What is VerifiedApp? Automated website security scanning + a trust badge, explained

What VerifiedApp is, in one sentence

VerifiedApp scans your website the way an attacker would look at it from the outside, checks what it finds against a large set of security rules, and turns the result into two things you can use: a clear report, and a public trust badge your customers can verify.

That is the whole idea. Security work usually stays invisible — you fix things and nobody ever sees it. VerifiedApp makes a clean site provable.

How a scan works

Three steps, no agent to install, no code to add:

  1. We crawl your public site. Pages, scripts, stylesheets, and the files that tend to leak — all on your own domain, nothing else (more on that below).
  2. We run our full rule set against what we collected — 140-plus checks today, and growing. Each rule is a single, specific check with its own severity and its own version, so a finding always points at one concrete problem and one concrete fix.
  3. You get a report and a badge. The report lists every check, what passed, what failed, and how to fix it. The badge is a compact, public proof you can embed on your site.

What the checks actually cover

The rules group into the places real sites get caught:

  • Exposed secrets — API keys and tokens (OpenAI, Anthropic, Stripe, AWS, GitHub, Slack and more) hardcoded into pages or JavaScript bundles, plus database connection strings and private keys.
  • Leaked files — a public .env, an exposed .git folder, source maps, appsettings.json, SQL dumps, config backups.
  • TLS, certificates and ciphers — dead protocols, weak ciphers, expiring or mismatched certificates, broken chains. This is where we go deepest: dozens of rules most scanners skip entirely.
  • Security headers — missing or permissive Content-Security-Policy, HSTS, X-Frame-Options, and the modern headers most sites forget.
  • Cookies and CORS — session cookies without HttpOnly/Secure/SameSite, and CORS rules that quietly expose your API.
  • Supply chain and fingerprinting — end-of-life frontend libraries and known-compromised npm packages.
  • Frontend leaks — internal URLs, debug constants and source-map comments left in production.
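To make the "one rule, one check, one severity, one version" model concrete, here is a small rule engine of the kind the list above describes, run over a constructed HTTP response. It is an added example, not VerifiedApp's code: the rule ids, severities, version strings and the 180-day HSTS threshold are assumptions chosen for illustration, and the sample headers and cookies are made up.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Headers = Dict[str, str]  # lowercase header name -> value
# A check returns a failure detail string, or None when the check passes.
CheckFn = Callable[[Headers, List[str]], Optional[str]]


@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical ids, not VerifiedApp's
    severity: str
    version: str
    check: CheckFn


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    version: str
    detail: str


def _directives(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source tokens]}."""
    out: Dict[str, List[str]] = {}
    for d in policy.split(";"):
        parts = d.strip().split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def check_hsts(h: Headers, _cookies: List[str]) -> Optional[str]:
    v = h.get("strict-transport-security")
    if v is None:
        return "Strict-Transport-Security header missing"
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "max-age directive missing"
    age = int(m.group(1))
    return None if age >= 15552000 else f"max-age {age} is below 180 days"  # assumed threshold


def check_csp(h: Headers, _cookies: List[str]) -> Optional[str]:
    v = h.get("content-security-policy")
    if v is None:
        return "Content-Security-Policy header missing"
    d = _directives(v)
    scripts = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    return "script-src allows 'unsafe-inline'" if "'unsafe-inline'" in scripts else None


def check_framing(h: Headers, _cookies: List[str]) -> Optional[str]:
    if "x-frame-options" in h:
        return None
    if "frame-ancestors" in _directives(h.get("content-security-policy", "")):
        return None
    return "no X-Frame-Options and no CSP frame-ancestors"


def check_cookie_flags(_h: Headers, cookies: List[str]) -> Optional[str]:
    bad = []
    for c in cookies:
        name = c.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in c.split(";")[1:]}
        missing = [f for f in ("httponly", "secure", "samesite") if f not in attrs]
        if missing:
            bad.append(f"{name} lacks {', '.join(missing)}")
    return "; ".join(bad) or None


def check_cors(h: Headers, _cookies: List[str]) -> Optional[str]:
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        return "wildcard origin combined with credentials"
    return None


RULES = [
    Rule("TLS-HSTS-001", "high", "1.2", check_hsts),
    Rule("HDR-CSP-001", "medium", "1.0", check_csp),
    Rule("HDR-FRAME-001", "medium", "1.1", check_framing),
    Rule("COOKIE-FLAGS-001", "high", "1.0", check_cookie_flags),
    Rule("CORS-CRED-001", "high", "1.0", check_cors),
]


def run_rules(raw_headers: Dict[str, str], set_cookies: List[str]) -> List[Finding]:
    """Run every rule once; each failure becomes one Finding pointing at one rule."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    findings = []
    for r in RULES:
        detail = r.check(headers, set_cookies)
        if detail:
            findings.append(Finding(r.rule_id, r.severity, r.version, detail))
    return findings


# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "theme=dark; Path=/; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(f"[{f.severity}] {f.rule_id} v{f.version}: {f.detail}")
```

Against the sample response the framing rule passes (the CSP carries `frame-ancestors`) while HSTS, CSP, cookie flags and CORS each produce their own finding; a response with a long HSTS max-age, a strict CSP and fully flagged cookies produces none.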

Two ways to use it: Badge and Trust

Badge is an on-demand scan. You point us at your site, we scan it, you get the report and the badge that reflects that scan. Perfect for a launch check or a point-in-time proof.

Trust is the same scan running every day. Security drifts — a framework upgrade re-enables an unsafe setting, a build leaks a new file, a certificate creeps toward expiry. Trust re-scans daily, keeps the badge honest, and adds an extended trust profile plus AI-ready fix prompts for the issues that matter most.

Why we publish reports — even the red ones

A badge that can only ever say pass is marketing, not proof. Ours can show red. The verification report behind a paying customer's badge is public, so anyone can click through and see exactly what we checked and what the result was. That is the point: trust comes from being checkable, not from a green sticker you printed yourself.

Built for B2B, and built to respect privacy

VerifiedApp is made for companies that need to show customers their site is clean. It is privacy-respecting by design: we only ever touch your own domain — we never actively probe third-party services like your cloud storage or your database host — and we never store the plaintext of a secret we find. A finding records a masked form and a hash, never the live value.
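The "masked form and a hash, never the live value" rule is easy to get wrong in a scanner, so here is one way to record a secret finding that way. This is an added example, not VerifiedApp's implementation: the two detection patterns are illustrative, the JavaScript bundle is constructed with fake values, and the choice of a keyed SHA-256 (HMAC with a per-scan key, so the stored digest cannot be checked offline against guessed values) is this example's design decision rather than anything the page states.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List

# Illustrative patterns only: a prefixed API-key shape and an AWS-style access key id.
SECRET_PATTERNS = {
    "prefixed-api-key": re.compile(r"\b(sk_live_[A-Za-z0-9]{24,})\b"),
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}


@dataclass(frozen=True)
class SecretFinding:
    kind: str
    masked: str   # what the report shows
    digest: str   # what lets a re-scan say "same secret still present"
    line: int


def mask(secret: str, keep: int = 4) -> str:
    """Keep the first and last `keep` characters; everything between becomes '*'."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def fingerprint(secret: str, scan_key: bytes) -> str:
    """Keyed SHA-256 of the secret. The same key across scans gives a stable
    digest for comparison; without the key the digest reveals nothing usable."""
    return hmac.new(scan_key, secret.encode(), hashlib.sha256).hexdigest()


def scan_text(text: str, scan_key: bytes) -> List[SecretFinding]:
    """Return one finding per match; the plaintext value is never stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(1)
                findings.append(SecretFinding(kind, mask(secret), fingerprint(secret, scan_key), lineno))
    return findings


# Constructed sample bundle with made-up values; nothing here is a real credential.
SAMPLE_BUNDLE = """\
const api = "https://api.example.test/v1";
const STRIPE_KEY = "sk_live_0123456789abcdefABCDEF01";
const cfg = { region: "eu-west-1", accessKeyId: "AKIAEXAMPLEEXAMPLE01" };
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE, b"per-scan-key"):
        print(f"line {f.line}: {f.kind} {f.masked} {f.digest[:16]}...")
```

The report line for the first finding reads `sk_l************************EF01`; the full value exists only in the regex match object while the scan runs and is not written anywhere.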

See your own report

The fastest way to understand VerifiedApp is to run it. Scan your site, read the report, and see which checks your stack passes today.

FAQ

Do I need to install anything to be scanned?
No. VerifiedApp scans your public website from the outside — no agent, no code change, no DNS change. You point us at your domain and we crawl it.

Does scanning touch or store my data?
We only access your own public domain and never actively probe third-party services. When we detect a secret, we store a masked form and a hash for the report — never the plaintext value.

What happens if my site fails a check?
The report shows exactly which rule failed, its severity, and how to fix it. On the Trust tier you also get AI-ready fix prompts for the most serious findings. The badge reflects the real result — it can show red.

How is this different from a one-time penetration test?
A pentest is a deep, manual, point-in-time engagement. VerifiedApp is automated and repeatable: a broad, consistent check you can run today and re-run every day, plus a public badge a pentest does not give you.