Public Scanner — UX and APIs

Last updated: 2025-09-14

The Public Scanner lets anyone scan a web page (with optional GPC) to quickly assess security headers, cookie flags, redirect behavior, and new third‑party hosts. Results can be stored (sanitized) to build a simple history by domain.

Where to find it

  • Portal route: /scanner
  • No login required
  • Controls: Target URL, GPC toggle, Health “Via Registry” check. Advanced: capture Screenshot/Trace.

Interpretation

  • Shows URL, Final URL, Status, Duration
  • Redirect chain (collapsible)
  • Headers section:
    • Present header chips (HSTS, CSP, Referrer-Policy, X-Content-Type-Options)
    • Issues list with MDN links for remediation
  • Cookie issues: cookies readable from JavaScript (missing HttpOnly), third‑party cookies without SameSite=None, __Secure-/__Host- prefix rule violations, HSTS on HTTPS responses
  • New third‑party hosts: list of registrable domains observed post-consent that were not observed pre-consent
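The cookie checks listed above as a worked example, added here and not the Scanner's own code. It assumes cookies in the shape returned by Playwright's context.cookies() (host-only cookies have no leading dot in domain) and takes the scanned page's registrable domain as a parameter; it also flags SameSite=None without Secure, which browsers reject, one check beyond the page's list.

```javascript
// Returns true when the cookie's domain is the site's registrable domain or a subdomain of it.
// `siteDomain` is assumed to already be the registrable domain (no public-suffix lookup here).
function isFirstParty(cookieDomain, siteDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const s = siteDomain.toLowerCase();
  return d === s || d.endsWith('.' + s);
}

// Cookie-flag analysis: each finding names the cookie and the rule it breaks.
function analyzeCookies(cookies, siteDomain) {
  const issues = [];
  for (const c of cookies) {
    const firstParty = isFirstParty(c.domain, siteDomain);
    // Readable from script, so an XSS can exfiltrate it.
    if (!c.httpOnly) issues.push({ cookie: c.name, issue: 'not-httponly' });
    // Cross-site cookies are only sent when SameSite=None; anything else is silently dropped.
    if (!firstParty && c.sameSite !== 'None') {
      issues.push({ cookie: c.name, issue: 'third-party-without-samesite-none' });
    }
    // SameSite=None is rejected by browsers unless the cookie is also Secure.
    if (c.sameSite === 'None' && !c.secure) {
      issues.push({ cookie: c.name, issue: 'samesite-none-without-secure' });
    }
    // Prefix rules: __Secure- needs Secure; __Host- also needs host-only scope and Path=/.
    if (c.name.startsWith('__Secure-') && !c.secure) {
      issues.push({ cookie: c.name, issue: 'secure-prefix-without-secure' });
    }
    if (c.name.startsWith('__Host-')) {
      const hostOnly = !c.domain.startsWith('.');
      if (!c.secure || !hostOnly || c.path !== '/') {
        issues.push({ cookie: c.name, issue: 'host-prefix-violation' });
      }
    }
  }
  return issues;
}

// Constructed sample cookies (values already redacted, as a sanitized result would have them).
const SAMPLE_COOKIES = [
  { name: 'session', value: '[redacted]', domain: 'example.com', path: '/', httpOnly: true, secure: true, sameSite: 'Lax' },
  { name: 'prefs', value: '[redacted]', domain: '.example.com', path: '/', httpOnly: false, secure: true, sameSite: 'Lax' },
  { name: 'tracker', value: '[redacted]', domain: '.ads.example.net', path: '/', httpOnly: true, secure: true, sameSite: 'Lax' },
  { name: '__Host-csrf', value: '[redacted]', domain: '.example.com', path: '/', httpOnly: true, secure: true, sameSite: 'Strict' },
];

console.log(analyzeCookies(SAMPLE_COOKIES, 'example.com'));
```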

Health

  • Click “Via Registry” to call the Registry’s public aggregator GET /api/health/scan-api, which checks the configured Scan API base (CMP_SCAN_API_BASE) for /health and /health/ready.
  • UAT base: CMP_SCAN_API_BASE=https://cmp-scan-api.uat.digiwedge.com.
  • If the status is not Ready, ensure the Scan API is reachable from the Registry and that its /health/ready endpoint returns ok: true (meaning, for example, that Playwright can launch Chromium).
  • The page also shows a permalink button and a “Copy cURL” (includes artifact flags) for reproducible scans via the Registry.

Storage and history (sanitized)

  • After a scan is run, the page posts a sanitized result (no cookie values, no response bodies) to the Registry.
  • Public endpoints (CORS enabled):
    • GET /api/v1/scans?url=…&topDomain=…&take=…
    • GET /api/v1/scans/:id
    • POST /api/v1/scans
  • Fields stored: url, finalUrl, gpc, started/finished timestamps, durationMs, status, redirectChain, summary, analysis, diff. No cookies or response bodies are stored.
  • POST /api/v1/scans/run — trigger a scan via the configured Scan API and persist a sanitized result (public; rate‑limited)
  • GET /api/health/scan-api — public health aggregator on the Registry that checks the configured Scan API base (CMP_SCAN_API_BASE)

Security

  • Public storage endpoints are CORS-enabled. Apply rate limits and/or CAPTCHA in production.
  • Sanitization: no cookie values or response bodies are stored. Redirect chains and summary/analysis/diff only.

Troubleshooting

  • If history is empty: ensure the DB schema has the ScanRun model (run Prisma migrate/deploy) and that the Registry has a DB configured.
  • If “Check” fails: verify that the Scan API base is reachable and that /health/ready returns ok: true.
  • If screenshot/trace links fail: confirm the Scan API host exposes /artifacts/* and you’re using the same host/port in the Scanner page.