Security at Scam Checker
Last updated: 2026-05-29.
Scam Checker is open-source and built privacy-first. This page summarises the protections we apply, what we deliberately do not do, and how to report a vulnerability.
1. Privacy-first design
- Scam-check analysis runs in your browser. The text you paste, the messages you screenshot, and the PDFs you upload never leave your device.
- Community scam reports persist only the masked value plus a salted hash of the reporter's IP, used for rate limiting. Raw IP addresses are never stored.
- Public report rendering masks emails, phone numbers, and URL paths so personally identifiable details aren't exposed. See the privacy policy for the full list.
2. Defence-in-depth redaction
The /api/report handler scrubs report bodies BEFORE the row hits the database. The public read path (/reports) re-scrubs at display time so any legacy row also renders masked. Common patterns we redact: email addresses, phone numbers, 13–19-digit card numbers, CVV-shaped triples, OTP / 2FA codes, "password is…" phrases, US SSN-shape numbers, Australian TFN / Medicare-shape numbers, and JWT-like tokens.
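The write-then-re-scrub design above, as an added example that is not Scam Checker's own code: one scrubber run before the row is persisted and run again on the public read path, so a legacy row that was stored unmasked still renders masked. The regex shapes, the mask formats and the sample report body are assumptions standing in for the project's actual patterns.

```javascript
// Added example, not Scam Checker's own code. Pattern shapes are assumptions.
const RULES = [
  // Order matters: masks that may still contain digits run before the looser digit rules.
  { name: "jwt",      re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
    mask: () => "[jwt]" },
  { name: "email",    re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
    mask: (m) => m[0] + "***@" + m.slice(m.indexOf("@") + 1) },
  // 13-19 digits, optionally grouped by spaces or dashes; keep only the last four.
  { name: "card",     re: /\b(?:\d[ -]?){12,18}\d\b/g,
    mask: (m) => "**** **** **** " + m.replace(/\D/g, "").slice(-4) },
  { name: "ssn",      re: /\b\d{3}-\d{2}-\d{4}\b/g, mask: () => "***-**-****" },
  { name: "phone",    re: /(?:\+\d{1,3}[ -]?)?\(?\d{2,4}\)?[ -]?\d{3,4}[ -]?\d{3,4}\b/g,
    mask: (m) => "***" + m.replace(/\D/g, "").slice(-3) },
  // "password is …" phrases: keep the keyword, drop whatever followed it.
  { name: "password", re: /\b(password|passcode)\s*(?:is|was|=|:)\s*[^\s,.;]+/gi,
    mask: (_m, word) => `${word} is [redacted]` },
  { name: "otp",      re: /\b(?:otp|code|2fa)\s*(?:is|:)?\s*\d{4,8}\b/gi,
    mask: (m) => m.replace(/\d{4,8}$/, "[otp]") },
];

// Applies every rule and reports which ones fired (useful for metrics, never logged with the body).
function scrubReport(text) {
  const hits = [];
  let out = text;
  for (const rule of RULES) {
    let matched = false;
    out = out.replace(rule.re, (...args) => { matched = true; return rule.mask(...args); });
    if (matched) hits.push(rule.name);
  }
  return { text: out, hits };
}

// Write path: scrub before the row is persisted.
function storeReport(db, body) {
  const { text } = scrubReport(body);
  db.push(text);
  return text;
}

// Read path: scrub again at render time so rows written before a rule existed still display masked.
function renderReports(db) {
  return db.map((row) => scrubReport(row).text);
}

// Constructed sample (fake values; 4111 1111 1111 1111 is a well-known test card number).
const SAMPLE = "Caller +61 412 345 678 said my password is hunter2, card 4111 1111 1111 1111, " +
  "email jane.doe@example.com, SSN 123-45-6789, OTP code is 482913, token eyJhbGciOi.eyJzdWIi.abc_-12";
```

Running the scrubber over its own output returns the output unchanged, which is what makes the display-time re-scrub safe to apply to every row, masked or not.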
3. Security headers
Every page served from scamchecker.app sends:
- Strict-Transport-Security — HSTS with a 2-year max-age and includeSubDomains.
- Content-Security-Policy — explicit allowlist for script and style sources. Inline scripts are limited to the JSON-LD and analytics-init blocks.
- X-Content-Type-Options: nosniff.
- X-Frame-Options: DENY + CSP frame-ancestors 'none' so we can't be embedded in clickjacking frames.
- Referrer-Policy: strict-origin-when-cross-origin.
- Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=() — we don't use any of these.
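The header set above expressed as a policy object, plus an audit a smoke test or CI step can run against the headers an actual response returned. This is an added example, not Scam Checker's own code; the CSP allowlist hosts are assumptions, the header values and the 2-year HSTS threshold come from this page.

```javascript
// Added example, not Scam Checker's own code.
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds

const EXPECTED_HEADERS = {
  "strict-transport-security": `max-age=${TWO_YEARS}; includeSubDomains`,
  // Assumed allowlist: the real policy names the actual script/style hosts.
  "content-security-policy":
    "default-src 'self'; script-src 'self' https://analytics.example; style-src 'self'; frame-ancestors 'none'",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy":
    "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=()",
};

const DISABLED_FEATURES = ["camera", "microphone", "geolocation", "payment", "usb", "accelerometer", "gyroscope"];

// Returns a list of findings; an empty list means the response matches the policy.
function auditSecurityHeaders(actual) {
  const findings = [];
  const h = Object.fromEntries(Object.entries(actual).map(([k, v]) => [k.toLowerCase(), String(v)]));

  for (const name of Object.keys(EXPECTED_HEADERS)) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }

  // HSTS: max-age of at least two years and includeSubDomains present.
  const hsts = h["strict-transport-security"];
  if (hsts) {
    const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1] ?? 0);
    if (maxAge < TWO_YEARS) findings.push(`hsts max-age ${maxAge} below ${TWO_YEARS}`);
    if (!/includeSubDomains/i.test(hsts)) findings.push("hsts missing includeSubDomains");
  }

  // CSP must carry frame-ancestors 'none' to back up X-Frame-Options in modern browsers.
  const csp = h["content-security-policy"];
  if (csp && !/frame-ancestors\s+'none'/i.test(csp)) findings.push("csp missing frame-ancestors 'none'");

  // Exact-value headers.
  for (const name of ["x-content-type-options", "x-frame-options", "referrer-policy"]) {
    if (h[name] && h[name].toLowerCase() !== EXPECTED_HEADERS[name].toLowerCase()) {
      findings.push(`${name} is "${h[name]}"`);
    }
  }

  // Permissions-Policy: every listed feature must have an empty allowlist.
  const pp = h["permissions-policy"];
  if (pp) {
    for (const feature of DISABLED_FEATURES) {
      if (!new RegExp(`\\b${feature}=\\(\\)`).test(pp)) findings.push(`permissions-policy does not disable ${feature}`);
    }
  }
  return findings;
}
```

Feed it the header map from a fetched response (header names are case-normalised inside) and fail the build on a non-empty result.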
4. API hardening
- Input length limits: value ≤ 500 chars, notes ≤ 1000 chars, allowed type enum enforced server-side.
- Rate limit: 10 report submissions per hour per salted-IP-hash. Beyond that the API returns 429.
- Honeypot field on the submission form — bots that fill hidden fields get a fake success and no database write.
- All errors logged as the error class only — the request body is never written to platform logs.
5. What we don't do
- No advertising cookies, no retargeting pixels.
- No user accounts, no email/password storage.
- No newsletter list. We don't collect emails to send you anything.
- No internal AI prompt is exposed in client HTML — scripts/check-seo-hygiene.mjs enforces this as part of CI.
6. Responsible disclosure
If you've found a security issue, please report it via the responsible disclosure page. We accept good-faith research that does not access other users' data, does not damage service, and does not run destructive payloads.
7. Limitation
Scam Checker is a free privacy-first tool. We can't guarantee zero risk on a complex web platform — but we practise defence-in-depth, minimise data, and disclose what we collect openly. This page is engineering practice, not a legal warranty. See the disclaimer and terms.