Every scan on Leaked requires explicit authorization from the person submitting the URL. This page explains exactly what our scanner does — and what it never does.
Some checks send crafted requests to live endpoints. These include:
— Sending test requests to measure rate-limiting behaviour
— Querying publicly exposed database APIs using credentials already embedded in your app's public JS bundle
— Attempting to access common protected routes without authentication tokens
— Verifying webhook handler patterns in bundle code
No vulnerabilities are exploited. No data values are extracted or stored — only metadata such as row counts and column names.
What we never do
✕ Exploit vulnerabilities found during scanning
✕ Store, display, or transmit actual user data from scanned apps
✕ Share findings with third parties
✕ Scan any URL without explicit owner authorisation
✕ Retain evidence data beyond 30 days
✕ Store full API keys — only a truncated form (first 6 + last 4 characters) is kept
Authorization requirement
Every scan — free or paid — requires the submitter to confirm: "I own or am authorized to scan this URL." No scan fires without this confirmation. By submitting a URL you confirm ownership or authorization to scan that domain.
Contact
Opt out
Email optout@getleaked.dev with your domain. We will never scan it again.
Misuse
Email security@getleaked.dev to report misuse of Leaked's scanner.