How Scanning Works
How the Web Scanner discovers pages, how often it scans, and how it stays within your domain scope.
How Scanning Works
Use this page to understand how the Web Scanner discovers and scans your pages, how often it runs, and what to expect from each scan.
What happens on a scan
When you add a URL to the Web Scanner, it:
- Performs an initial scan of the homepage and a few additional linked pages to get started.
- Scans pages from multiple sources on an ongoing basis:
- Links discovered during crawling
- URLs found in any discovered sitemaps
- Detects third-party scripts on each page it visits.
- Scans script and stylesheet content for privacy-sensitive keywords such as ad platform identifiers, tracker brands, and data collection patterns (see What the scanner detects).
- Analyzes Content Security Policy (CSP) headers from each hostname to identify gaps in your site's security configuration (see What the scanner detects).
- Collects cookies and localStorage identifiers set by third-party scripts and services on your website.
Domain scope
The scanner follows a hierarchical domain rule so it only crawls pages within your control:
- If you configure
example.com, it will crawlexample.com,app.example.com,blog.example.com, etc. - If you configure
app.example.com, it will only crawlapp.example.comand its subdomains, NOTexample.com. - It will not follow links to completely different domains outside your organization's control.
What to expect
- Scans run on a regular schedule, with no manual trigger needed.
- Pages are discovered through crawling links found on each page.
- Only publicly accessible pages on your domain will be scanned.
Limitations
- While the scanner makes a best effort to detect all third-party scripts, we recommend verifying results with your IT team for full visibility.
- The scanner is intended for general monitoring. It should not be relied on as a full security audit or compliance certification.
Next Steps
How is this guide?