About / Policy
ShipCheck
What ShipCheck does
ShipCheck runs an external smoke check against a URL you submit: it fetches the landing page, same-origin script files referenced by static <script src> tags, a handful of well-known paths (such as /.env, /admin, /debug), and a few same-origin links. All requests are plain HTTP GET with the user agent ShipCheck and a contact URL. It never logs in, never submits forms, never bypasses any access control, and reads only small, capped amounts of data.
Intended use
ShipCheck is meant for checking your own app (or one you have permission to check) before you post it publicly. Do not use it to scan sites you do not control. Per-client and per-target rate limits are enforced.
What the result means
The report lists externally observable facts only. It is not a security assessment and not a guarantee. "Pass" means a specific surface looked fine from outside; "Cannot verify" means exactly that. Secret scanning covers only the landing HTML and same-origin scripts referenced by static tags, up to a size cap — dynamically imported chunks and cross-origin bundles are not scanned.
Data handling
Check results are generated per request and are not stored on the server. There is no database and no scan history. Standard operational access logs (client IP, time, endpoint) may be kept briefly for abuse prevention; checked URLs are not published.
Site owners: opt out
If ShipCheck requests are unwelcome on your site, block the ShipCheck user agent or contact the operator via runsol.jp and the hostname will be excluded.