Scanning Policy
Last updated: 30 May 2026
This page explains how Hexora's vulnerability scanner works, what it does and does not do, and how to contact us if you have concerns.
What Hexora does
Hexora performs automated, non-intrusive security checks against publicly accessible websites. Users submit URLs of websites they own or are authorised to scan, and we return a report of potential security misconfigurations.
What our scans check
- SSL/TLS certificate configuration
- HTTP security headers
- Cookie security attributes
- CORS misconfiguration
- DNS and email security (SPF, DKIM, DMARC)
- Technology stack fingerprinting
- Exposed secrets in public responses
What our scans do not do
- Attempt to exploit any vulnerability
- Perform brute-force attacks, SQL injection, cross-site scripting, or any payload-based attacks
- Access, modify, or delete data on target systems
- Scan internal or private systems
- Bypass authentication or firewalls
- Perform denial-of-service or load testing
Our scans are equivalent to what a web browser does when visiting a website.
How to identify our traffic
Requests from Hexora include a user-agent string containing "Hexora Security Scanner". If you see this in your server logs, it means a user of our service has submitted your URL for scanning.
Authorisation
Our Terms of Service require that users scan only websites they own or have explicit authorisation to scan.
If you want us to stop scanning your site
If you would like to exclude your website from Hexora scans, email abuse@hexora.uk with the domain you want excluded. We will add it to our block list within 24 hours.
Reporting concerns
- Abuse reports: abuse@hexora.uk
- Security issues with the Hexora service itself: security@hexora.uk
We respond to all reports within 24 hours on business days.
Responsible disclosure
If you discover a vulnerability in Hexora itself, report it to security@hexora.uk. We do not pursue legal action against researchers acting in good faith.