Frequently asked questions
Scanning, your report, re-scans, billing, and privacy. Can't find it? Email us.
Scanning and safety
Is the SurfaceCheckr scan safe to run against my site?
Yes. SurfaceCheckr is a passive external tool. It reads only what your site already serves publicly: HTML, response headers, linked JavaScript, the TLS handshake, public DNS records, and a fixed list of well-known sensitive paths. It never authenticates, never sends attack payloads, never POSTs, and never extracts user data. There is more detail on the scanner info page.
Do I need permission, or to install anything, to scan a domain?
No. You enter a domain and we read what it already serves to any visitor, the same way a browser would. There is nothing to install, no agent, and no account. We never publish a grade for a domain whose operator hasn't asked: results are visible only to whoever has the unguessable /r/<id> URL.
How long does a scan take, and how hard does it hit my site?
A scan finishes in under a minute. The crawler caps each scan at 50 pages, 60 seconds, and 2 requests per second per host, and honours robots.txt Disallow paths (we report that they exist, but we don't crawl into them).
Does SurfaceCheckr replace a penetration test?
No. It tells you what an attacker can see from outside, not what they can break. It does not test authenticated routes, business logic, XSS, SQL injection, IDOR, or anything POST-based. Think of it as the first thing an attacker checks, surfaced before they do.
How do I opt out of being scanned, or spot the scanner in my logs?
You have two ways to opt out:
- Email [email protected] from any address at the domain. We honour opt-outs within 24 hours.
- Publish a file at /.well-known/surfacecheckr-optout whose body contains the line surfacecheckr-optout. We respect this immediately.
To recognise our traffic, look for a self-identifying User-Agent containing SurfaceCheckrScanner. Full details are on the scanner info page.
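To make the recognition advice above concrete, here is an added example (not SurfaceCheckr's own code) that parses combined-format access-log lines, picks out requests whose User-Agent contains SurfaceCheckrScanner, and checks the observed traffic against the caps this FAQ advertises (2 requests per second per host, 50 pages, no POSTs). The log lines, client addresses, timestamps and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx combined format);
# addresses, timestamps and paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; SurfaceCheckrScanner/1.0)"
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0 (compatible; SurfaceCheckrScanner/1.0)"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 150 "-" "Mozilla/5.0 (compatible; SurfaceCheckrScanner/1.0)"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.git/config HTTP/1.1" 404 150 "-" "Mozilla/5.0 (compatible; SurfaceCheckrScanner/1.0)"
198.51.100.9 - - [10/May/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_MARK = "SurfaceCheckrScanner"  # self-identifying User-Agent substring from the FAQ
MAX_RPS = 2                            # advertised cap: 2 requests per second per host
MAX_PAGES = 50                         # advertised cap: 50 pages per scan


def scanner_requests(log_text):
    """Return the parsed requests whose User-Agent identifies the scanner."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and SCANNER_MARK in m.group("ua"):
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Summarize scanner traffic and check it against the advertised limits."""
    per_second = defaultdict(int)
    for h in hits:
        per_second[(h["ip"], h["ts"])] += 1  # log timestamps have 1 s resolution
    peak = max(per_second.values(), default=0)
    paths = {h["path"] for h in hits}
    methods = {h["method"] for h in hits}
    return {
        "requests": len(hits),
        "distinct_paths": len(paths),
        "peak_rps": peak,
        "within_rate_cap": peak <= MAX_RPS,
        "within_page_cap": len(paths) <= MAX_PAGES,
        "get_only": methods <= {"GET", "HEAD"},  # the FAQ says the scanner never POSTs
        "paths": sorted(paths),
    }


if __name__ == "__main__":
    print(summarize(scanner_requests(SAMPLE_LOG)))
```

Any hit whose summary shows `get_only` false or a rate above the cap is traffic that merely claims the scanner's User-Agent and is worth a closer look.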
Your report
What do I get for free, and what does paying unlock?
The free report shows your grade, the issue count, and the severity and plain-English impact of each finding (what an attacker could do). It deliberately does not name the finding, because a free report that named the exact open bucket or leaked key would let anyone with the link act on it. Paying unlocks the specifics: every finding's title, the exact path or location, and how to fix it. You can see the difference on the demo report.
How do I unlock the full report?
On any report page, verify an email at the scanned domain (so only someone at the domain can read its findings), then pay. A one-off unlock is $49; a monthly subscription is $9/month and adds monthly re-scans and change alerts. Both unlock the same full report; the subscription keeps it current.
Is the report a shareable link, and is there a PDF?
Yes. Each report lives at its own private URL of the form /r/<id> that you can share with your team or hand to a client. The link is unguessable, so it's only seen by people you send it to. Unlocked reports can be exported to PDF, and an embeddable grade badge is available (the badge shows the scan month so an embedded grade can't read as more current than it is).
Why does my report say it may be out of date?
A one-off report captures your site at one moment. After 90 days we stamp it "may be out of date" with a re-scan prompt, because security posture changes. You never lose access; the findings you paid for stay visible, and the stamp is only a freshness caveat. Monthly subscribers don't see it, because the monthly re-scan keeps their report current.
Re-scans and monitoring
How do I re-test a domain I've subscribed to?
There are two ways, one automatic and one on demand:
- Automatic. The monthly subscription re-scans the domain every 30 days, compares the new findings with the last set, and emails you when something changes (new or resolved issues), with a link to the fresh report.
- On demand. Open your report at /r/<id> and click Re-scan now. It's free while your subscription is active. Each re-scan produces a new report URL; the old link keeps pointing at the old snapshot so shared links don't change underneath people.
How often can I re-scan manually?
Once per 24 hours per report. The limit applies across the whole report lineage, the original report and every re-scan descended from it, regardless of plan. If you've re-scanned in the last day, the button asks you to try again tomorrow.
Can a one-off purchase re-scan too?
Yes, for 30 days from purchase. A one-off unlock includes free re-scans for the first 30 days (the clock runs from the original purchase, so re-scanning doesn't reset it). After that the report stays unlocked, but to see current results you either run a fresh scan of the domain or subscribe at $9/month for ongoing re-scans and change alerts.
What do the change alerts contain?
When a monthly re-scan finds a difference, we email the verified address on the subscription with how many findings are new, how many were resolved, and a link to the fresh report. If nothing changed, we don't email, so an alert always means something actually moved.
Billing and the subscription
What's the difference between the one-off and the monthly?
The one-off ($49) unlocks the full report for the scanned domain once and includes free re-scans for 30 days. The monthly ($9/month) unlocks the same report and then keeps it current: automatic re-scans every 30 days, change alerts when something moves, and free manual re-scans for as long as it's active.
Who actually charges me?
Lemon Squeezy processes the payment as the merchant of record. That means your contract of sale for the transaction is with Lemon Squeezy, and they collect any VAT or sales tax that applies in your country, so the price you see at checkout is the tax-handled price. The charge on your statement references Lemon Squeezy. Full detail is in our terms.
How do I cancel the monthly subscription?
Cancel any time through Lemon Squeezy (the receipt email and your Lemon Squeezy account both link to the management page), or email [email protected] and we'll help. Cancelling stops future re-scans and renewals; it does not retroactively lock a report you've already unlocked. You keep access to the findings you paid for.
Can I get a refund?
Yes. Request a refund within 14 days of purchase by emailing [email protected] or contacting Lemon Squeezy directly. Refunds are processed by Lemon Squeezy back to your original payment method. A refund or chargeback re-locks the report (you're refunded for it, so access is removed), though we keep the findings stored so a re-purchase restores access without a fresh scan. This doesn't affect any statutory cancellation rights. See the refunds section of our terms.
Privacy and email
Why did I get an email, and how do I stop them?
We send transactional email (your verification code and your unlock receipt) and, if you ran a scan but didn't unlock it, a short series of follow-ups about that report. Every follow-up carries a one-click unsubscribe link; clicking it stops the follow-ups immediately, and reports you've already unlocked stay available. Transactional mail (codes and receipts) is always sent, because you asked for it.
What data do you keep about a scan?
We store the report itself (the grade, the findings, and the scanned target) at its unguessable URL, plus the email you verified if you unlocked or subscribed. We never log into your site, never POST, and never read user data; everything in a report is drawn from what your site already serves to the public. Our full privacy policy has the detail.
Can someone else read my report if they find the link?
The report URL is an unguessable UUID, so it isn't discoverable; only someone you send the link to can open it. And the free view never names a finding or a path, so even a shared link reveals only severity and impact, not where the issue is. Unlocking the specifics requires verifying an email at the domain.