How the public scanner works

The free GRC Oversight scanner performs only passive, browser-equivalent checks. This page is the policy URL our scanner's User-Agent advertises — here's exactly what it does and doesn't do.

Run a scan Our security posture

What it does

Passive, browser-equivalent checks only

A scan loads your site one time, the way a normal browser does on a first visit, plus a few public-record lookups. It does not crawl, brute-force, fuzz, or attempt to authenticate.

Checks we perform

TLS / certificate inspection — a direct TLS connection to your host to read the certificate and negotiated protocol (graded against public references like SSL Labs).
HTTP security headers — analysis of the response headers from the single page load (HSTS, CSP, X-Content-Type-Options, etc.), scored with a Mozilla Observatory-style model.
DNS hygiene — public DNS record lookups (SPF, DMARC, DKIM hint, CAA, DNSSEC). These query public DNS, not your site.
Cookies & consent — inspection of cookies set during the single page load and detection of a consent banner.
Exposure checks — a single GET to a few well-known sensitive paths (/.git/config, /.git/HEAD, /.env) and a check for /.well-known/security.txt. Confirmed by content sniffing, not just a 200.
Accessibility — axe-core runs against the already-loaded page DOM and sends no additional network traffic.

What it never does

No crawling, spidering, or directory/path brute-forcing.
No port scanning, vulnerability exploitation, fuzzing, or injection attempts.
No login attempts and no submitting of forms.
No traffic to internal, private, or loopback hosts — targets that resolve to private addresses are refused (SSRF guard).
No load beyond what a normal browser generates visiting a single page, plus a handful of bounded single-GET requests.

Identifying us

Published User-Agent

Every request the scanner makes carries an identifiable User-Agent that links back to this policy page:

GRCOversightScanner/1.0 (+https://grcoversight.com/scanner-policy; passive browser-equivalent checks only)

The single-GET exposure checks also send this User-Agent and honor your server's responses (a redirect to a login or home page is treated as not-exposed).

Volume

Rate limits

The scanner is rate-limited to keep load minimal and prevent abuse. Limits are enforced per source IP and per target host.

Per source IP

Up to 5 scans per minute from a single client IP. Requests over the limit are rejected with a retry-after.

Per target host

At most 2 scans per minute against the same host, so no single domain is hammered.

Opting out

Request exclusion

If you do not want your site scanned, contact us and we will exclude it. Because the scanner only runs on demand and stays within browser-equivalent traffic, it should never impact a healthy site — but we will honor exclusion requests.

Email us at

security@grcoversight.com

See what the scanner finds

Get a guided demo, or start by scanning any domain for free.

Get a demo Run a free scan