scratchpay.com

HTML metadata

Title: Scratchpay: Simple & friendly, payment plans for medical financing
Description: Scratchpay offers 12–24 month plans for amounts between $200–$10,000, with no hidden fees. See your options instantly—without affecting your credit score.
Language: en

Open Graph

url: https://scratchpay.com/
title: Scratchpay | Simple, Friendly Payment Plans for Vet Care
site name: Scratchpay
description: Scratch Pay offers 12–24 month plans for amounts between $200–$10,000, with no hidden fees. See your options instantly—without affecting your credit score.

Technology

CDN: Cloudflare

Analytics

Google Tag Manager

Cookie consent

Osano

Third-party hosts loaded (4)

www.googletagmanager.com×2
browser.sentry-cdn.com×1
cdn.jsdelivr.net×1
cmp.osano.com×1

Social

Registration

Registrar

NameCheap, Inc.

Created

2013-09-29

Expires

2026-09-29 132 days left

Updated

2026-01-01

Name servers

adrian.ns.cloudflare.com
brad.ns.cloudflare.com

DNS records live

NS

adrian.ns.cloudflare.com
brad.ns.cloudflare.com

MX

1 aspmx.l.google.com
10 alt3.aspmx.l.google.com
10 alt4.aspmx.l.google.com
5 alt1.aspmx.l.google.com
5 alt2.aspmx.l.google.com

TXT

Show 18 TXT records

google-site-verification=3GZvO6XAAE4ARvlxhLCCUcDKu-Yl2lhsF_drJpm4kX8
hubspot-developer-verification=YjQ1MmZlNDItMTAyYi00M2I4LWEwZTQtZDBlYzJkMWMzMGU3
google-site-verification=lV20YwQoNVeplGHZBo8qDYPZSU5RwtTJo7dmLPTHhrY
google-site-verification=_cNXH9V2rW-ZGhx-XZdLgKJ5b4f-kScgxcNwIWDS5ek
openai-domain-verification=dv-CDpCBs4T5g2Zw0t68WB2xnMU
anthropic-domain-verification-bt2dce=IBUSU2JhbeDle4ZD9TnvcG2r3
google-site-verification=oqC9fvHMf_z9vSSynWzYF_NFJ-CA_CZQraGfbZiZs8o
stripe-verification=1fbc12201cb329e6a79f39f241309b7c5774044cf2f8c5521ee493320eb10c35
stripe-verification=4bb4ac6eb5f6cb7e15f6dfea06eb97f4c866c3f9edf07c200782cd4e824bdf79
uber-domain-verification=45b3e731-94a4-49fa-8c5f-b4f388a99dc2
cloudflare_dashboard_sso=a6a6aacd2948fd0bc34eb810f248a33c
google-site-verification=1WV-dl-urIMm2QiPCvBvtkqb-LxLcV6krKbEUtn8nQ4
slack-domain-verification=L1UsM0vftwIlId2GBuuoMX7CAa2TSC6uVrRJ5lxH
google-site-verification=mJlydF2WbyZnPVA6GWHVFR3IAoEUp-Ky3ZVZvDnx_Ec
SFMC-zr_BReCGThIGIROVsC1XjCpo49kh_54IaqsWQP2F
42JNBKLJI8SLNGANKTM10299AR
google-site-verification=4WmfN6-ANRqHeuGKxqGmDJaO4ql5yNWkYT8gf2AyaRI
atlassian-domain-verification=rcT0KZ6C4j6WIDgkvggmFHVPD6FauNqmvj4MN3XcbWP8hQpzLhuJ/3QMY3HKZbCy

Email authentication strong

SPF

v=spf1 include:_spf.google.com include:mailgun.org include:customeriomail.com include:6598889.spf05.hubspotemail.net -all

strict (-all)

DMARC

v=DMARC1; p=reject; ruf=mailto:security@scratchpay.com; rf=afrf; fo=1

policy: reject (enforced)

DKIM

Show 5 DKIM selectors

google: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlszYxUcHc0mEag0C3QwgcMFYk/s3Y6B0kcYB/Gmon3b9E8vL7bSy4W0nPFIckhMIiJeuO42CJIbSKv…
k1: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbNrX2cY/GUKIFx2G/1I00ftdAj713WP9AQ1xir85i89sA2guU0ta4UX1Xzm06XIU6iBP41VwmPwBGRNofhBVR+e6WHUo…
s1: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA75roP4YpZNOuRloKkw7GqHagPX64DHAhnjiCGFrf7TSjmNH1G46mfI8eF6sPA8J3KJDYMGT5Myd5k4wf/f…
s2: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpRNSDtSN0/6OI4CA3gEyfSGPZxrR8bu9dUAjO8FrWHWoTZ6Y92ZUNRaQaOAeNOZr3izsTEzPFOHk+IR7+…
smtpapi: k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O+2J9N14hRprzByFwfQW76…

selectors probed

Certificate (current)

E8

from 2026-04-16 to 2026-07-15

Expires in 56 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 55/100 Checked live page: https://scratchpay.com/

present

strict-transport-security
content-security-policy

findings

short HSTS max-age
CSP allows unsafe inline scripts/styles
CSP uses wildcard sources
missing frame protection
missing content type protection
missing Referrer Policy
missing Permissions Policy

Header values

content-security-policy: default-src 'self' 'unsafe-inline' * data: blob:; script-src 'self' 'unsafe-inline' data: blob: https://*.doubleclick.net https://*.iesnare.com https://*.liveperson.net https://*.lpsnmedia.net https://*.paylode.com https://accounts.google.com https://apis.google.com https://bat.bing.com https://browser.sentry-cdn.com https://cdn.heapanalytics.com https://cdn.jsdelivr.net https://cdn.plaid.com https://cdnjs.cloudflare.com https://cmp.osano.com https://connect.facebook.net https://hire.withgoogle.com https://js.hsforms.net https://js.hs-scripts.com https://js-na1.hs-scripts.com https://js.hs-analytics.net https://js.stripe.com https://maps.googleapis.com https://s7.addthis.com https://sdk.us.heap-api.com https://www.google-analytics.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://ws.zoominfo.com; script-src-elem 'self' 'unsafe-inline' data: blob: https://*.doubleclick.net https://*.iesnare.com https://*.livepers
strict-transport-security: max-age=0; includeSubDomains