Is shop.app safe?

shop.app uses a valid TLSv1.3 certificate issued by WE1 (Google Trust Services), and the certificate expires in 79 days. HSTS is enabled, which forces secure connections and reduces the risk of downgrade attacks.

That said, HTTPS alone does not make a site trustworthy. The scan also found missing security headers including X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP, and X-XSS-Protection. Those gaps do not prove malicious behavior, but they do reduce the site�s defensive posture.

The threat checks are clean: Google Safe Browsing is clean, URLhaus is clean, and DNS blocklists from Spamhaus/SURBL are clean. There are no current blocklist hits tying shop.app to known malware, phishing, or spam infrastructure.

That clean result matters, but it is only one part of the picture. The scanner still rates the domain suspicious at 69/100 because reputation is unknown and the domain is not established in the scan data. A clean threat feed does not equal a verified-safe site.

The domain is marked as not known, with unknown domain reputation. Domain creation is unknown and the registrar is listed as none, so there is no usable registration history in the scan data to confirm age or ownership stability.

That lack of history is a real trust gap. Legitimate services can still have limited public records, but when a domain has unknown reputation and no clear WHOIS detail in the scan, you should not treat it as automatically safe.

The scan data supports legitimate commercial intent: the domain category is e-commerce platform, the final URL resolves directly to https://shop.app/, and Cloudflare is in use. The scanner AI summary also found no known association with malicious activity or threat infrastructure.

Even so, the overall verdict remains suspicious because the domain is unfamiliar, reputation is unknown, and several security headers are missing. Use it cautiously and verify you are on the official service before entering personal or payment information.