What do to if your website was marked as malicious by an antivirus or security vendor?

Aside from the obvious JavaScript injections and framework exploits, check for

  • multiple redirects
  • \u-encoded JavaScript code
  • broken or too permissive CORS along with suspicious backend name

Then, check different website URLs on Virustotal URL checker and use yaronelh/False-Positive-Center to report false positives.