Frequently asked questions
How HatTest works, what it checks, and how pricing and ownership verification fit together.
What does HatTest do?
It scans your website — or the API / database backend behind your app — for things an attacker can already reach from the outside: leaked privileged keys and publicly readable backend data. You get a free severity scoreboard; the full findings sit behind a one-time payment and proof you own the site.
Is the scan safe? Will it affect my site?
Yes, it's safe. The scan is strictly passive recon — we read what your site already serves to the public. We never run code on your site, never log in, and never write data.
What exactly do you check for?
Two things today: (1) leaked privileged keys — a Supabase service_role or secret API key shipped to the browser, which hands an attacker your whole database; and (2) publicly readable backend data — tables that answer an anonymous request with data they shouldn't. We classify keys by role, so public, client-safe keys are never flagged. Deeper authenticated RLS-efficacy testing is in active development.
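To show what "classify keys by role" means in practice, here is an added illustration (not HatTest's own code) of how an owner can audit their own shipped JavaScript: Supabase's JWT-style keys carry a `role` claim, so a key found in a bundle can be read (without verifying its signature) and only `service_role` flagged as critical while `anon` is left alone. The bundle text and both keys are constructed in-code; the signature is a placeholder, not a real credential.

```python
import base64
import json
import re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_fake_supabase_key(role: str) -> str:
    """Constructed test key: well-formed JWT with the claims Supabase keys carry.
    The signature segment is a placeholder, so this is never a usable key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "supabase", "ref": "exampleproj", "role": role}).encode())
    return f"{header}.{payload}.placeholdersignature"

# Constructed excerpt of a front-end bundle: one client-safe key, one privileged key.
SAMPLE_BUNDLE = (
    'const supabase = createClient("https://exampleproj.supabase.co", "'
    + make_fake_supabase_key("anon") + '");\n'
    'const admin = createClient(SUPABASE_URL, "'
    + make_fake_supabase_key("service_role") + '");\n'
)

# Any JWT whose header and payload are JSON objects starts each segment with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def jwt_role(token: str):
    """Return the `role` claim from a JWT payload, or None if it does not decode.
    The signature is deliberately not checked: classification only needs the claim."""
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, IndexError):
        return None
    return claims.get("role") if isinstance(claims, dict) else None

def classify_bundle(js_source: str):
    """Find JWT-shaped keys in a bundle and rate each by role; evidence is redacted
    to the first 12 characters so a report never re-exposes the live secret."""
    findings = []
    for match in JWT_RE.finditer(js_source):
        token = match.group(0)
        role = jwt_role(token)
        severity = {"service_role": "critical", "anon": "ok"}.get(role, "review")
        findings.append({"role": role, "severity": severity,
                         "evidence": token[:12] + "..."})
    return findings
```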
What types of sites is HatTest designed to scan?
It's sharpest on apps that reach a database or API straight from the browser or a mobile client — where one backend misconfiguration leaks in public. Best fit: apps built on a backend-as-a-service (Supabase, Firebase, PocketBase, Appwrite, AWS AppSync, Nhost); single-page apps (React, Vue, Angular, Svelte) calling a public REST or GraphQL API; and mobile or desktop app backends, where you can paste the API base directly. It also runs on any website — WordPress and CMS sites get known-CVE version and plugin checks, and every site is checked for leaked keys in JavaScript, exposed files like .env or .git, and open S3 / GCS / Azure buckets. Sites fully behind a login wall or an aggressive bot-wall may come back as an honest “scan incomplete” rather than a guessed verdict.
Why is the scoreboard free but the details cost money?
The free scoreboard shows how many issues and how serious — but no exploitable detail. Revealing the actual findings for a site to anyone who pays would make us a vulnerability-lookup service for attackers. So the details are released only after you prove you own the domain. You pay for the report; ownership is what makes it safe to show.
How much does it cost?
$100, one-time, per report. The scoreboard is free on any URL.
Why do I have to verify domain ownership?
So we only ever hand exploitable details to the site's actual owner — not to someone targeting you. You prove ownership with a meta tag on your homepage or a DNS TXT record (your choice).
When am I actually charged?
Your card is authorized when you pay, but only charged after ownership is verified. If you can't verify the domain, the authorization is released and you're not charged — so we never bill for a report we can't deliver.
Can I scan a site I don't own?
You can run the free scoreboard on any URL. But the full report — the actual findings and evidence — requires proving you own that domain.
What's in the full report?
Every finding with its evidence and a plain-English explanation of the risk. Evidence is redacted to prove the finding without exposing the live secret.
Do you store my scan or its findings?
Findings metadata and encrypted evidence are kept only to serve your report, and are automatically deleted after 30 days.
Is this a full penetration test?
No. It's automated, passive security recon focused on a few high-impact exposures. It's a fast, cheap first look — it complements, but doesn't replace, a human-led penetration test. We never claim a site is “secure.”
Still have a question? Contact us or email support@hattest.ai.