Security

Scoped access and deliberately limited scanning.

ACookies does not distribute a shared scanner password. Managed scanning uses expiring, site-scoped access tokens and job ownership checks.

Scan isolation

Tokens are restricted to one registered public origin. Scan jobs cannot be read through another installation identity.

Network restrictions

The scanner rejects local, private, link-local, metadata, redirect, and private subresource targets.

WordPress controls

Administrative actions require capabilities and nonces. Public output is escaped and stored inputs are sanitized.

Disclosure

Report a suspected vulnerability privately through the contact route at Accomplice. Do not include live credentials in an initial report.