# Did Stripe scan my website for security vulnerabilities?

Stripe regularly scans our users' websites to identify signs of common vulnerabilities. You might have found requests from one of these scans in your server logs. This page explains why these scans happen and how you can opt out.
## Why does Stripe scan websites?
Stripe tries to catch problems before they pose a danger to Stripe users.
For example, if a new Stripe user leaves an administrative control panel on their website unprotected, a bad actor could steal their Stripe API keys or change the website's code. If Stripe notices the problem before a bad actor finds it, the legitimate Stripe user has a chance to fix it without suffering damage to their business.
## What happens if Stripe finds a vulnerability?
Depending on the severity of the vulnerability, Stripe may contact you or, in urgent cases, proactively apply extra security measures within the Stripe platform—such as restricting or rotating compromised API keys—to protect your Stripe account.
## How can I tell whether a scanner is Stripe's?
The user agent string clearly identifies Stripe as the scanner and includes a link to this page.
Stripe's scanners are designed so that they don't overload websites with traffic. They never try to _exploit_ vulnerabilities, and they don't try to guess passwords. Contact Stripe Support if you observe a scanner claiming to be Stripe that exhibits any of those behaviors.
## Can I opt out?
Yes. If you prefer that Stripe doesn't scan your website, opt out by:
* Emailing [mss-optout@stripe.com](mailto:mss-optout@stripe.com) from an address associated with your Stripe account, including your account number (starting with `acct_`).
* Contacting Support through chat.