by helb 3486 days ago
It says that "Your website is BORDERLINE UNSAFE" after a while even if you leave the account form blank and just keep the page opened in a background tab.

Better yet, it probably does that for any URL – see c8g's comment about Google. I've tried HN and a few of my own sites, all with the same results. Even tried to give it its own address, but it "is not permitted".

So I thought that maybe it just displays that message after some timeout without doing any actual checks, a bit like these sketchy fake antivirus sites. But nope – when I point it to a subdomain with access_log enabled, I see it actually makes a bunch of requests. So maybe they just have such high standards that the entire web is "borderline unsafe" from their point of view.

2 comments

The scan we run from the homepage is a rudimentary scan that only scans for client-side vulnerabilities, since we can't scan for server-side issues until you've verified ownership. As a result, we can't give you a clean bill of health until you've run a full scan, which is why you see that. If you verify ownership, you'll see any issues we found and be able to run a full scan which can give you a clean bill of health if it doesn't find anything.
I'm not using your app but I assume it's not as clear as your comment based on upthread posts. You might want to modify the app to show both client and server side results with server saying "unknown: must verify ownership first." That would eliminate the confusion.
This is good feedback. Thanks.
It's a company entirely focused on web security.

Even with no conflicts of interest at all, it's obvious that they would have higher security standards than anybody else out there.