The breach403 scanner
How our scanner works, and how to recognize and reach us.
1. What breach403 is
breach403 is an automated external security scanner. A person asks it to check a website they operate, proves they control that domain, and receives a plain-language report of the exposures it found — leaked configuration files, missing security headers, outdated software, weak TLS or DNS settings, and similar misconfigurations. It exists so that non-experts can find these problems on their own sites before an attacker does.
2. Every scan is authorized by the site owner
We never scan a domain on a whim. Before any scan runs, the requester must prove they control the target domain by placing a unique token we issue as a DNS record, an HTML meta tag, or a file at a well-known path. We re-check that proof immediately before every scan, not just when the domain is first submitted. No proof, no scan. The requester also affirms, on the record, that they are authorized to have the domain security-tested.
Every check is passive and non-destructive (§3). If you are seeing our scanner on a domain you operate, it is because someone who proved control of it asked for the scan. If that is not you, and you believe the request was not authorized, see §5.
3. Every scan is non-destructive
The scanner only makes read-only or idempotent requests. It does not, and will not, attempt to cause a denial of service or slow your site down, modify or delete any data, exfiltrate data, exploit any weakness it detects (as opposed to safely detecting it), or submit credentials to any login form. Requests are rate-limited and time-bounded, and the scanner refuses to touch private or internal network addresses. This floor is absolute and is never relaxed.
4. How to recognize our scanner
Our requests are deliberately identifiable. In your logs you will see:
- User-Agent:
breach403-scanner/1.0 (+https://breach403.vercel.app/scanner) - Origin: requests come from short-lived, isolated cloud sandboxes (currently hosted in the United States) that we spin up for a single scan and tear down afterward. Because that address pool is shared and rotates, we identify our traffic by the User-Agent above rather than a fixed IP.
- Scope: only the verified domain and its subdomains. We never probe a parent domain, a sibling, or third-party infrastructure outside the boundary the requester proved they control.
5. If you believe a scan was not authorized
If you operate a domain and believe it was scanned without your authorization, or you want your domain added to a permanent block so it can never be scanned through this service, email us at legetdev@gmail.com with the domain and, if you can, the timestamp from your logs. We investigate every report and will block the domain on request. See also our Terms of Service and Privacy Policy.