CyberDevAI-X/website-security-scanner
Web Security Configuration Auditor

Technical auditing implementation for automated inspection of HTTP response headers, TLS protocol configurations, and cookie policies.


Technical Overview

This application provides a strictly non-intrusive security analysis of public web assets. It focuses on the evaluation of security configuration baselines, compliance with RFCs, and alignment with OWASP standards. No state-changing requests, exploitation attempts, or active payloads are performed.

Analysis Scope

  • HTTP Security Headers: Inspection of HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
  • TLS Configuration: Posture assessment of server-supported protocols and cipher suites.
  • Cookie Security Attributes: Baseline review of Secure, HttpOnly, and SameSite flags.
  • Configuration Artifacts: Detection of metadata exposed in HTTP response parameters.

Technology Stack

  • Frontend: React 18, Vite, Axios
  • Backend: Node.js, Express
  • UI Architecture: Centralized CSS Token System, CSS Grid/Flexbox layout with viewport-aware sticky contextual navigation.

DevSecOps & Threat Mitigation

This application implements defensive programming principles aligned with the OWASP API Security Top 10 (2023):

  • SSRF Prevention (API3:2023): A custom DNS resolution interceptor drops requests whose target resolves to an internal network (e.g., 169.254.169.254, 10.0.0.0/8, 192.168.0.0/16, 127.0.0.1), so the server cannot be used as a proxy for internal network enumeration.
  • Rate Limiting (API4:2023): Uses express-rate-limit to cap requests per client IP, mitigating brute-force polling and DoS vectors.
  • Security Header Injection (API7:2023): Uses helmet to set response headers that mitigate XSS, enforce HSTS, and disable MIME sniffing.
  • CORS Hardening: Strict Origin binding limits cross-origin exposure of the API backend.

Execution

Local Setup

  1. Backend Configuration:
    cd backend
    npm install
    npm run dev
  2. Frontend Configuration:
    cd frontend
    npm install
    npm run dev

After initialization, the frontend is accessible at http://localhost:5174 (or whichever port Vite reports on startup).

Project Scope & Integrity

This project is constrained to passive analysis:

  • No Payload Injection: Observes server responses only.
  • No Active Exploitation: Focuses entirely on configuration state.
  • Factual Reporting: Delivers technical findings based on explicit RFC divergence.

Security Notice

This tool is developed for research and authorized security inspections. It performs passive metadata extraction and does not impact the availability or integrity of target infrastructure.

About

React + Node/Express passive web security auditor for TLS/SSL posture, HTTP security headers, cookie policies, and SSRF-safe target validation.
