- Evidence that you are the owner or administrator
- Any relevant access logs showing the scan
We will investigate and take appropriate action, including terminating the offending user's account.
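As an added example (not part of Security Checker's policy or tooling), the following Python pulls requests carrying the SecurityChecker/1.0 user agent out of a site's access log and summarises them per source IP, which is the kind of evidence the report above asks for. The log lines are constructed, and the combined (Apache/Nginx) log format and chronological ordering are assumptions.

```python
import re

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [19/Feb/2026:10:05:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "SecurityChecker/1.0"
198.51.100.7 - - [19/Feb/2026:10:05:45 +0000] "GET /static/app.js HTTP/1.1" 200 88120 "-" "SecurityChecker/1.0"
198.51.100.7 - - [19/Feb/2026:10:05:46 +0000] "OPTIONS /api/users HTTP/1.1" 204 0 "-" "SecurityChecker/1.0"
198.51.100.7 - - [19/Feb/2026:10:05:47 +0000] "GET /api/users HTTP/1.1" 401 32 "-" "SecurityChecker/1.0"
203.0.113.10 - - [19/Feb/2026:10:06:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_scanner_requests(log_text, ua_prefix="SecurityChecker/1.0"):
    """Return the parsed requests whose User-Agent starts with the scanner's identifier."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ua").startswith(ua_prefix):
            hits.append(m.groupdict())
    return hits


def summarise_scan(hits):
    """Group scanner requests by source IP: first/last timestamp, methods used, paths requested.

    Assumes the log lines are in chronological order, as a typical access log is.
    """
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["ip"], {"first": h["ts"], "last": h["ts"], "methods": set(), "paths": []}
        )
        s["last"] = h["ts"]
        s["methods"].add(h["method"])
        s["paths"].append(h["path"])
    return summary


if __name__ == "__main__":
    for ip, s in summarise_scan(find_scanner_requests(SAMPLE_LOG)).items():
        print(ip, s["first"], "->", s["last"], sorted(s["methods"]), s["paths"])
```

The per-IP summary (source address, time window, methods and paths) covers the "URL being scanned" and "access logs showing the scan" items in the report checklist.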
Liability
Security Checker is not liable for any unauthorised scanning performed by users of the Service. Users are solely responsible for ensuring they have proper authorisation before initiating any scan.
Contact
Questions about this policy? Email us at support@securitychecker.dev.