Terms of Service
Version 2026-04-10-v2 · Last updated: April 10, 2026 · v2: added sections 11-14 on paid plans (Pro subscription, automatic renewal, refunds, fair use).
1. Acceptance of terms
By using Web Security Scanner (hereinafter the "Service"), you accept these terms in full. If you do not agree, please do not use the Service. Every scan operation requires explicit confirmation of consent before it starts, and the version of the terms at the moment of consent is recorded in our audit log as legal proof of agreement.
2. What the Service does
The Service performs passive security checks of publicly accessible websites. That means:
- We only read information that is publicly available through HTTP/HTTPS requests (headers, HTML, DNS records, SSL certificates)
- We do not attempt to exploit vulnerabilities, send payloads, or try to bypass authentication
- Every scan has a maximum duration of 180 seconds and a rate limit of 5 scans per 30 minutes per IP address
- SSRF protection prevents the Service from being abused to scan internal networks or cloud metadata endpoints
3. Your responsibility as a user
You are responsible for having legal permission to scan any domain you enter into the Service. Acceptable use cases:
- Your own site — if you own the domain or have administrative access
- A client's site — with written permission from the site owner (e.g. as part of a security audit contract)
- A publicly accessible site for educational purposes — provided you use the results only for personal learning and do not burden the site with too many requests
- CTF and bug bounty programs — when the program rules explicitly allow automated scanners
Use of the Service is prohibited for:
- Unauthorized scanning of other people's sites in preparation for an attack
- Mass scanning as part of a reconnaissance campaign against a larger number of targets
- Attempting to scan internal, private, or loopback addresses (SSRF protection will block it anyway, but the attempt itself is a violation of the terms)
- Scanning sites whose owners have already notified us through our abuse-report procedure that they do not want to be scanned
4. Consent on every scan
Before starting each scan, you must explicitly check a checkbox confirming that you have permission for that specific domain. This checkbox is documented legal consent, not just a decorative UI element. When you confirm, the following is recorded in our audit log:
- That you confirmed consent (consent_accepted: true)
- The version of these terms in effect at the time (consent_version)
- Timestamp, the URL you submitted, and your pseudonymized IP address and User-Agent
If a legal dispute ever arises over whether you had permission, we will use these records as evidence that you declared you had the right to scan.
5. What we store in our database
Details of what exactly we store, for how long, and how the data is protected are described in the Privacy Policy. In short:
- URL, domain, and scan result are stored in our database for the audit trail and later review by the user
- IP address and User-Agent are stored as a SHA-256 hash with a server-side salt (pseudonymization in the sense of GDPR Art. 4(5))
- The audit log is append-only and retained for up to 90 days, except for rows flagged as legal evidence
- A daily encrypted backup is stored on Cloudflare R2 offsite storage
6. Rights of scanned site owners (abuse report)
If you are the owner of a domain that was scanned without your permission, you can submit an abuse report via the "Report abuse" link in the site footer or directly at ./index.html#abuse. For every report:
- We review within 72 hours
- If the report is legitimate, we add your domain to the block list — all future scans of that domain will be refused with HTTP 403
- Related audit_log entries are flagged as legal evidence and retained indefinitely (unless takedown orders require otherwise)
- If you leave a contact email, we notify you of the outcome
7. Two scan modes — gate-before-scan model
The Service offers two scan modes, separated by a strict gate on the backend:
7.1. Quick public scan (default, no verification)
Triggered by clicking the Quick public scan button. It runs 20 passive checks that use only information already known to every public visitor of the site: SSL/TLS certificate, HTTP headers, public DNS records (SPF, DMARC, DNSSEC), homepage HTML, robots.txt, security.txt, well-known endpoints, performance, accessibility, GDPR detection, WHOIS, CT logs, Mozilla Observatory. Three SAFE+REDACTED checks (Information Disclosure, JavaScript Security, JWT Security) also run but replace exact values with the placeholder "verify ownership to see exact data".
In this mode the scanner SENDS NO PROBES to the site's private infrastructure. The target server will not see a single GET request for /.env, /.git/config, /wp-admin/, /phpmyadmin/, a port scan, or anything a legitimate owner would treat as recon. The goal: a fast, stateless, non-compromising check that anyone can run without legal risk.
7.2. Full scan (owners only, via wizard)
Triggered by clicking the 🔓 Full scan (site owners) button. A wizard opens that guides you through 3 steps:
- Three explicit consents — every click is recorded in our audit log together with a pseudonymized IP hash:
- Ownership / written authorization from the owner
- Understanding that the scanner sends active probes against sensitive files, admin panels, database ports, and vulnerabilities — with full legal responsibility
- Consent to 30-day retention of findings tied to your IP hash
- Ownership verification — prove that you control the domain through one of three methods:
- Meta tag in the <head> of the homepage
- File at /.well-known/scanner-verify.txt
- DNS TXT record at _scanner-verify.vasdomen.com
- Recap and final confirmation — the wizard shows a summary of everything you approved. The button to start the full scan has a 3-second delay (anti-reflex measure) so that the recap is actually read before clicking.
Only after all 3 consents pass, ownership is verified, and the final confirmation is given does the scanner run 10 additional active checks: sensitive file scan, admin panel detection, vulnerability scan, port scan, API security (GraphQL introspection, swagger), CORS analysis, dependency CVE check, subdomain enumeration, takeover detection, WordPress deep-pass.
Successful verification is valid for 30 days per (domain, IP hash) combination. After expiry, you go through the wizard again. This policy exists to prevent malicious use of the Service as an exploit cheat sheet for other people's sites.
Privacy-by-design: the wizard table scan_requests stores only the creation date (DATE), without a timestamp, so that even a complete database leak cannot reveal the exact time you clicked the consent checkboxes.
8. Limitation of liability
The Service is provided "as is", without any warranties, express or implied. Specifically:
- We do not guarantee that all possible vulnerabilities will be discovered — the scanner is passive and cannot see what requires authentication or interactive probing
- We do not guarantee the accuracy of results for sites behind bot-protection challenge pages (Cloudflare, DataDome, etc.)
- We are not liable for any damage arising from your use of or inability to use the Service
- We are not liable if your site slows down or goes down during a scan (it should not happen — we use reasonable timeouts and rate limits, but it is theoretically possible)
9. Changes to the terms
We reserve the right to update these terms. When we make changes, we bump the version (consent_version) and every new scan will have to confirm the new version. Your previous consents remain valid in the audit log but are not retroactively applied to new legal provisions.
10. Contact and disputes
For any questions regarding these terms, contact us at kontakt@gradovi.rs. For security vulnerabilities: security@gradovi.rs. For abuse reports: abuse@gradovi.rs. For the Pro plan: pro@gradovi.rs. Any disputes are resolved under the law of the Republic of Serbia and the ZZPL, except to the extent that local regulations grant the user stronger rights.
11. Paid plans (Pro subscription)
In addition to the free tier described in detail above, we also offer the Web Security Scanner Pro subscription, which unlocks additional features:
- Unlimited scans — no rate limit of 5 scans per 30 minutes
- Multi-page scanning — up to 10 pages per scan (the crawler walks your site, not just the homepage)
- PDF reports — a professional branded report you can forward to a client
- Scan history — review and download of results from the last 30 days
Prices (in USD, charged at the Lemon Squeezy rate for your country):
- Pro Monthly — $9 USD per month, billed every 30 days
- Pro Yearly — $79 USD per year (~27% discount compared to the monthly plan), billed once a year
Free trial: Every new Pro subscription starts with a 7-day free trial period. You must enter a card at registration (this is how we prevent trial abuse), but you are not charged until the trial expires. You can cancel at any time during the trial and you will not be charged.
Merchant of Record: Payments are processed by Lemon Squeezy Inc. as the formal seller. That means:
- The transaction is between you and Lemon Squeezy, not directly between you and the operator of the Service
- Lemon Squeezy issues invoices that are EU VAT compliant and automatically handles tax in 100+ countries
- Your card and personal payment details are seen only by Lemon Squeezy (never by us)
- Access to the customer portal for managing your subscription (cancellation, plan changes, invoice review) goes through the Lemon Squeezy portal — you receive the link in every confirmation email
12. Automatic renewal and cancellation
Automatic renewal: Pro subscriptions renew automatically at the end of each billing cycle. The monthly plan renews every 30 days, the yearly plan every 365. This is standard behavior for SaaS subscriptions and complies with the EU Consumer Rights Directive — you consciously chose a recurring plan at purchase.
Email reminders: Before each renewal, Lemon Squeezy sends an email notification a few days in advance. If you do not want to renew, you have enough time to cancel.
How to cancel:
- Open any confirmation email you received from Lemon Squeezy
- Click the "Manage subscription" or "Customer portal" link
- Log in with the email address you used for the purchase
- Click "Cancel subscription"
After cancellation, access to Pro features remains active until the end of the current paid period. That means: if you paid for the monthly plan on April 1 and cancel on April 15, Pro features work until April 30, and on May 1 you are automatically switched to the free tier. There are no additional charges after cancellation.
13. Refunds
We have a separate, more detailed Refund Policy that you should read if you are considering a refund. In short:
- 14 days full refund for the monthly plan from the date of the first charge (no questions asked)
- 30 days full refund for the yearly plan (no questions asked)
- 7-day trial — if you cancel during the trial, nothing is charged (no refund request needed)
- After those windows — requests are considered case by case; we take a fair approach
14. Fair use for Pro features
The Pro plan unlocks "unlimited scans", but this is limited to a reasonable volume for a single user. Examples of abuse that violate fair use:
- Using one Pro subscription as a shared service for an unlimited number of users (e.g. embedding it in another publicly accessible tool)
- Scanning the same domain hundreds of times in a short period in order to DoS the target (SSRF protection and the target-side rate limit catch this anyway, but a fair-use violation is an additional basis for suspension)
- Mass scanning as part of an offensive security operation without permission for each target
- Using the API (when it becomes available) to scrape a third-party tool that itself violates someone's ToS
In case of abuse, we reserve the right to terminate access by suspending the license_key, without a refund. For standard usage (hundreds of scans per month for a single user or their clients), there are no limits.
15. Cookies and consent
The site uses granular cookie consent with three categories: essential (always active), analytics (optional), and advertising (optional). Google AdSense scripts are not loaded until you explicitly approve advertising cookies. You can change your decision at any time by clicking "Cookie Settings" in the footer. A more detailed description of cookies by category is in the Privacy Policy, section 7.
Terms of Service
Version 2026-04-12-v3 · Last updated: April 12, 2026 · v3: added section 15 (cookies and consent), updated for gate-before-scan model.
1. Acceptance of terms
By using Web Security Scanner (the "Service"), you accept these terms in full. If you don't agree, please don't use the Service. Every scan requires you to explicitly confirm consent before it starts, and the version of these terms in effect at that moment is recorded in our audit log as legal proof of your agreement.
2. What the Service does
The Service performs passive security checks on publicly-accessible websites. That means:
- We only read information publicly available through HTTP/HTTPS requests (headers, HTML, DNS records, SSL certificates)
- We do not attempt to exploit vulnerabilities, send attack payloads, or bypass authentication
- Every scan has a hard 180-second deadline and a rate limit of 5 scans per 30 minutes per IP address
- SSRF protection prevents the Service from being abused to scan internal networks or cloud metadata endpoints
3. Your responsibility as a user
You are responsible for having legal permission to scan any domain you enter into the Service. Acceptable use cases:
- Your own site — if you own the domain or have administrative access
- A client's site — with written permission from the site owner (e.g., as part of a security audit engagement)
- A publicly accessible site for educational purposes — provided you use the results only for personal learning and do not overload the target with excessive scans
- CTF and bug bounty programs — where the program rules explicitly allow automated scanners
Prohibited uses of the Service:
- Unauthorized scanning of third-party sites in preparation for an attack
- Mass scanning as part of a reconnaissance campaign against multiple targets
- Attempting to scan internal, private, or loopback addresses (SSRF protection will block it, but the attempt itself violates these terms)
- Scanning sites whose owners have already notified us through our abuse-report procedure that they do not want to be scanned
4. Consent on every scan
Before starting each scan, you must explicitly check a checkbox confirming you have permission for that specific domain. This checkbox is documented legal consent, not just a UI decoration. When you confirm, the following gets recorded in our audit log:
- That you confirmed consent (consent_accepted: true)
- The version of these terms in effect at the time (consent_version)
- Timestamp, the URL you submitted, and your pseudonymized IP address and User-Agent
If a legal dispute ever arises over whether you had permission, we will use these records as evidence that you declared you had the right to scan.
5. What we store in our database
Detailed information about what we store, for how long, and how we protect it is described in our Privacy Policy. In summary:
- URL, domain, and scan result are stored in our database for audit trail and later review by users
- IP address and User-Agent are stored as SHA-256 hashes with a server-side salt (pseudonymization in the sense of GDPR Art. 4(5))
- Audit log is append-only and retained for up to 90 days, except for rows flagged as legal evidence
- A daily encrypted backup is stored on Cloudflare R2 offsite storage
6. Rights of scanned site owners (abuse report)
If you are the owner of a domain that was scanned without your permission, you can submit an abuse report through the "Report abuse" link in the footer or directly at ./index.html#abuse. For every report:
- We review within 72 hours
- If the report is legitimate, we add your domain to the block list — all future scans of that domain will be refused with HTTP 403
- Related audit_log entries are flagged as legal evidence and retained indefinitely (unless takedown orders require otherwise)
- If you leave a contact email, we will notify you of the outcome
7. Two scan modes — gate-before-scan model
The Service offers two scan modes, separated by a strict server-side gate:
7.1. Quick public scan (default, no verification)
Triggered by clicking Quick public scan. Runs 20 passive checks using only information any public visitor of the site already knows: SSL/TLS certificate, HTTP headers, public DNS records (SPF, DMARC, DNSSEC), homepage HTML, robots.txt, security.txt, well-known endpoints, performance, accessibility, GDPR detection, WHOIS, CT logs, Mozilla Observatory. Three SAFE+REDACTED checks (Information Disclosure, JavaScript Security, JWT Security) also run but replace exact values with the placeholder "verify ownership to see exact data".
In this mode the scanner SENDS NO PROBES against private infrastructure. The target server will not see a single GET request for /.env, /.git/config, /wp-admin/, /phpmyadmin/, port scans, or anything a legitimate owner would treat as recon. Goal: a fast, stateless, non-compromising check that anyone can run without legal risk.
7.2. Full scan (owners only, via wizard)
Triggered by the 🔓 Full scan (site owners) button. Opens a wizard with 3 steps:
- Three explicit consents — every click is recorded in our audit log together with a pseudonymized IP hash:
- Ownership / written authorization from the owner
- Understanding that the scanner will send active probes against sensitive files, admin panels, database ports, and vulnerabilities — with full legal responsibility
- Consent to 30-day storage of findings tied to your IP hash
- Ownership verification — prove you control the domain through one of three methods:
- Meta tag in the <head> of the homepage
- File at /.well-known/scanner-verify.txt
- DNS TXT record at _scanner-verify.yourdomain.com
- Recap and final confirmation — the wizard shows a summary of everything you approved. The button to start the full scan has a 3-second delay (anti-reflex measure) so the recap is actually read before clicking.
Only after all 3 consents pass, ownership is verified, and the final confirmation is given does the scanner run 10 additional active checks: sensitive files scan, admin panel detection, vulnerability scan, port scan, API security (GraphQL introspection, swagger), CORS analysis, dependency CVE check, subdomain enumeration, takeover detection, WordPress deep-pass.
Successful verification is valid for 30 days per (domain, IP hash) combination. After expiry, you go through the wizard again. This policy exists to prevent the Service from being used as an exploit cheat sheet against sites owned by someone else.
Privacy-by-design: the wizard table scan_requests only stores the creation date (DATE), with no timestamp, so even a complete database leak cannot reveal the exact time you clicked the consent checkboxes.
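How the server-side gate described in 7.2 can be enforced, together with the salted SHA-256 pseudonymization from section 5, as an added example that is not the Service's own code. It assumes a hypothetical stored wizard record (domain, ip_hash, verified_on as a DATE, the three consent flags, final_confirmed), a constructed salt, and a meta attribute name of "scanner-verify", which the terms do not specify.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

VERIFY_TTL_DAYS = 30  # the terms: verification is valid 30 days per (domain, IP hash)
# Constructed placeholder; a real deployment loads the salt from protected config.
SERVER_SALT = b"constructed-salt-not-a-real-secret"
REQUIRED_CONSENTS = ("ownership", "active_probes", "retention_30d")


def pseudonymize(value: str, salt: bytes = SERVER_SALT) -> str:
    """SHA-256 over server-side salt + value, the pseudonymization the terms describe."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def _eq(a: str, b: str) -> bool:
    """Constant-time equality on UTF-8 bytes (compare_digest needs equal types)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def token_in_meta(html: str, token: str) -> bool:
    """Method 1: a <meta> tag inside <head>. The attribute name 'scanner-verify'
    is an assumption; the terms only say 'meta tag in the <head> of the homepage'."""
    head = re.search(r"<head\b[^>]*>(.*?)</head>", html, re.I | re.S)
    if not head:
        return False  # a tag placed in <body> does not count
    for tag in re.findall(r"<meta\b[^>]*>", head.group(1), re.I):
        name = re.search(r"""name\s*=\s*["']([^"']*)["']""", tag, re.I)
        content = re.search(r"""content\s*=\s*["']([^"']*)["']""", tag, re.I)
        if name and content and name.group(1).lower() == "scanner-verify":
            if _eq(content.group(1).strip(), token):
                return True
    return False


def token_in_wellknown(body: str, token: str) -> bool:
    """Method 2: the body of /.well-known/scanner-verify.txt is the token."""
    return _eq(body.strip(), token)


def token_in_dns(txt_records: list, token: str) -> bool:
    """Method 3: a TXT record at _scanner-verify.<domain> equals the token."""
    return any(_eq(r.strip().strip('"'), token) for r in txt_records)


def ownership_verified(token, html="", wellknown="", txt_records=()) -> bool:
    """Any one of the three methods proves control of the domain."""
    return (token_in_meta(html, token)
            or token_in_wellknown(wellknown, token)
            or token_in_dns(list(txt_records), token))


def full_scan_allowed(record: dict, domain: str, client_ip: str, today: date):
    """Gate for the full scan. `record` is the stored wizard state (hypothetical
    shape): domain, ip_hash, verified_on (a DATE, no timestamp, as in the
    privacy-by-design note), consents (the three flags) and final_confirmed."""
    if record.get("domain") != domain:
        return False, "no verification for this domain"
    if not _eq(record.get("ip_hash", ""), pseudonymize(client_ip)):
        return False, "verification belongs to another IP hash"
    missing = [c for c in REQUIRED_CONSENTS if not record.get("consents", {}).get(c)]
    if missing:
        return False, "missing consent: " + ", ".join(missing)
    if not record.get("final_confirmed"):
        return False, "recap not confirmed"
    if today - record["verified_on"] > timedelta(days=VERIFY_TTL_DAYS):
        return False, "verification expired; run the wizard again"
    return True, "ok"
```

Because only a DATE is stored, the 30-day expiry is computed in whole days; the quick public scan path never consults this gate.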
8. Limitation of liability
The Service is provided "as is", without warranties of any kind, express or implied. Specifically:
- We do not guarantee that all vulnerabilities will be discovered — the scanner is passive and cannot see what requires authentication or interactive probing
- We do not guarantee accuracy of results for sites behind bot-protection challenge pages (Cloudflare, DataDome, etc.)
- We are not liable for any damage arising from your use or inability to use the Service
- We are not liable if your site slows down or crashes during a scan (it shouldn't — we use reasonable timeouts and rate limits, but it is theoretically possible)
9. Changes to these terms
We reserve the right to update these terms. When we do, we bump the version (consent_version) and every new scan will have to confirm the new version. Your prior consents remain valid in the audit log but do not retroactively apply to new legal terms.
10. Contact and disputes
For any questions about these terms, contact us at kontakt@gradovi.rs. Security vulnerabilities: security@gradovi.rs. Abuse reports: abuse@gradovi.rs. Pro plan: pro@gradovi.rs. Any disputes are resolved under the law of the Republic of Serbia and ZZPL, except to the extent local regulations grant the user stronger rights.
11. Paid plans (Pro subscription)
Alongside the free tier described above, we also offer Web Security Scanner Pro, a paid subscription that unlocks additional features:
- Unlimited scans — the rate limit of 5 scans per 30 minutes no longer applies
- Multi-page scanning — up to 10 pages per scan (crawler walks your site, not just the homepage)
- PDF reports — professional branded reports you can send to clients
- Scan history — review and re-download results from the last 30 days
Pricing (in USD, converted at Lemon Squeezy's rate for your country):
- Pro Monthly — $9 USD per month, billed every 30 days
- Pro Yearly — $79 USD per year (~27% discount vs monthly), billed once a year
Free trial: Every new Pro subscription starts with a 7-day free trial. You must enter a card at signup (that's how we prevent trial abuse), but you are not charged until the trial ends. You can cancel anytime during the trial and will not be charged.
Merchant of Record: Payments are processed by Lemon Squeezy Inc. as the legal seller. That means:
- The transaction is between you and Lemon Squeezy, not directly between you and the operator of the Service
- Lemon Squeezy issues EU VAT compliant invoices and automatically handles tax in 100+ countries
- Your card and personal payment information are seen only by Lemon Squeezy (never by us)
- Access to the customer portal for managing your subscription (cancellation, plan changes, invoice history) is through the Lemon Squeezy portal — the link is in every confirmation email
12. Automatic renewal and cancellation
Automatic renewal: Pro subscriptions auto-renew at the end of each billing cycle. Monthly plans renew every 30 days, yearly every 365. This is standard behavior for SaaS subscriptions and complies with the EU Consumer Rights Directive — you consciously chose a recurring plan at checkout.
Email reminders: Before each renewal, Lemon Squeezy sends an email notification a few days in advance. If you don't want to renew, you have enough time to cancel.
How to cancel:
- Open any confirmation email you received from Lemon Squeezy
- Click the "Manage subscription" or "Customer portal" link
- Log in with the email address you used for the purchase
- Click "Cancel subscription"
After cancellation, access to Pro features remains active until the end of the current paid period. That means: if you paid for a monthly plan on April 1 and cancel on April 15, Pro features work until April 30, and on May 1 you automatically fall back to the free tier. There are no additional charges after cancellation.
13. Refunds
We have a separate, more detailed Refund Policy that you should read if you're considering a refund. In short:
- 14 days full refund for monthly plans from the date of first charge (no questions asked)
- 30 days full refund for yearly plans (no questions asked)
- 7-day trial — if you cancel during the trial, nothing is charged (no refund request needed)
- After those windows — requests are considered case by case; we take a fair approach
14. Fair use for Pro features
The Pro plan unlocks "unlimited scans", but that is limited to a reasonable volume for a single user. Examples of abuse that violate fair use:
- Using one Pro subscription as a shared service for unlimited users (e.g., embedding it in another publicly-accessible tool)
- Scanning the same domain hundreds of times in a short window in order to DoS the target (SSRF protection and target-side rate limits will catch this anyway, but fair-use violation is an additional basis for suspension)
- Mass-scanning as part of offensive security operations without permission for each target
- Using the API (when it becomes available) to scrape a third-party tool that itself violates someone's ToS
In cases of abuse, we reserve the right to suspend access by revoking the license_key without a refund. For standard usage (hundreds of scans per month for a single user or their clients), there are no limits.
15. Cookies and consent
The site uses a granular cookie consent system with three categories: essential (always active), analytics (optional), and advertising (optional). Google AdSense scripts do not load until you explicitly approve advertising cookies. You can change your decision at any time by clicking "Cookie Settings" in the footer. A detailed description of cookies by category is available in the Privacy Policy, section 7.