Crawler Identification
AI Khazna Web Security Scan Bot
User-Agent string
AI-Khazna-Security-Bot/1.0 (+https://aikhazna.com/about/security-bot)
What this bot does
Fetches one page chosen by the user, attempts to reach the HTTP version of the same host to detect HTTPS-upgrade behavior, and probes three common sensitive paths to confirm they return a non-200 status. Analyzes 22 security signals across transport, headers, cookies, content, and exposure categories. The exposure probes are intentionally limited to three well-known config paths and never read or store response bodies — only the HTTP status code is recorded.
Paths this bot may request
<target URL pasted by the user> (HTTPS)
  Main page fetch; follows redirects.
http://<same host + path>
  Manual-redirect probe (8s timeout) to detect HTTP → HTTPS upgrade behavior. Bot does not follow the redirect; it only inspects the Location header.
{origin}/.env
  Exposure probe (6s timeout). A 404 (or any non-200) is the expected, healthy response and earns a Pass. A 200 here indicates a critical credential leak and triggers a Critical finding.
{origin}/.git/config
  Exposure probe (6s timeout). A non-200 status earns a Pass. A 200 indicates an exposed Git repository and triggers a Critical finding.
{origin}/wp-config.php.bak
  Exposure probe (6s timeout). A non-200 status earns a Pass. A 200 indicates a WordPress backup file leak and triggers a Critical finding.
Operating principles
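The following self-check reproduces the probe semantics listed above (status-only exposure probes with a Pass/Critical verdict, and an HTTP probe that inspects the Location header without following it) so a site operator can confirm what the scan would record for their own origin. It is an added example, not AI Khazna's code; the fetch callable, the `site-self-check` User-Agent, the `example.test` host and the sample responses are all assumptions constructed for this illustration.

```python
"""Self-check mirroring the bot's probes so an operator can verify the
expected 'Pass' results on their own origin.  Added example, not the
AI Khazna tool's code.  Network access goes through an injectable
fetch(url, timeout) -> (status, headers) callable, so the verdict logic
can also be exercised offline against constructed responses."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# The three well-known paths named on the page; only the status is kept.
EXPOSURE_PATHS = ("/.env", "/.git/config", "/wp-config.php.bak")
EXPOSURE_TIMEOUT = 6   # seconds, per the page
UPGRADE_TIMEOUT = 8    # seconds, per the page


def origin_of(url):
    """scheme://host[:port] of a URL, the {origin} used in the probe table."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def default_fetch(url, timeout):
    """Real fetcher: never follows redirects (so Location can be read) and
    discards the body, returning only (status, headers).  The User-Agent
    value is an assumed placeholder, not the bot's own."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop here; urllib then raises HTTPError(3xx)

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        url, headers={"User-Agent": "site-self-check/0.1 (assumed example)"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


def classify_exposure(status):
    """Page rule: any non-200 is a Pass; a 200 is a Critical finding."""
    return "Critical" if status == 200 else "Pass"


def check_exposure(target_url, fetch=default_fetch):
    """Probe the three paths under the target's origin; record status only."""
    origin = origin_of(target_url)
    results = {}
    for path in EXPOSURE_PATHS:
        status, _headers = fetch(origin + path, EXPOSURE_TIMEOUT)
        results[path] = (status, classify_exposure(status))
    return results


def check_https_upgrade(target_url, fetch=default_fetch):
    """Request the http:// form of the same host+path and inspect Location
    without following it.  'Upgraded' means a 3xx pointing at https://."""
    p = urlsplit(target_url)
    http_url = urlunsplit(("http", p.netloc, p.path or "/", p.query, ""))
    status, headers = fetch(http_url, UPGRADE_TIMEOUT)
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    upgraded = 300 <= status < 400 and location.lower().startswith("https://")
    return {"status": status, "location": location, "upgrades_to_https": upgraded}


# Constructed offline responses (assumed host example.test) for a dry run:
# one exposed path, one missing, one forbidden, and a proper HTTPS upgrade.
SAMPLE_RESPONSES = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/.env": (404, {}),
    "https://example.test/.git/config": (200, {}),
    "https://example.test/wp-config.php.bak": (403, {}),
}


def sample_fetch(url, timeout):
    """Offline stand-in for default_fetch backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for path, verdict in check_exposure("https://example.test/", sample_fetch).items():
        print(f"{path:22} {verdict[0]}  {verdict[1]}")
    print(check_https_upgrade("https://example.test/", sample_fetch))
```

Pass a real URL with the default fetcher to run it against your own site; the exposure results report only the status code, matching what the page says the bot records. Note that the HTTP probe keeps the target's port, so a host served on a non-standard HTTPS port would need the http:// URL adjusted by hand.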
- User-initiated only. This bot never crawls autonomously — it only fetches the URL a user pastes into the tool.
- Single request per scan. We do not follow links from the fetched HTML or perform recursive discovery.
- No authentication. The tool is anonymous; the bot does not log in, submit forms, or carry cookies between scans.
- Originates from Vercel serverless infrastructure (IP ranges vary; no fixed allowlist is provided).
- Identifies itself honestly via the User-Agent string above, which links back to this page so server admins can verify it.
How to block this bot
Block the User-Agent above at your web server (Nginx/Apache), CDN (Cloudflare/Vercel), or WAF. Because this bot acts on direct user request, blocking it will prevent your site from being analyzed by users of the AI Khazna tools — a fair choice, but worth knowing.
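One way to apply the block at the application layer, as an added example that is not AI Khazna's code: a WSGI middleware that answers 403 to any request whose User-Agent carries the product token above. The middleware, the `hello_app` placeholder and the in-process `call` driver are assumptions for illustration; at Nginx/Apache or a CDN the equivalent is a rule matching the same User-Agent header.

```python
"""Refuse requests from the bot by User-Agent product token.  Added example,
not AI Khazna's code; shown as WSGI middleware so it can be exercised
in-process, the same check expressed as a server or WAF rule elsewhere."""

# Product token from the page; match on it rather than the full string so a
# version bump or comment change does not silently bypass the rule.
BLOCKED_UA_PREFIX = "AI-Khazna-Security-Bot/"


def is_blocked(user_agent):
    """True when the User-Agent starts with the blocked product token."""
    return user_agent.strip().startswith(BLOCKED_UA_PREFIX)


class BlockUserAgent:
    """WSGI middleware: 403 for blocked agents, otherwise pass through."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_blocked(environ.get("HTTP_USER_AGENT", "")):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Assumed placeholder application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, user_agent):
    """Drive a WSGI app in-process; returns (status line, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_USER_AGENT": user_agent}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = BlockUserAgent(hello_app)
    print(call(app, "AI-Khazna-Security-Bot/1.0 (+https://aikhazna.com/about/security-bot)"))
    print(call(app, "Mozilla/5.0"))
```

Wrap your existing WSGI application with `BlockUserAgent` to deploy it; the blocked agent sees a plain 403 and nothing else on the site is touched.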
Contact
Questions, false-positive reports, or removal requests: office@aikhazna.com