For IT & Security Teams

Allow Greadme Scans Through Your Firewall — Securely

Greadme is a legitimate SEO and performance audit platform. If your WAF or firewall blocks automated scanners, we offer Organization Auth: a per-organization secret key that your security infrastructure can validate, so only real Greadme requests get through.

Why a secret key instead of a user-agent?

User-Agent allowlisting

  • Anyone can set User-Agent: GreadmeBot — it is trivially spoofed
  • Provides no proof that the request actually came from Greadme
  • One allowlist rule lets in anyone who copies the string

Organization Auth (X-Greadme-Key)

  • A cryptographically random key known only to Greadme and your team
  • Cannot be guessed or brute-forced (64 random hex characters)
  • Unique per organization — a key from another company does not work for yours
  • Regenerate at any time if the key is ever compromised

How to set it up

  1. Sign in to Greadme

    Go to Settings → Integrations and open the Organization Auth section.

  2. Enter your organization name and generate a key

    Greadme creates a cryptographically random secret key tied to your account.

  3. Copy the key and configure your WAF

    Create a rule in your firewall: allow any request that includes the header X-Greadme-Key matching your key.

  4. Run your scan

    Every request Greadme sends will include your key. Your WAF validates it and lets the scan through.
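
The check from step 3, written out as an added example (not Greadme's code and not any WAF vendor's rule syntax): it validates X-Greadme-Key against a key stored per exact hostname, using a constant-time comparison, and ignores the User-Agent. The keys, hostnames and function names are constructed for illustration.

```python
import hmac
import re

# Constructed sample keys (64 hex characters, the format the page describes).
# Real keys come from Settings -> Integrations and belong in a secret store.
ORG_KEYS = {
    "example.com": "a3" * 32,
    "shop.example.com": "5c" * 32,   # subdomains carry their own key
}
KEY_FORMAT = re.compile(r"[0-9a-fA-F]{64}")


def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def check_greadme_request(headers):
    """Return (allow, reason). The reason never contains the key, so it can be logged."""
    # Drop any :port suffix; anything unparseable simply finds no key and is denied.
    host = header(headers, "Host").lower().split(":")[0]
    presented = header(headers, "X-Greadme-Key")
    expected = ORG_KEYS.get(host)  # exact hostname, no wildcard or parent fallback
    if expected is None:
        return False, "no key configured for host"
    if not presented:
        # A GreadmeBot User-Agent without the key is not evidence of anything.
        return False, "header missing"
    if not KEY_FORMAT.fullmatch(presented):
        return False, "malformed key"
    # Constant-time comparison: response timing must not reveal matching prefixes.
    if hmac.compare_digest(presented.encode(), expected.encode()):
        return True, "key valid"
    return False, "key mismatch"


if __name__ == "__main__":
    samples = [  # constructed requests
        {"Host": "example.com", "X-Greadme-Key": "a3" * 32},
        {"Host": "example.com", "User-Agent": "GreadmeBot"},
        {"Host": "shop.example.com", "X-Greadme-Key": "a3" * 32},
    ]
    for req in samples:
        print(req.get("Host"), check_greadme_request(req))
```

A match here should only exempt the request from the scanner-blocking rule; the rest of the WAF policy still applies to it.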

Frequently asked questions

Is Organization Auth required?

No. It is optional. Most users whose sites are publicly accessible do not need it. It is designed for enterprises and organizations that run strict WAF rules that would otherwise block automated scanners.

What happens if I regenerate my key?

The old key is immediately invalidated. Any WAF rule still checking for the old key will start blocking Greadme scans. Update your WAF rule before regenerating if you want uninterrupted scanning.

Can I use both the user-agent and the key together?

Yes. Greadme always sends its GreadmeBot user-agent alongside the key. You can configure your WAF to check either or both — though the key alone is sufficient and more secure.

Does this prove the request came from Greadme's servers?

It proves the request was made by the Greadme account holder who owns that key. Keep the key confidential — treat it like an API key.

Do subdomains need their own key?

Yes. Keys are matched by exact hostname. A key for apple.com will not cover shop.apple.com — Greadme will not inject the header for that subdomain unless you add a separate key for it in Settings → Integrations.

Ready to set up Organization Auth?

Go to your Greadme settings and generate your key in under a minute.
