Do not publish exploit details, credentials, private data, or a working attack. Send a concise report to siddharth.sudhir77@gmail.com.
Security boundary
SiteGuard Lite accepts a public HTTP or HTTPS URL and performs a small number of server-side requests. Security-sensitive areas include URL parsing, DNS resolution, private-address detection, redirect validation, TLS inspection, response-size limits, concurrency, rate limiting, parsing, report export, and error handling.
Service protections
The application rejects private and reserved network destinations, restricts supported protocols and ports, validates redirect targets, pins validated public addresses for outbound requests, limits response sizes, applies timeouts, caps link and image samples, and rate-limits repeated audits.
These controls reduce risk but do not make the service immune to every implementation flaw, deployment mistake, dependency issue, or new attack technique.
Testing intentionally excluded
The project must not be extended to perform credential testing, login attempts, account enumeration, exploit payloads, malware execution, unrestricted port scanning, private-network access, denial-of-service testing, aggressive crawling, or attempts to bypass authorization.
Report a vulnerability
A useful report includes the affected route or component, a clear description, safe reproduction steps, expected and actual behavior, potential impact, and a suggested mitigation when available.
Email a private security reportResponsible research rules
Test only a local instance, your own deployment, or an environment for which you have explicit permission. Do not access data that is not yours, degrade availability, retain private information, send automated high-volume traffic, or publicly disclose an issue before a reasonable remediation discussion.
Data handling
The application does not include a database for storing submitted URLs or completed reports. A report remains in the browser session unless the user exports it. Hosting providers, reverse proxies, rate-limit services, and infrastructure logs may still process technical request data according to the deployed environment.
Do not submit private intranet addresses, secret URLs, embedded credentials, access tokens, or sensitive query parameters.
Supported version
The latest maintained version of the project receives security fixes. Older copies and independently modified deployments may not contain current protections.