01 Acceptance of these Terms
These Terms & Conditions ("Terms") are a binding agreement between you ("you") and [Operating Entity], the operator of Test My WAF (the "Service", "we", "us"). By accessing or using the Service — including submitting a domain, verifying ownership, or running a scan — you confirm that you have read, understood, and agree to be bound by these Terms and by our data practices described in Section 8.
If you are using the Service on behalf of an organization, you represent that you are authorized to bind that organization, and "you" refers to that organization.
02 The Service
Test My WAF is a browser-based web-application-firewall (WAF) efficacy tester. It drives a real headless browser at a target you nominate, sends categorized attack-shaped payloads and evasion variants, observes which requests the target blocks, challenges, or allows, and produces an informational report and grade.
The Service is provided for defensive security assessment: to help you understand and improve the protection of systems you are responsible for. It is not a penetration test, a compliance certification, or a guarantee of security.
04 Acceptable use
You agree not to use the Service to:
- test, scan, or send traffic to any system you do not own or are not authorized to test;
- attempt to disrupt, overload, or deny service to any target, or to circumvent the Service's ownership verification, rate limits, or other safeguards;
- use the Service to develop, stage, or launch an actual attack, or to exfiltrate, alter, or destroy data;
- reverse-engineer, resell, or provide the Service to third parties except as expressly permitted; or
- use the Service in violation of any applicable law or regulation.
We may suspend or terminate access, and where appropriate report activity to the relevant parties, if we reasonably believe these Terms have been breached.
05 Nature of test traffic
The Service sends non-weaponized, syntactic representations of attacks. Payloads are designed to be recognized and classified by a WAF; they are not intended to exploit, persist on, or exfiltrate data from a target. Every request is tagged with an X-WAF-Test-ID header so that a target's operator can recognize, log, or exempt the run.
Nonetheless, sending attack-shaped traffic to a live system carries inherent risk — including triggering alerts, rate limits, blocklists, or unintended application behaviour. You accept that risk and are responsible for choosing an appropriate target and timing.
06 Fair use & availability
The Service applies rate limits, per-target concurrency limits, and global capacity controls to protect targets, our infrastructure, and other users. You agree not to circumvent these controls. We may adjust, throttle, or queue scans to maintain service health.
The Service is provided on an "as available" basis. We may modify, suspend, or discontinue any part of it at any time, with or without notice.
07 Reports & intellectual property
The report generated for a scan — including findings, grade, and remediation guidance — is provided to you for your use in securing the tested systems. As between you and us, you may use, store, and share your own reports internally and with parties responsible for the tested systems.
All rights in the Service itself — including its software, payload generation, detection logic, branding, and report templates — remain owned by us and our licensors. Nothing in these Terms transfers ownership of the Service to you.
08 Data & privacy
To operate the Service we process a limited set of data:
- Target & scan data: the domain you submit, the ownership-verification token, scan configuration, and the results and reports produced.
- Contact data: if you request a downloadable report, the name, work email, and company you provide, used to deliver the report and to contact you about the Service.
- Technical data: request metadata such as IP address and timestamps, used for security, abuse prevention, and rate limiting.
We do not sell your personal data. We retain scan artifacts and reports for a limited period and then delete them. Reports are stored privately and served only through short-lived, access-controlled links. For questions about your data or to request deletion, contact us at the address in Section 14.
09 No warranty
The Service and all reports are provided "as is" and "as available", without warranties of any kind, whether express, implied, or statutory, including any implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
A result, grade, or absence of a finding is not a guarantee that a system is secure, nor that any given attack would be blocked in production. WAF behaviour depends on configuration, traffic conditions, and factors outside our control. You are responsible for independently validating and acting on any findings.
10 Limitation of liability
To the maximum extent permitted by law, we will not be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits, data, goodwill, or business, arising out of or relating to your use of the Service — including any impact of test traffic on a target — even if advised of the possibility of such damages.
To the maximum extent permitted by law, our total aggregate liability arising out of or relating to the Service is limited to the greater of the amount you paid us for the Service in the three months preceding the claim, or USD 100.
11 Indemnification
You agree to indemnify and hold harmless us and our officers, employees, and agents from any claim, demand, loss, or expense (including reasonable legal fees) arising out of your use of the Service, your breach of these Terms, or your testing of any system without proper authorization.
12 Changes to the Service and Terms
We may update these Terms from time to time. When we do, we will revise the "Last updated" date above. Material changes take effect when posted, and your continued use of the Service after changes are posted constitutes acceptance. If you do not agree to a change, stop using the Service.
13 Governing law
These Terms are governed by the laws of [Jurisdiction], without regard to its conflict-of-laws rules, and you submit to the exclusive jurisdiction of the courts located there for any dispute arising out of or relating to the Service. If any provision of these Terms is held unenforceable, the remaining provisions remain in full effect.
14 Contact
Questions about these Terms, authorized use, or your data can be sent to legal@testmywaf.net. To report suspected misuse of the Service, contact abuse@testmywaf.net.