Help & Docs
Everything you need to know about how government.rest works, what the detections mean, and how to use each tool effectively.
Pages are fetched through a CORS proxy server-side, so the raw HTML comes back to you without your browser ever touching the target directly. This means you can inspect sites that would otherwise block cross-origin requests, without revealing your identity to the target server.
No. The proxy can only fetch what is publicly accessible — the same content you would see visiting the page without an account. Anything behind authentication, paywalls, or bot-detection gates will not be inspectable.
When Crawl Pages is enabled, the inspector automatically discovers and fetches up to 3 additional internal links from the starting URL. You can then navigate between crawled pages using the Back / Next controls and the page path buttons that appear in the results area.
Some sites block proxy requests, return non-HTML content (e.g. redirects, CAPTCHAs), or have very aggressive rate-limiting. The inspector uses two proxy providers with automatic fallback. If both fail, try again in a few seconds or try a different URL.
Yes. In the Source tab you'll find Copy and Download buttons in the toolbar. Copy sends the full raw HTML to your clipboard; Download saves it as an .html file named after the domain.
Some sites quietly embed Discord, Slack, or Teams webhook URLs inside their website code — sometimes in plain text, sometimes encoded in Base64 — to silently send visitor data to an external destination without your knowledge. The inspector scans for these patterns and flags them with the platform name and encoding method.
It means the page decodes a Base64 string and immediately executes or injects it — a strong signal of intentional obfuscation. Legitimate sites almost never need to do this.
A keydown or keyup event listener attached to document or window can capture every keystroke the user makes on that page. This is the mechanism behind keyloggers. While some legitimate use cases exist (keyboard shortcuts), it's worth flagging.
navigator.sendBeacon() is a browser API that silently transmits data to a server even as the page unloads — making it ideal for tracking without being caught by network inspection tools.
Tools like Hotjar, Mouseflow, FullStory, and Smartlook record every mouse movement, click, scroll, and keystroke. The inspector flags their known CDN domains when loaded as external scripts.
They are flagged at severity info (blue) — not as threats, but as disclosures. You should know what tracking is present on a page. Many sites load these legitimately; you can decide what that means for your threat model.
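The webhook, Base64 decode-and-execute, key listener and sendBeacon checks described above can be sketched as static pattern matching over the fetched source. This is an added example, not government.rest's own code. The regexes, rule names and sample page are assumptions constructed for illustration, and it runs under Node.js.

```javascript
// Added example: static checks over fetched page source. The regexes and rule
// names are assumptions for illustration, not government.rest's own rules.
const WEBHOOKS = {
  Discord: /https:\/\/(?:ptb\.|canary\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/,
  Slack: /https:\/\/hooks\.slack\.com\/services\/[A-Z0-9]+\/[A-Z0-9]+\/[A-Za-z0-9]+/,
  Teams: /https:\/\/[\w.-]+\.webhook\.office\.com\/webhookb2\/[\w@\/-]+/,
};
const BEHAVIOURS = {
  'base64-decode-and-execute': /(?:eval|Function|setTimeout|document\.write)\s*\(\s*atob\s*\(/,
  'global-key-listener': /(?:document|window)\.addEventListener\(\s*['"]key(?:down|up)['"]/,
  'send-beacon': /navigator\.sendBeacon\s*\(/,
};

// Report which platform's webhook URL, if any, appears in `text`.
function findWebhooks(text, encoding) {
  return Object.entries(WEBHOOKS)
    .filter(([, re]) => re.test(text))
    .map(([platform]) => ({ rule: 'webhook', platform, encoding }));
}

function scanSource(html) {
  const findings = findWebhooks(html, 'plain');
  // Decode every long Base64-looking run and re-check it for webhook URLs.
  // Runs that are not really Base64 decode to noise and match nothing.
  for (const run of html.match(/[A-Za-z0-9+\/]{24,}={0,2}/g) || []) {
    const decoded = Buffer.from(run, 'base64').toString('latin1');
    findings.push(...findWebhooks(decoded, 'base64'));
  }
  for (const [rule, re] of Object.entries(BEHAVIOURS)) {
    if (re.test(html)) findings.push({ rule });
  }
  return findings;
}

// Constructed sample page: the webhook ID and token are placeholders,
// and onKey / payload are deliberately left undefined.
const hidden = Buffer.from(
  'https://discord.com/api/webhooks/000000000000000000/EXAMPLE-token').toString('base64');
const SAMPLE = `<script>
  const hook = atob("${hidden}");
  document.addEventListener('keydown', onKey);
  navigator.sendBeacon('/collect', payload);
  eval(atob("YWxlcnQoMSk="));
</script>`;

console.log(scanSource(SAMPLE));
```

A key listener or sendBeacon match only says the API is present on the page, so a hit still needs a manual read of the surrounding script, for example to tell keyboard shortcuts from keystroke capture.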
Each platform uses a different approach. Roblox uses the public Roblox API. Discord lookups use the Lanyard public registry (only works for users opted in). Instagram and TikTok attempt to parse their public profile pages through a CORS proxy. Results may be limited if platforms block or change their structures.
It queries ipinfo.io's free public API, which returns geolocation, ASN, organisation name, and timezone data for any IPv4 or IPv6 address.
It fetches the response headers from any URL and surfaces security-relevant headers: Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Server, X-Powered-By, and others. Missing security headers are an important signal of how well a site has been hardened.
After running a scan, you can export all crawled pages as a single CSV file containing URL, title, script count, suspicious findings, webhook count, and link counts. Useful for archiving or offline analysis.
Yes — the inspector and basic tools are available to all visitors with no account required. Free use operates under shared rate limits and may be throttled during high-traffic periods.
Paid plans (Plus, Premium, Heist) unlock higher request limits, advanced OSINT modules, IntelX integration, API access, dedicated support, and bulk search features. See the pricing section for a full comparison.
Heist is a one-time lifetime purchase that gives you 10,000 requests per 12 hours, API access at 10,000/day, dedicated 1-on-1 support, CSV exports, bulk search, and early access to beta modules — no recurring billing, ever.
No. We do not log, store, or analyse what URLs you inspect. Scans are processed ephemerally and results are returned directly to your browser. See our Privacy Policy for full details.
The CORS proxy server makes the HTTP request, so the target site sees the proxy's IP address, not yours. However, the request itself still registers as a normal page visit in the target's server logs.
government.rest itself does not log your IP for scan queries. The third-party CORS proxy providers have their own privacy policies, which you should review if this is a concern.