Security & compliance deep audit

Security & compliance module

/dashboard/sites/<id>/audit/security runs a four-layer probe surfacing email-auth, transport security, cookie inventory, and privacy-policy completeness.

Email authentication (DNS)

• DMARC — policy enum (reject/quarantine/none/missing)
• SPF — record enum (-all hard-fail, ~all soft-fail, ?all neutral, +all allow-all, missing)
• DKIM — 8 common selectors probed in parallel (default, google, mail, k1, selector1, selector2, etc)

Transport security (headers)

• HSTS with max-age ≥31536000 + includeSubDomains + preload → hstspreload.org eligibility
• CSP parsed + scored against 7 high-impact directives (default-src, script-src, style-src, img-src, connect-src, frame-ancestors, object-src). Wildcards and unsafe-inline/unsafe-eval lose points.
• HTTP/3 detected via alt-svc: h3 header
• SRI coverage on external script + stylesheet links

Cookie inventory

Parses Set-Cookie response headers into {name, classification, lifetime, secure} rows. 12-pattern classifier maps cookie names → analytics / advertising / essential / preference.

Privacy + compliance

• Privacy-policy discovery (6 candidate paths: /privacy, /privacy-policy, /policy/privacy, /legal/privacy, etc)
• Policy completeness scored against 12 GDPR Article 13 disclosure points (controller, purposes, legal basis, retention, third parties, transfers, user rights, cookies, DPO, security, children, updates)
• GDPR signals (EU) — 7 binary flags
• CCPA signals (California) — 4 binary flags, "Do Not Sell" link presence
• DPDP-India signals — 3 binary flags (Digital Personal Data Protection Act, grievance officer, India-residency disclosure)

Composite score

Weighted: 25% email-auth · 25% CSP · 15% HSTS+preload · 10% SRI · 15% policy completeness · 10% cookie compliance.