
What is unpwned.io?
A third-party automated security scanner for live web apps.
Unpwned.io is a security-scanning service that runs roughly 40 automated checks on any web application's public URL. The checks cover transport-layer security, DNS hygiene, security headers, common exposure patterns, and known-vulnerability fingerprints.
On SaaStore, sellers of Directory listings (apps hosted on the seller's own URL) can opt in to a free Unpwned scan during the upload flow. Results are reviewed by a SaaStore admin before any badge is published, so a low-quality scan never silently damages a listing.
What gets checked
A representative slice of the categories Unpwned looks at. The exact check list evolves; this is what the scan focuses on at a high level.
Transport security
- -TLS / SSL certificate validity, expiry, and chain
- -Cipher strength and protocol versions
- -HSTS, redirect policies, mixed-content issues
DNS and infrastructure
- -DNSSEC, SPF, DKIM, DMARC records
- -Domain registrar lock and abuse contacts
- -Common subdomain takeover patterns
Security headers
- -Content-Security-Policy, X-Frame-Options, Referrer-Policy
- -X-Content-Type-Options, Permissions-Policy
- -Cookie flags (Secure, HttpOnly, SameSite)
Exposed surface area
- -Leaked secrets, tokens, or API keys in HTML / JS
- -Common admin paths and developer-tooling endpoints
- -Verbose error pages or stack traces
Common vulnerabilities
- -Open redirect patterns and known CVE signatures
- -Outdated framework / library fingerprints
- -Misconfigured CORS and CSRF defences
Operational hygiene
- -robots.txt, sitemap.xml, and metadata sanity
- -Public S3 / object-storage bucket exposure
- -Privacy policy, terms, and contact reachability
For sellers
- -Free third-party security signal you can show to buyers, no setup or hosting work required.
- -When the scan passes admin review, your listing displays a "Scanned by unpwned.io" badge - a trust shortcut for buyers who don't know you.
- -You receive the grade and the full findings list by email when your listing is approved.
- -Entirely opt-in. Click the ninja icon in the URL field, or uncheck the consent box on the final wizard step, to skip it.
For buyers
- -An "unpwned.io"-scanned listing means an independent scanner has looked at the seller's site for common security gaps.
- -The badge is not a guarantee of security - it's a signal that the seller welcomed external review.
- -Listings without the badge may still be safe; many sellers simply chose not to opt in.
Want to learn more?
Visit unpwned.io for the full check list and the latest additions.