Skip to content

Our scanner’s identity

Both the free scanner and every paid scan visit your site with a real, identifiable browser — never a disguised or spoofed one. If your site’s bot protection (a WAF, Cloudflare, or a similar service) blocked us, this page has what you need to let us through.

How to recognize us

  • User-Agent: WexloScanner/1.0 (+https://wexlo.eu/scanner-info)
  • We run from Fly.io’s Frankfurt (fra) region. Fly.io apps share a regional pool of egress IPs rather than a single fixed address, so we can’t publish one narrow, permanent IP range here — allowlisting by the User-Agent above is the durable option, since it doesn’t change when the underlying IP does.
  • We never send fingerprint-spoofed headers, simulate mouse/scroll behavior, or route through proxies to look like a regular visitor. What you see in your logs is what we are.

How to allowlist us

Most WAFs and bot-protection services (Cloudflare, Akamai, and similar) let you allowlist a specific User-Agent, or an exception rule scoped to it. Add the exact string above to your allowlist or firewall rule exceptions.

What we don't do

We don’t bypass bot protection, solve CAPTCHAs, or use proxies/unblockers on sites we don’t have a reason to believe you own — the free scanner and our outreach scans always degrade honestly and tell you when a site blocked us, instead of trying harder to get past it. If your own, verified domain sits behind protection we can’t get through even after allowlisting, email us at [email protected] — we can look at a paid, request-only unblocking option for that specific case.