Scanner & Bot Policy

What the scanner does

When a user submits a URL, the scanner fetches publicly accessible pages and files at and around that URL. The scan is read-only. It does not log in, bypass paywalls, exploit vulnerabilities, or run intrusive tests.

Typical requests during a scan: the submitted URL, common public files (robots.txt, sitemap.xml, llms.txt, llms-full.txt, .well-known resources where required, manifest files), a small sample of pages linked from the submitted URL where checks need it, HTTPS metadata, redirects, response headers, and DNS lookups through public DNS-over-HTTPS resolvers.

What the scanner does not do

The scanner does not attempt to authenticate, register, complete a checkout, or solve any challenge that requires identity, ownership, or human interaction beyond a Turnstile-style abuse check on the requester’s side. It does not bypass paywalls, age gates, or geo-restrictions, and it does not exploit known or suspected vulnerabilities. It emits only HEAD and GET requests, and strips outbound Cookie, Authorization, and Proxy-Authorization headers.

How to recognise the scanner

Our scanner identifies itself by appending an "IsItReadyBot" token to a real Chrome User-Agent envelope. The substring IsItReadyBot/1.0 is stable. Every fetch points at https://isitready.dev/bot.

Cryptographic verification: every outbound fetch is signed under the IETF Web Bot Auth draft (HTTP Message Signatures, RFC 9421). Our public Ed25519 signing key is published at /.well-known/http-message-signatures-directory on isitready.dev.

We do not publish a list of egress IPs because the scanner runs on Cloudflare’s edge.

Robots.txt and meta directives

Use the token IsItReadyBot when writing rules. If your robots.txt disallows IsItReadyBot, we will not fetch additional public files from your site; the report shows a blocked-scan finding instead. We treat robots.txt as binding for IsItReadyBot, not as a courtesy.

We respect User-agent: * for non-essential crawling and X-Robots-Tag: noindex / <meta name="robots" content="noindex"> as instructions to suppress public-directory listing of the URL.

How to remove a public report

Email abuse@kordu.gg from an address on the domain in question with the report URL or report ID. We treat email from a verified domain address as evidence that you control the domain. Where domain email is not available, send a legal notice to legal@kordu.gg with proof of control of the domain (for example, a letter on company headed paper or a statement from your registrar).

When we remove a report we delete the cached report and the public reports directory entry. If you also want us to suppress future scans of the same hostname, say so in your removal request and we will use reasonable measures, including User-Agent blocking and removing any new public report we observe, to honour the request.

We are working on a verifiable opt-out token (DNS TXT record at _isitready-removal.<your-domain>, or a meta tag, or /.well-known/isitready-removal.txt). When that mechanism is live, this page will be updated and an entry added to the changelog. Until then, please use email or a legal notice.

We aim to action valid removal requests within 5 working days. Where the request is credible on its face but pending verification, we temporarily unindex the report on the same working day.

Crawl rate

The scanner is intentionally light. We cap requests per scan, pace requests with a short delay where appropriate, back off on repeated 429 / 503 signals, and avoid concurrent re-fetching of identical resources within a scan.