Stop pseolint from auditing your site

pseolint lets anyone audit any public URL. That's the OSS-first product. If your site is being audited and you want it to stop, you have two paths — one you control directly, one we control on request.

Self-serve: robots.txt opt-out

Our crawler honours robots.txt (Disallow paths AND Crawl-delay) and identifies itself with the user-agent token pseolint. Add these two lines to https://yourdomain.example/robots.txt and the next audit attempt will fetch zero pages from your site:

User-agent: pseolint
Disallow: /

The full UA string we send is Mozilla/5.0 (compatible; pseolint/0.7.4; +https://pseolint.dev/bot). You can also block at your CDN/WAF by matching that token.
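To confirm the opt-out from your side, the sketch below checks that a robots.txt body disallows every sample path for the pseolint token and lists any page requests in an access log whose user-agent contains that token. It is an added example, not pseolint's own code. It assumes Python's standard robots.txt parser interprets the file the way the crawler does, that your server writes Combined Log Format, and that a fetch of /robots.txt itself is expected; the function names, sample paths, robots.txt bodies and log lines are constructed for illustration.

```python
import re
from urllib.robotparser import RobotFileParser

UA_TOKEN = "pseolint"  # user-agent token stated on this page
FULL_UA = "Mozilla/5.0 (compatible; pseolint/0.7.4; +https://pseolint.dev/bot)"

def pseolint_blocked(robots_txt, paths=("/", "/catalog/item-1")):
    """True only if every sample path is disallowed for the pseolint token."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not any(rp.can_fetch(UA_TOKEN, p) for p in paths)

# Combined Log Format: "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def pseolint_page_fetches(log_lines):
    """Paths requested with a pseolint UA, ignoring the robots.txt fetch itself."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or UA_TOKEN not in m["ua"].lower():
            continue
        if m["path"].split("?")[0] != "/robots.txt":
            hits.append(m["path"])
    return hits

# Constructed samples (not real traffic or a real site's robots.txt).
FULL_OPT_OUT = "User-agent: *\nDisallow: /admin\n\nUser-agent: pseolint\nDisallow: /\n"
PARTIAL_ONLY = "User-agent: pseolint\nDisallow: /private/\n"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "{FULL_UA}"',
    f'203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /catalog?page=2 HTTP/1.1" 200 5120 "-" "{FULL_UA}"',
    '198.51.100.9 - - [01/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print("full opt-out blocks pseolint:", pseolint_blocked(FULL_OPT_OUT))
    print("partial rule blocks pseolint:", pseolint_blocked(PARTIAL_ONLY))
    print("page fetches by pseolint UA:", pseolint_page_fetches(SAMPLE_LOG))
```

A user-agent header is set by the client, so a log match shows a request that claims to be pseolint, not proof of its origin.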

Server-side: blocklist by request

If you can't edit robots.txt (third-party host, no access, etc.) or you want a hard block at our edge, email abuse@pseolint.dev and we'll add the domain to our host blocklist. After that, any audit request for your domain returns a 403 before we touch the network.

We need to verify ownership before adding the block (otherwise this becomes its own harassment vector). One of:

  • DNS TXT record we'll give you in the reply (e.g. pseolint-abuse=<token>)
  • An email reply from an address on the affected domain
  • Public WHOIS contact match

What we already do to limit damage

  • Per-host hourly cap of 30 fresh audits (across all users)
  • Per-user daily cap of 15 audits against any single host (Pro) / 3 (free) / 1 (anon)
  • Per-anon-IP daily cap of 1 audit against any single host
  • 1-hour URL-level dedup — repeat audits return cached results, no re-crawl
  • Honour robots.txt, Crawl-delay, and Retry-After
  • Max 5 parallel fetches per audit, 50 MB per audit, 200 pages per audit
  • SSRF guard rejects private/internal addresses

Full operational details at /limits.

What abuse reports cover

Abuse reports via this page cover one scenario: a domain owner who does not want pseolint crawling their site. Reports are not a channel for contesting audit findings, requesting score adjustments, or flagging competitor misuse. Once a domain is blocklisted, all future audit requests for that domain return a 403 before pseolint touches the network — the block applies to every user and every plan, including Pro. Blocklist additions are permanent unless the domain owner requests removal. Ownership verification is required in both directions (add and remove) to prevent the blocklist from becoming a suppression or harassment vector itself. Typical turnaround after a verified email is one business day.

Other concerns

Bug reports, security issues, or anything that doesn't fit above: hello@pseolint.dev. For security issues affecting users of the hosted product, please use a subject line starting with [security] so we can triage faster.

A concrete case

The owner of Caldecott Stoneworks emailed from the domain's verified DNS contact asking that pseolint stop crawling caldecott-stoneworks.example after a staging migration left half the catalog returning placeholder pages. The blocklist entry was added within one business day; every subsequent audit of that host returned a 403 before any fetch, for every plan including Pro. A follow-up request seven weeks later, re-verified from the same TXT record, lifted the block cleanly. No audit bodies, thumbnails, or derived scores were retained for the domain while it was blocked.
