The ScriptPatrol scanner
ScriptPatrol runs an automated, read-only scanner that checks web pages for client-side security problems — unauthorised JavaScript changes and weakened security headers. If you reached this page from a User-Agent in your access logs, here is everything your security and network teams need to identify it, let it through cleanly, or block it.
Scanner identity
ScriptPatrol/1.0 (+https://scriptpatrol.com/bot)
The token we add so you can recognise legitimate scans in your access logs. Match on the “ScriptPatrol/1.0” token rather than the whole string. A User-Agent is spoofable, so treat it as a recognition aid — pair it with the IP or the header below for an actual allow decision.
X-ScriptPatrol-Verify
A per-site secret we send on every scan so you can identify us independently of IP. The value is unique to your site and generated in your dashboard — this is the most robust way to recognise us.
How the scanner behaves
Predictable, observable, and safe by design. What it does — and the things it will never do.
Read-only, always
The scanner issues read-only GET requests. It never submits forms, completes a purchase, creates an account, or changes anything on your site. The one exception is an optional sign-in — and only on a site whose owner has explicitly configured credentials for an authenticated page they want monitored.
Inspects, does not copy
It loads the page the way a browser does — executing JavaScript — so it can see the scripts and security headers that actually run. It records each script’s URL, SHA-256 hash and a short preview (up to 5 KB) — never the full source of your third-party code, and never visitor data.
Scheduled and polite
Scans run on a schedule rather than continuously, and the scanner rate-limits itself per domain. It is built to be a quiet, predictable visitor — not a load on your origin.
A security tool, on request
ScriptPatrol watches the client-side layer for unauthorised JavaScript changes and weakened security headers — used by site owners to monitor their own pages, and to produce client-side security assessments.
Letting us through cleanly
If a WAF or bot-management rule challenges or blocks the scanner, your monitoring can show gaps. To allow legitimate scans while everything else stays protected, use either lever — the rule is “IP or header”, so one is enough:
- Recommended — the secret header. Allow any request carrying X-ScriptPatrol-Verify. It is fixed per site and independent of our IP.
- Or your egress IP. We provide your site’s current scanner egress IP in your dashboard, and share it with your security team on request. It is a shared address that can change, so the header above is the more reliable lever.
Monitoring a site you own? Your dashboard generates your token and egress IP, a ready-to-paste Cloudflare rule, and a one-click verify check under Settings → Scanner Access.
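The "IP or header" rule above, written as an edge-side check. This is an added example, not ScriptPatrol's own code or its generated Cloudflare rule. The function name, the "suspect" label, the secret and the addresses are constructed placeholders; take the real values from your dashboard.

```python
import hmac
import ipaddress

UA_TOKEN = "ScriptPatrol/1.0"             # recognition aid only, spoofable
VERIFY_HEADER = "x-scriptpatrol-verify"   # header names compare case-insensitively

# Constructed placeholders, not real values.
SITE_SECRET = "example-secret-not-real"
EGRESS_IPS = ["203.0.113.10"]             # documentation range (TEST-NET-3)

def classify(headers, src_ip, site_secret=SITE_SECRET, egress_ips=EGRESS_IPS):
    """Return 'allow', 'suspect' or 'other' for one request.

    headers: dict of request headers; src_ip: connecting address seen at the edge.
    """
    h = {k.lower(): v for k, v in headers.items()}
    claims_scanner = UA_TOKEN in h.get("user-agent", "")
    presented = h.get(VERIFY_HEADER, "")
    # Constant-time comparison so response timing does not leak the secret.
    header_ok = bool(presented) and hmac.compare_digest(
        presented.encode(), site_secret.encode())
    try:
        allowed = {ipaddress.ip_address(a) for a in egress_ips}
        ip_ok = ipaddress.ip_address(src_ip) in allowed
    except ValueError:
        ip_ok = False                     # malformed address never matches
    if header_ok or ip_ok:
        return "allow"                    # one lever is enough
    if claims_scanner or presented:
        return "suspect"                  # claims to be the scanner, proves nothing
    return "other"                        # ordinary traffic, normal rules apply

if __name__ == "__main__":
    ua = "ScriptPatrol/1.0 (+https://scriptpatrol.com/bot)"
    samples = [                           # constructed requests
        ({"User-Agent": ua, "X-ScriptPatrol-Verify": SITE_SECRET}, "198.51.100.7"),
        ({"User-Agent": ua}, "203.0.113.10"),
        ({"User-Agent": ua}, "198.51.100.7"),
        ({"User-Agent": ua, "X-ScriptPatrol-Verify": "guess"}, "198.51.100.7"),
        ({"User-Agent": "Mozilla/5.0"}, "198.51.100.7"),
    ]
    for hdrs, ip in samples:
        print(ip, classify(hdrs, ip))
```

Requests classified as "suspect" are worth logging: a User-Agent match with neither lever satisfied is either a spoofed token or a scan whose egress IP or secret has changed since the rule was written.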
If you would rather we did not
We are a security tool and have no interest in scanning a site whose owner does not want us there. You can stop the scanner at any time:
- The surest way is to tell us. Email [email protected] and we will stop scanning your domain.
- You can also block our egress IP or User-Agent token at your edge.
Questions from a security or network team?
We are happy to confirm any of the above in writing, or to work through your specific edge configuration. Real people answer.