This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 88%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDP%3C/text%3E%3C/svg%3E)
Hello,
I work at a company that enables business owners to invoice their customers for products and services and accept payments online. This process involves sharing a link to a payment page for a particular invoice that the customer can use to make a credit card payment.
Recently several customers have reported seeing a red SmartScreen box appear over our credit card payment form, which is being hosted via iframe from a PCI-compliant environment in AWS. This has affected several of our merchants, and we are unable to reproduce the issue as the SmartScreen box seems to be based on factors we can't control for (location, operating system, smartscreen settings, etc.)
Are there any steps we can take to prevent or reduce the occurrence of this false-positive SmartScreen overlay? I'm uncertain if there is an allow-list for SmartScreen that we can get certified to, or if there is a way to identify what behaviour on the page is causing SmartScreen to be shown so that we can take steps to remedy.
Thanks in advance for anyone who is able to help! :)
Dylan Pomeroy
Hi Dylan,
If I am a website owner, what can I do to help minimize the chance of my website being flagged by Microsoft Defender SmartScreen?
There are several things you can do that can help minimize the chance of your site being flagged as suspicious. Think of these as best practices or optimal website design ethics.
If you ask users for personal information, use HTTPS with a valid, unexpired server certificate issued by a trusted certification authority.
Make sure that your webpage doesn't expose any cross-site scripting (XSS) vulnerabilities. Protect your site by using anti-cross-site scripting functions such as those provided by the Microsoft Anti-Cross Site Scripting library.
Use the fully-qualified domain name rather than an IP-literal address. (This means a URL should look like "microsoft.com" and not "207.46.19.30.")
Don't encode or tunnel your URLs unnecessarily. If you don't know what this means, you probably aren't doing it.
If you post external or third-party hosted content, make sure that the content is secure and from a known and trusted source.
Source:
https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx
Besides, Report your company website here
https://feedback.smartscreen.microsoft.com/feedback.aspx?result=block&t=16&URL=jabailey.com
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.