DEV Community

Cover image for Introducing SecureCheck: An Open-Source Security Scanner for Web Applications
Ashish Sharda
Ashish Sharda

Posted on

Introducing SecureCheck: An Open-Source Security Scanner for Web Applications

#webdev #security #opensource #node

Introducing SecureCheck v1.0

I'm excited to share SecureCheck, an open-source security testing library I built to help developers identify common web vulnerabilities before they become problems.

The Problem

As developers, we often focus on features and performance, but security can fall through the cracks. Security audits are expensive, and many security tools are either too complex or require significant setup time.

I wanted something simple: a tool that could scan a website in under 2 minutes and tell me exactly what's wrong and how to fix it.

The Solution

SecureCheck is a lightweight Node.js library with zero dependencies that scans websites for:

  • HTTP Security Headers - Missing CSP, HSTS, X-Frame-Options, etc.
  • SSL/TLS Configuration - Certificate expiry, HTTPS enforcement
  • Information Disclosure - Exposed .git, .env, config files
  • Cookie Security - Missing Secure, HttpOnly, SameSite flags
  • XSS Vulnerabilities - Basic detection of potential cross-site scripting

What Makes It Different?

1. Educational, Not Just Diagnostic

Each vulnerability includes:

  • What's wrong
  • Why it matters (real-world impact)
  • How to fix it (specific recommendations)

Example output:

🟠 [HIGH] Missing Content Security Policy
Category: HTTP Headers
Issue: No Content-Security-Policy header found
Impact: Without CSP, your site is more vulnerable to XSS attacks.
Attackers can inject malicious scripts that steal user data,
hijack sessions, or deface your website.
Fix: Implement CSP to prevent XSS attacks.
Start with: Content-Security-Policy: default-src 'self'

2. Zero Dependencies

Built with pure Node.js. No bloated dependency chains or security vulnerabilities from third-party packages.

3. Beautiful Output

Color-coded severity levels make it easy to prioritize fixes at a glance.

4. Fast

Complete scan in under 2 minutes. Perfect for CI/CD pipelines.

Installation 

npm install -g securecheck

**Usage**

# Basic scan
securecheck https://example.com

# Verbose output
securecheck https://example.com --verbose

# JSON output for CI/CD
securecheck https://example.com --json

**Use as a Library**

const SecureCheck = require('securecheck');

(async () => {
  const scanner = new SecureCheck('https://example.com', {
    verbose: true,
    timeout: 10000
  });

  const results = await scanner.scan();
  console.log(results);
})();
Enter fullscreen mode Exit fullscreen mode

Real-World Example
I tested SecureCheck on a popular sports website and found:

  • 23 medium severity issues
  • 1 high severity issue (missing CSP)
  • 2 low severity issues
  • 1 informational finding

All in under 1 second.

What's Next?

Roadmap for v1.1:

  • SQL injection detection
  • CORS misconfiguration checks
  • Subdomain enumeration
  • HTML report generation

Roadmap for v2.0:

  • Authenticated scanning
  • API endpoint testing
  • Web dashboard

Contributing

SecureCheck is open source (MIT license) and I'd love your contributions! Whether it's:

  • Adding new security checks
  • Improving documentation
  • Reporting bugs
  • Suggesting features

Check out the Contributing Guide.

Important Note

SecureCheck is designed for testing YOUR OWN websites or sites where you have explicit permission. Unauthorized security testing may be illegal in your jurisdiction.

Links

GitHub: github
NPM: npm
Issues: GitHub Issues

Conclusion

Security doesn't have to be complicated. With SecureCheck, you can catch common vulnerabilities in your development workflow and learn about security best practices along the way.
Give it a try and let me know what you think! Star the repo if you find it useful.

Top comments (0)