
3. Add domains for web scanning (Growth+)

CredWatch's web scanner discovers your public-facing surface and looks for credentials leaked in HTML, response headers, and bundled JavaScript. This is how server-side keys end up in front-end bundles: webpack (through DefinePlugin and similar env plugins) inlines process.env values into the bundle at build time, including secrets that were never meant to leave the server.

Add a domain

  1. Go to Domains → Add domain.
  2. Enter your apex domain (example.com), not a URL or subdomain.
  3. Click Add.

Verify ownership

We won't scan a domain you haven't proven you control. Choose whichever verification method is easier for you:

Option 1: DNS TXT record

  1. After adding the domain, the portal shows a token: credwatch-verify=abc123…
  2. In your DNS provider, create a TXT record:
    • Host/name: _credwatch-verify
    • Type: TXT
    • Value: the full credwatch-verify=… string (or just the part after = — both formats are accepted)
    • TTL: 300 (or whatever default the provider gives you)
  3. Wait 1–5 minutes for DNS to propagate.
  4. Back in CredWatch, click Verify.

If verification fails, the most common cause is the wrong host name. The record must resolve at _credwatch-verify directly under the apex (_credwatch-verify.example.com), not at _credwatch-verify.example.com.example.com. Some DNS UIs prepend the apex automatically, so you enter only _credwatch-verify; others want the full FQDN. Check with dig +short TXT _credwatch-verify.example.com before retrying.

You can leave the TXT record in place permanently, or remove it after verification — CredWatch only checks at verification time.

Option 2: HTTP file

  1. After adding the domain, the portal shows a token: credwatch-verify=abc123…
  2. Create a file at https://example.com/.well-known/credwatch-verify
  3. The file must be publicly accessible over HTTPS and its body must contain the token string credwatch-verify=abc123… (the full string as shown, optionally followed by a newline).
  4. Back in CredWatch, click Verify.

This method works well if you can deploy static files to your web root but don't have direct DNS access. The file can be removed after verification.
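A pre-flight check for both verification methods, as an added example that is not CredWatch's own tooling. It assumes the token value is alphanumeric (plus . _ -), takes TXT values as printed by dig +short TXT, and takes the fetched .well-known body as bytes:

```python
"""Pre-flight checks before clicking Verify in CredWatch (added example, not
CredWatch's code). Feed it the TXT values from
`dig +short TXT _credwatch-verify.example.com` and the body fetched from
https://example.com/.well-known/credwatch-verify."""
import re

# Assumed token charset; the page only shows "credwatch-verify=abc123..."
TOKEN_RE = re.compile(r"^credwatch-verify=([A-Za-z0-9._-]+)$")


def expected_txt_host(apex: str) -> str:
    """FQDN the TXT record must live at: _credwatch-verify at the apex."""
    return f"_credwatch-verify.{apex.strip('.').lower()}"


def diagnose_txt_host(entered: str, apex: str) -> str:
    """Explain the host-name mistakes the page warns about."""
    entered = entered.strip(".").lower()
    apex = apex.strip(".").lower()
    if entered == expected_txt_host(apex):
        return "ok"
    if entered == f"_credwatch-verify.{apex}.{apex}":
        return "doubled apex: the DNS UI prepended the zone, enter only _credwatch-verify"
    if entered == "_credwatch-verify":
        return "bare label: correct only if the DNS UI appends the apex for you"
    return "wrong host: expected " + expected_txt_host(apex)


def txt_value_matches(txt_values, token: str) -> bool:
    """Both accepted formats: the full credwatch-verify=... string or the bare value."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("token must look like credwatch-verify=<value>")
    bare = m.group(1)
    for value in txt_values:
        value = value.strip().strip('"')  # dig prints TXT data quoted
        if value in (token, bare):
            return True
    return False


def wellknown_body_matches(body: bytes, token: str) -> bool:
    """Strict reading of the page: the body is the full token string,
    optionally followed by a single newline. HTML wrapping fails the check."""
    return body in (token.encode(), token.encode() + b"\n")
```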

What gets scanned

For each verified apex, CredWatch:

  1. Enumerates subdomains from certificate transparency logs (crt.sh) and URLScan.
  2. Probes each live host for HTTP responses, HTML, and JS bundle URLs.
  3. Downloads and de-minifies discovered JS bundles.
  4. Runs every active detection pattern against the response bodies and the de-minified bundles.

Subdomain enumeration finds about 10–200 subdomains per apex for a typical SaaS product. Anything that's been issued a public TLS certificate will show up — including staging and dev environments you may have forgotten about.

Plan limits

Each verified apex counts as one domain against your plan cap:

  • Growth — 200 domains
  • Enterprise — unlimited

Free and Starter plans don't include web scanning. Upgrade from Billing if you'd like to enable it.

Subdomain coverage

We don't ask you to list every subdomain — we discover them. But if you have a private subdomain (no TLS cert, no inbound listing), it won't be discovered. If you specifically need an unlisted subdomain scanned, email [email protected] with the domain and we'll add it to your enumeration manually.
