unpwned.io

What is unpwned.io?

A third-party automated security scanner for live web apps.

Unpwned.io is a security-scanning service that runs roughly 40 automated checks on any web application's public URL. The checks cover transport-layer security, DNS hygiene, security headers, common exposure patterns, and known-vulnerability fingerprints.

On SaaStore, sellers of Directory listings (apps hosted on the seller's own URL) can opt in to a free Unpwned scan during the upload flow. Results are reviewed by a SaaStore admin before any badge is published, so a low-quality scan never silently damages a listing.

What gets checked

A representative slice of the categories Unpwned looks at. The exact check list evolves; this is what the scan focuses on at a high level.

Transport security

  • -TLS / SSL certificate validity, expiry, and chain
  • -Cipher strength and protocol versions
  • -HSTS, redirect policies, mixed-content issues

DNS and infrastructure

  • -DNSSEC, SPF, DKIM, DMARC records
  • -Domain registrar lock and abuse contacts
  • -Common subdomain takeover patterns

Security headers

  • -Content-Security-Policy, X-Frame-Options, Referrer-Policy
  • -X-Content-Type-Options, Permissions-Policy
  • -Cookie flags (Secure, HttpOnly, SameSite)

Exposed surface area

  • -Leaked secrets, tokens, or API keys in HTML / JS
  • -Common admin paths and developer-tooling endpoints
  • -Verbose error pages or stack traces

Common vulnerabilities

  • -Open redirect patterns and known CVE signatures
  • -Outdated framework / library fingerprints
  • -Misconfigured CORS and CSRF defences

Operational hygiene

  • -robots.txt, sitemap.xml, and metadata sanity
  • -Public S3 / object-storage bucket exposure
  • -Privacy policy, terms, and contact reachability

For sellers

  • -Free third-party security signal you can show to buyers, no setup or hosting work required.
  • -When the scan passes admin review, your listing displays a "Scanned by unpwned.io" badge - a trust shortcut for buyers who don't know you.
  • -You receive the grade and the full findings list by email when your listing is approved.
  • -Entirely opt-in. Click the ninja icon in the URL field, or uncheck the consent box on the final wizard step, to skip it.

For buyers

  • -An "unpwned.io"-scanned listing means an independent scanner has looked at the seller's site for common security gaps.
  • -The badge is not a guarantee of security - it's a signal that the seller welcomed external review.
  • -Listings without the badge may still be safe; many sellers simply chose not to opt in.

Want to learn more?

Visit unpwned.io for the full check list and the latest additions.

unpwned.io