
Security and authorization

Safe scanning rules, written down.

NANOTESTING only assesses systems you own or are authorized to test. Every scan is read-only and rate-limited. The worker re-runs the target safety check (URL, DNS answer, public IP) immediately before any request leaves the network, not only when the target is submitted.

The boring truth most scanners hide

An aggressive scanner can take down your production faster than a human reviewer ever could.

Form-fuzzers fire SQL payloads at every input they find. A single well-meaning “SSRF probe” against an internal dashboard can spawn 200 jobs, fill a queue, and brown out your staging cluster before lunch. We've built NANOTESTING to be the opposite of that — read-only, rate-limited, and boring enough to run on a live customer site without a phone call.

What we run

  • URL validation and DNS resolution
  • Public IP safety check before any request
  • HTTP and HTTPS availability
  • TLS certificate basic checks
  • Redirect behavior review
  • Security headers review
  • robots.txt and sitemap.xml discovery
  • Passive technology fingerprint from response headers
  • Safe-mode existence check for common sensitive paths

What we never do

  • OWASP ZAP, nuclei, or other aggressive scanners on public preview
  • Crawling, deep path discovery, or directory brute force
  • Form submission, payload injection, or SQL/XSS/CSRF testing
  • Authenticated checks without explicit account scope
  • Port scanning or subdomain enumeration
  • High-volume requests against a target
  • Destructive checks of any kind
  • Scans of private IP ranges, localhost, or metadata endpoints

Authorization policy

Full scans require verified ownership of the target by DNS TXT record or HTML file. Public previews are limited to passive checks and rate-limited to one scan per IP per 30 days. Registered free users get one limited scan per day. By using NANOTESTING you confirm that you have the right to test the systems you submit.

Privacy

Public visitor IPs are hashed with a server-side salt before any persistence. Raw scan output is never exposed to anonymous users.

Storage

Reports and raw outputs live in encrypted object storage with strict bucket policies and signed URLs for authorized downloads.

Isolation

Scans execute in a dedicated Go worker outside the SaaS control plane. The worker enforces timeouts, IP safety, and rate limits.
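The public-IP safety check listed under "What we run" and the re-validation the worker performs before each request are easier to reason about in code. What follows is an added, illustrative Go example, not NANOTESTING's worker. It assumes a design in which the submitted URL is validated once (scheme, host, every resolved address must be public, with the cloud metadata address and private ranges refused) and the same address check is then repeated inside the dialer and on every redirect hop, so a DNS answer that changes between the check and the connect cannot steer a scan at an internal address. Function names, the blocked-range list and the sample URLs are the example's own, and the sample URLs are constructed; nothing is sent on the network when it runs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Illustrative code, not NANOTESTING's worker. Assumed design: validate once at
// submission, then re-check the literal IP inside the dialer and on redirects.

var errUnsafeIP = errors.New("target is not a public address")

// Ranges the net.IP helpers do not already classify as non-public (assumed list).
var extraBlocked = []string{"0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "198.18.0.0/15", "240.0.0.0/4", "64:ff9b::/96"}

// IsPublicIP fails closed: nil (unparseable), loopback, RFC 1918, link-local
// (which covers 169.254.169.254, the cloud metadata address), IPv6 ULA, multicast
// and unspecified are rejected; IPv4-mapped IPv6 such as ::ffff:10.0.0.1 is unwrapped.
func IsPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return false
	}
	for _, c := range extraBlocked {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return false
		}
	}
	return true
}

// ValidateTarget parses a submitted URL, resolves its host and returns the answers
// only if every one is public: a name mixing public and private answers is rejected.
func ValidateTarget(ctx context.Context, rawURL string, r *net.Resolver) ([]net.IP, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || host == "" {
		return nil, fmt.Errorf("%q: need http(s) scheme, a host and no credentials", rawURL)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else {
		addrs, err := r.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	for _, ip := range ips {
		if !IsPublicIP(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", errUnsafeIP, host, ip)
		}
	}
	return ips, nil
}

// NewSafeClient re-checks the address the dialer is about to connect to (after
// its own DNS lookup) and re-validates every redirect hop, so the pre-flight verdict
// cannot be bypassed by DNS rebinding or by a 302 to http://169.254.169.254/.
func NewSafeClient(timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout, Control: func(_, address string, _ syscall.RawConn) error {
		host, _, err := net.SplitHostPort(address)
		if err != nil || !IsPublicIP(net.ParseIP(host)) {
			return fmt.Errorf("%w: refusing to dial %s", errUnsafeIP, address)
		}
		return nil
	}}
	return &http.Client{
		Timeout:   timeout,                                     // bounds how long one target holds a worker
		Transport: &http.Transport{DialContext: d.DialContext}, // Proxy left nil: env proxies ignored
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := ValidateTarget(req.Context(), req.URL.String(), net.DefaultResolver)
			return err
		},
	}
}

func main() {
	// Constructed sample submissions; every host is a literal, so no lookup or request happens.
	for _, raw := range []string{"https://93.184.216.34/", "http://127.0.0.1/",
		"http://[::1]:8080/", "http://169.254.169.254/latest/meta-data/", "ftp://93.184.216.34/"} {
		_, err := ValidateTarget(context.Background(), raw, net.DefaultResolver)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

The check in the dialer's Control hook is the one that matters: it sees the address the socket will actually connect to, after the resolver has answered, so a hostname that validates as public at submission time and later resolves to 127.0.0.1 or a metadata address is refused at connect time. Rejecting a name that returns any non-public answer, rather than only the first, matters because the submitter controls that DNS zone.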

Terms

NANOTESTING is provided as-is for authorized security testing of systems you own or have explicit permission to assess. Automated findings should be validated by a qualified reviewer before acting on them; the Verified plan adds an internal review pass. Paid plans renew on a monthly cycle unless cancelled from the billing portal; the Verified report is a one-time deliverable. We may suspend accounts that submit targets they do not control.

Acceptable use

Run scans against your own targets or those you are authorized to assess. Do not submit private IP ranges, localhost, metadata endpoints, third-party infrastructure without permission, or any system covered by a no-test order. Abuse, including attempts to evade rate limits or run scans on behalf of unauthorized parties, will result in account termination and may be reported.

Status

The marketing site, dashboard, and worker are monitored through uptime health checks against every public surface. For incidents that affect scanning or billing, watch the in-app banner on the dashboard. A dedicated status page is on the roadmap.