Scanner Information
Transparency page for how DomainOptic scans domains for security issues.
Passive Scanning (All Users)
Our core tools perform passive analysis: we fetch publicly accessible content the same way a browser or search engine crawler does.
- SSL/TLS: certificate validity and expiration
- DNS: SPF, DKIM, DMARC, DNSSEC, and other records
- Headers: HSTS, CSP, and other security headers
- Reputation: blacklist checks across multiple services
- Secrets: pattern matching on publicly served JavaScript files
We do not bypass authentication, submit forms, inject payloads, or modify target systems.
This is informational scanning only. A clean result does not guarantee security, and a finding is not proof of an exploitable vulnerability. Always verify findings independently and follow your organization's policies and applicable law.
Active Scanning (Pro Only: Ghost API Hunter)
Ghost API Hunter performs active probing for a small set of high-risk paths (e.g. /.env, /.git/config, /actuator/env, /swagger) to detect accidental exposure.
Active scanning requires verified domain ownership via DNS TXT record.
If your organization needs stricter boundaries, treat active scanning like any other authorized security testing: run it only against assets you own or have explicit written permission to assess, and coordinate scans during approved windows.
Rate limiting
- 3 concurrent requests per batch
- 800-1200 ms delay between batches
- Adaptive backoff on 429/503 responses
- Hard cap of 55 total requests per scan
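The four limits above describe a small scheduling policy. The following is an added illustration, not DomainOptic's own scanner code: it shows one way such a policy can be implemented so the caps are enforced structurally rather than by convention. The `send` callable, the `MAX_BACKOFF_LEVEL` ceiling, the exponential backoff factor and the decay of the backoff level after a clean batch are assumptions of this example; the page only states that backoff is adaptive. Responses are simulated, so nothing is sent over the network.

```python
import random
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional

# Limits stated on the transparency page.
BATCH_SIZE = 3                 # concurrent requests per batch
DELAY_RANGE_MS = (800, 1200)   # pause between batches
MAX_REQUESTS = 55              # hard cap per scan, whatever the outcome
BACKOFF_STATUSES = {429, 503}  # responses that trigger adaptive backoff
MAX_BACKOFF_LEVEL = 5          # assumption: ceiling on the exponential backoff


class PoliteScanner:
    """Issues requests in small concurrent batches while honouring the caps above.

    `send` is any callable taking a path and returning an HTTP status code; the
    real HTTP client is out of scope. `sleep` and `seed` are injectable so the
    schedule can be inspected without actually waiting.
    """

    def __init__(self, send: Callable[[str], int],
                 sleep: Callable[[float], None] = time.sleep,
                 seed: Optional[int] = None) -> None:
        self.send = send
        self.sleep = sleep
        self.rng = random.Random(seed)
        self.backoff_level = 0
        self.sent = 0
        self.results: Dict[str, int] = {}
        self.delays: List[float] = []  # seconds paused between batches

    def _pause(self) -> None:
        # Jittered base delay, doubled for each backoff level currently in force.
        base = self.rng.uniform(*DELAY_RANGE_MS) / 1000.0
        delay = base * (2 ** self.backoff_level)
        self.delays.append(delay)
        self.sleep(delay)

    def run(self, paths: Iterable[str]) -> Dict[str, int]:
        queue = list(paths)
        while queue and self.sent < MAX_REQUESTS:
            # Never let a batch push the total past the hard cap.
            take = min(BATCH_SIZE, MAX_REQUESTS - self.sent)
            batch, queue = queue[:take], queue[take:]
            with ThreadPoolExecutor(max_workers=BATCH_SIZE) as pool:
                statuses = list(pool.map(self.send, batch))
            self.sent += len(batch)
            self.results.update(zip(batch, statuses))
            # Adaptive backoff: raise the level on 429/503, relax it otherwise.
            if any(s in BACKOFF_STATUSES for s in statuses):
                self.backoff_level = min(self.backoff_level + 1, MAX_BACKOFF_LEVEL)
            else:
                self.backoff_level = max(self.backoff_level - 1, 0)
            if queue and self.sent < MAX_REQUESTS:
                self._pause()
        return self.results


if __name__ == "__main__":
    def simulated_server(path: str) -> int:
        # Constructed responses: one path answers 503 to exercise the backoff.
        return 503 if path == "/p4" else 404

    scanner = PoliteScanner(simulated_server, sleep=lambda _s: None, seed=0)
    scanner.run(f"/p{i}" for i in range(60))
    print(f"sent={scanner.sent} pauses={len(scanner.delays)} "
          f"longest_pause={max(scanner.delays):.2f}s")
```

Feeding 60 candidate paths stops at 55 requests with 18 pauses between the 19 batches, and the pause that follows the batch containing the 503 is twice the normal 0.8-1.2 s range.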
Identification
We identify scans using a clear User-Agent string that links back to this page.
DomainOptic Security Scanner/2.0 (https://domainoptic.com/scanner-info/; authorized-scan)
If you run a server and see this User-Agent, it indicates a scan initiated by a DomainOptic user. Active scans require domain ownership verification in the product.
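For operators who want to find these scans in their own access logs, the following is an added example (not DomainOptic code) that parses combined-format log lines, keeps the requests carrying the User-Agent above, and separates ordinary requests from hits on the probe paths the active scanner is documented to check. The log lines are constructed for the example, with documentation-range IP addresses, and the output structure is this example's own design.

```python
import re
from typing import Dict, List, Set, Tuple

SCANNER_UA_PREFIX = "DomainOptic Security Scanner/"
# Paths the page lists as Ghost API Hunter's active-probe targets.
PROBE_PATHS = {"/.env", "/.git/config", "/actuator/env", "/swagger"}

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three scanner requests and one unrelated browser request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /.env HTTP/1.1" 404 196 "-" "DomainOptic Security Scanner/2.0 (https://domainoptic.com/scanner-info/; authorized-scan)"
203.0.113.10 - - [10/Oct/2024:13:55:37 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "DomainOptic Security Scanner/2.0 (https://domainoptic.com/scanner-info/; authorized-scan)"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:41 +0000] "GET /actuator/env HTTP/1.1" 200 512 "-" "DomainOptic Security Scanner/2.0 (https://domainoptic.com/scanner-info/; authorized-scan)"
"""


def summarize_scanner_activity(log_text: str) -> dict:
    """Return counts, source IPs and probe-path outcomes for scanner-tagged requests."""
    requests = 0
    sources: Set[str] = set()
    probes: List[Tuple[str, int]] = []   # (path, status) for every probe-path hit
    served_probes: List[str] = []        # probe paths that answered 2xx: review these
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["ua"].startswith(SCANNER_UA_PREFIX):
            continue
        requests += 1
        sources.add(m["ip"])
        path = m["path"].split("?", 1)[0]   # ignore any query string
        status = int(m["status"])
        if path in PROBE_PATHS:
            probes.append((path, status))
            if 200 <= status < 300:
                served_probes.append(path)
    return {
        "requests": requests,
        "sources": sources,
        "probes": probes,
        "served_probes": served_probes,
    }


if __name__ == "__main__":
    summary = summarize_scanner_activity(SAMPLE_LOG)
    print(f"{summary['requests']} scanner requests from {sorted(summary['sources'])}")
    for path, status in summary["probes"]:
        print(f"  {path}: {status}")
    if summary["served_probes"]:
        print("probe paths served with 2xx, review exposure:", summary["served_probes"])
```

A 2xx on a path such as /actuator/env means the server handed content back on a path the scanner treats as an accidental-exposure indicator, which is exactly the case the page says active scanning is meant to surface. Because the User-Agent header is supplied by the client, a match identifies a request that claims to be a DomainOptic scan; corroborate it with the source address and, for active scans, with the ownership verification the page describes before treating it as authorized.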
Opt-Out
Domain owners who wish to be excluded from scans can contact brenbuilds@protonmail.com.
When requesting opt-out, include the root domain and any relevant notes (e.g., preferred contact, specific paths you want avoided). We maintain an exclusion list and apply it to passive scanning targets.