Google Site Verification
Google Site Verification is a security scanner operated by Google. It probes websites for vulnerabilities, exposed credentials, misconfigurations, or compliance issues.
Whether to allow it depends entirely on who is running it. If it is your own pen-test vendor or your bug-bounty researchers, allow it. If it is hostile reconnaissance, block it.
Look at the source IP and the request pattern. Hostile scanners tend to probe known-vulnerable URLs aggressively; legitimate scanners usually identify themselves and crawl gently.
See Google Site Verification on your own site
Match the User-Agent header on incoming requests against the operator's published regex pattern.
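As a sketch, a server-side check might look like the following. The token `Google-Site-Verification` and the regex are assumptions, not the operator's published pattern, so confirm the exact string against Google's own crawler documentation:

```python
import re

# Assumed UA token -- verify the exact string against Google's
# published crawler list before relying on it.
UA_PATTERN = re.compile(r"Google[ -]Site[ -]?Verification", re.IGNORECASE)

def is_site_verification_ua(user_agent: str) -> bool:
    """Return True if the User-Agent header matches the assumed pattern."""
    return bool(UA_PATTERN.search(user_agent))

# Usage:
print(is_site_verification_ua(
    "Mozilla/5.0 (compatible; Google-Site-Verification/1.0)"))  # True
print(is_site_verification_ua("curl/8.4.0"))  # False
```

Remember this is only the first of the two checks; a matching header proves nothing on its own, since any client can send it.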
Verify by IP
For higher confidence, also verify the source IP against the operator's published ranges. UA strings can be spoofed; IP ownership is harder to fake.
- Renders JavaScript: No
- IP verification: Published IP ranges
- Crawl frequency: Variable / probing
- Honors robots.txt: Yes
- Honors Crawl-delay: Varies
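A minimal sketch of the IP half of the check, assuming you have already fetched the operator's published CIDR ranges. The ranges below are illustrative placeholders, not Google's actual list; pull the real ranges from Google's documentation and refresh them periodically, since they change:

```python
import ipaddress

# Placeholder CIDR blocks -- substitute the operator's published ranges.
PUBLISHED_RANGES = [
    ipaddress.ip_network("66.249.64.0/19"),      # assumed example block
    ipaddress.ip_network("2001:4860:4801::/48"), # assumed example block
]

def ip_in_published_ranges(ip: str) -> bool:
    """Return True if the request's source IP falls inside a published range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PUBLISHED_RANGES)

# Usage: run this at the CDN or edge alongside the User-Agent match.
print(ip_in_published_ranges("66.249.66.1"))   # True (inside the example block)
print(ip_in_published_ranges("203.0.113.5"))   # False
```

Only when both the User-Agent and the source IP check out should a request be treated as genuinely the operator's.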
Google runs 103 bots in total. Each one identifies with its own user-agent string, so you can allow or block them independently.
Link Unfurler (25)
- Google Feed Fetcher
- Google Image Proxy
- Google Publisher Center
- Google Web Preview
- Google-AdWords-Express
- Google-PageRenderer
- Google-Read-Aloud
- GoogleDocs
- GoogleImageProxy
- GoogleProducer
- Gmail Image Proxy
- Google Calendar Importer
- Google Page Renderer
- Google Web Snippet
- Google API
- Google Cloud Scheduler
- Google-Document-Conversion
- Google Sheets
- Google Slides
- Google Docs
- Google Area 120 Privacy Policy Fetcher
- Chrome Privacy Preserving Prefetch Proxy
- Google Cloud Function
- GoogleApps-DocumentScanner
- GoogleStackdriverMonitoring
Search Engine (14)
DevOps & Monitoring (13)
- Chrome-Lighthouse
- Google Inspection Tool
- Google Schema Markup Testing Tool
- Google Trust Services (DCV Check)
- Google-Structured-Data-Testing-Tool
- GoogleAssociationService
- ProjectShield Url Check
- Google Read Aloud
- Google Search Console
- Google Page Speed Insights
- Google Partner Monitoring
- Google Structured Data Testing Tool
- Google Stackdriver Monitoring
Ads Network Bot (11)
Training Crawler (9)
Agentic Browser (8)
Security Scanner (7)
- Google-Safety
- Google-Trust-Services
- ProjectShield-UrlCheck
- Google-BusinessLinkVerification
- Google Safety
- Google Site Verification (you are here)
- Google Transparency Report
SEO Crawler (4)
Brand Intelligence (3)
Shopping Bot (3)
Live-Fetch AI (2)
Ad Verification (2)
AI Coding Tool (1)
Agentic Commerce (1)
Should I let Google Site Verification through?
Watch your logs for a week first. Allow your own pen-testers and bug-bounty researchers. Block hostile reconnaissance. Source IP and pattern tell you which is which.
Does blocking Google Site Verification affect my Google rankings?
No. Google Site Verification is not a search-engine crawler. Your ranking on Google or Bing is unaffected by what you do here.
How do I confirm a request is really from Google Site Verification?
Two checks. The User-Agent header should match a known Google Site Verification string, and the request's source IP should fall inside Google's published ranges. The User-Agent alone is trivially spoofable, so the IP check is what gives you confidence. Google publishes the ranges so you can validate at the CDN or edge.
Is Google Site Verification hostile traffic?
Depends entirely on the source. Penetration testers and bug-bounty researchers you've authorised should be allowed. Reconnaissance from random IPs probing for vulnerabilities should be blocked. The User-Agent alone doesn't tell you which is which; the source IP and request pattern do.
How is Google Site Verification different from Google's other bots?
Google splits work across multiple user-agents so site owners can decide on each one independently. Training crawlers, live-fetch agents, search indexers, and agentic browsers each get their own name. Worth scanning the rest of the Google family above to see which ones actually matter for your site.
What's the cleanest way to control Google Site Verification?
Two layers. Robots.txt for the polite crawlers that read it, and rules at your CDN or edge for the ones that don't. Rankly's Agent Experience handles both from a single config, so you can allow, block, rate-limit, or serve a stripped-down version per bot. Agent Analytics handles the observation half so you know which bots are actually worth a rule.
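Since this bot reportedly honors robots.txt, the polite layer can be a plain robots.txt rule. The user-agent token below is an assumption; verify the exact token against Google's documentation before relying on it:

```txt
# Assumed token -- confirm against the operator's documentation
User-agent: Google-Site-Verification
Disallow: /
```

The edge-rule layer is still needed as a backstop, because robots.txt is advisory and spoofed clients ignore it.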
Verify everything above against the operator's own documentation.