Security and authorization

Safe scanning rules, written down.

Nano Testing only assesses systems you own or are authorized to test. Every scan is read-only and rate-limited. The worker repeats target safety validation before any request leaves the network.

What we run

  • URL validation and DNS resolution
  • Public IP safety check before any request
  • HTTP and HTTPS availability
  • TLS certificate basic checks
  • Redirect behavior review
  • Security headers review
  • robots.txt and sitemap.xml discovery
  • Passive technology fingerprint from response headers
  • Safe-mode existence check for common sensitive paths

What we never do

  • OWASP ZAP, nuclei, or other aggressive scanners on public preview
  • Crawling, deep path discovery, or directory brute force
  • Form submission, payload injection, or SQL/XSS/CSRF testing
  • Authenticated checks without explicit account scope
  • Port scanning or subdomain enumeration
  • High-volume requests against a target
  • Destructive checks of any kind
  • Scans of private IP ranges, localhost, or metadata endpoints
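The "public IP safety check before any request" in the first list and the private-range, localhost and metadata-endpoint exclusions in the second are the same control seen from two sides. The following Go code is an added illustration of how such a check can be written; it is not Nano Testing's worker code. It assumes a `Resolver` function type (matching `net.LookupIP`) so the DNS step can be substituted, and the extra CIDR list beyond Go's built-in classifiers is a constructed one.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver lets callers (and tests) swap the real DNS lookup for a fixed map.
// net.LookupIP already has this shape.
type Resolver func(host string) ([]net.IP, error)

// Ranges not covered by net.IP's built-in IsPrivate/IsLoopback/... methods
// (constructed list for this example).
var extraBlocked = mustCIDRs(
	"0.0.0.0/8",     // "this" network
	"100.64.0.0/10", // carrier-grade NAT / shared address space
	"192.0.0.0/24",  // IETF protocol assignments
	"198.18.0.0/15", // benchmarking
	"240.0.0.0/4",   // reserved
	"64:ff9b::/96",  // NAT64 well-known prefix; may embed a private IPv4
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsPublicIP reports whether ip is a globally routable unicast address.
// Loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata
// endpoint), multicast and unspecified addresses are all rejected.
func IsPublicIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the v4 rules apply
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() || ip.IsInterfaceLocalMulticast() {
		return false
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// ValidateTarget parses a submitted URL, resolves its host and returns the
// vetted addresses. The caller should dial those addresses rather than resolve
// the name again, so a DNS answer cannot change between check and request.
func ValidateTarget(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return nil, errors.New("missing host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, errors.New("localhost is never a valid target")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else if ips, err = resolve(host); err != nil {
		return nil, fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s resolved to no addresses", host)
	}
	// Every address must be public: a name that mixes one public and one
	// internal record is rejected outright rather than filtered "best effort".
	for _, ip := range ips {
		if !IsPublicIP(ip) {
			return nil, fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return ips, nil
}

func main() {
	for _, t := range []string{
		"https://example.com/",
		"http://169.254.169.254/latest/meta-data/",
		"http://localhost:8080/",
		"https://[::1]/",
	} {
		ips, err := ValidateTarget(t, net.LookupIP)
		fmt.Printf("%-45s ips=%v err=%v\n", t, ips, err)
	}
}
```

Two design points matter more than the CIDR list itself: the function returns the addresses it approved, so the HTTP client can be built with a dialer that connects to those addresses and never re-resolves (a second lookup is where rebinding happens), and a host with any non-public answer is refused entirely, because a scanner that silently drops some records still has to trust the rest.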

Authorization policy

Full scans require verified ownership of the target by DNS TXT record or HTML file. Public previews are limited to passive checks and rate-limited to one scan per IP per 30 days. Registered free users get one limited scan per day. By using Nano Testing you confirm that you have the right to test the systems you submit.
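The DNS TXT ownership proof mentioned above can be implemented with a random per-request token that the owner publishes and the service later looks up. The Go code below is an added example, not Nano Testing's own implementation; the record name `_nano-testing-verification.<domain>` and the `nano-testing-verification=` value prefix are assumed formats, and the `TXTResolver` type mirrors `net.LookupTXT` so the lookup can be replaced in tests.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// Record label and value prefix are assumptions for this example, not a
// documented Nano Testing format.
const (
	txtLabel  = "_nano-testing-verification"
	txtPrefix = "nano-testing-verification="
)

// TXTResolver has net.LookupTXT's shape so a fixed table can stand in for DNS.
type TXTResolver func(name string) ([]string, error)

// NewChallengeToken returns a fresh 128-bit random token, hex-encoded. It is
// stored server-side next to the account and domain that requested it.
func NewChallengeToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// VerifyDomainTXT reports whether the domain publishes the expected token at
// _nano-testing-verification.<domain>. Every record is inspected, so an older
// token left beside the current one does not break verification, and the
// token comparison is constant-time.
func VerifyDomainTXT(domain, expected string, lookup TXTResolver) (bool, error) {
	domain = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if domain == "" || expected == "" {
		return false, fmt.Errorf("domain and token are required")
	}
	records, err := lookup(txtLabel + "." + domain)
	if err != nil {
		return false, fmt.Errorf("TXT lookup for %s: %w", domain, err)
	}
	for _, r := range records {
		r = strings.TrimSpace(strings.Trim(r, `"`))
		if !strings.HasPrefix(r, txtPrefix) {
			continue // unrelated record (SPF, other verifications, ...)
		}
		got := strings.TrimPrefix(r, txtPrefix)
		if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	token, err := NewChallengeToken()
	if err != nil {
		panic(err)
	}
	fmt.Printf("publish TXT %s.example.com  \"%s%s\"\n", txtLabel, txtPrefix, token)
	ok, err := VerifyDomainTXT("example.com", token, net.LookupTXT)
	fmt.Printf("verified=%v err=%v\n", ok, err)
}
```

The lookup error and the "not found" result are kept separate on purpose: an NXDOMAIN or timeout should tell the user to retry later, while a successful lookup with no matching value means the record is wrong, and the two deserve different messages.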

Privacy

Public visitor IPs are hashed with a server-side salt before any persistence. Raw scan output is never exposed to anonymous users.

Storage

Reports and raw outputs live in Supabase Storage with strict bucket policies and signed URLs for authorized downloads.

Isolation

Scans execute in a dedicated Go worker outside the SaaS control plane. The worker enforces timeouts, IP safety, and rate limits.