How to fix passive scan only on Squarespace

Steps for Squarespace

1. Squarespace is fully managed SaaS infrastructure; running DAST scans against Squarespace's servers directly is not permitted and not actionable.
2. Focus security efforts on any custom JavaScript injected via Settings → Advanced → Code Injection or via Custom CSS — review this code manually against OWASP guidelines for XSS and data exposure.
3. Audit all third-party integrations and extensions in your Squarespace Extensions panel (Commerce → Extensions) — keep them updated and remove unused ones.
4. If you use Squarespace's API or webhooks to connect external services, deploy a staging version of that external service and run OWASP ZAP against it.
5. Ensure your custom domain has HTTPS enforced (Settings → Domains → SSL) and review cookie settings under Settings → Advanced.
6. For stores requiring deeper security assurance, consider whether a self-hosted platform would give you the control needed to implement and evidence a full DAST programme.

What is passive scan only?

Automated security scanners that check your live store passively — inspecting HTTP headers, TLS certificates, cookies, and DNS records — can only see what is publicly visible without logging in or submitting forms. They cannot detect deeper vulnerabilities like SQL injection, broken authentication, insecure API endpoints, or business-logic flaws. Dynamic Application Security Testing (DAST) tools, such as OWASP ZAP, actively probe a running copy of your application the way a real attacker would — sending crafted requests, testing login flows, and fuzzing inputs — to surface vulnerabilities a passive scan will never find. Running DAST against a staging environment (never your live store) gives you a much more complete security picture before code reaches customers.

Security misconfigurations and undetected vulnerabilities are the #5 risk on the OWASP Top Ten and are a leading cause of data breaches in ecommerce — exposing customer payment data, personal information, and admin credentials. A breach can result in PCI-DSS non-compliance fines, chargebacks, loss of payment-processor accounts, and severe reputational damage that directly destroys revenue. Relying solely on passive header checks leaves entire attack surfaces — checkout flows, account login, coupon logic, admin APIs — completely untested. Adding even a basic DAST scan to your pre-release checklist dramatically reduces the chance of shipping a critical vulnerability to production.

See the complete Passive scan only guide for every platform and the full background.