DEV Community: Steven Kop The latest articles on DEV Community by Steven Kop (@steven_kop). https://dev.to/steven_kop https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3868459%2Fb5a99439-7519-4c80-9837-f57d3a30a4fa.png DEV Community: Steven Kop https://dev.to/steven_kop en We're open-sourcing 3 CLI tools for website compliance testing Steven Kop Wed, 08 Apr 2026 19:33:44 +0000 https://dev.to/steven_kop/were-open-sourcing-3-cli-tools-for-website-compliance-testing-1n61 https://dev.to/steven_kop/were-open-sourcing-3-cli-tools-for-website-compliance-testing-1n61 <p>We built a scanner for European websites. Along the way we extracted three internal tools that work great standalone. All MIT licensed, all CI-friendly.</p> <h2> 1. Cookie Consent Validator </h2> <p>Clicks "Reject All" on your cookie banner and checks if tracking actually stops.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx @trustyourwebsite/cookie-consent-validator https://your-site.com </code></pre> </div> <p>Detects the CMP (Cookiebot, OneTrust, Complianz, CookieYes, Iubenda, generic), records cookies and network requests before and after rejection, flags violations.</p> <p>Most cookie banners are decorative. The Dutch DPA fined Kruidvat (€600K) and Coolblue (€40K) for banners that didn't actually work. This tool catches that.</p> <p><strong>GitHub:</strong> <a href="https://github.com/trustyourwebsite/cookie-consent-validator" rel="noopener noreferrer">trustyourwebsite/cookie-consent-validator</a></p> <h2> 2. Security Headers Checker </h2> <p>Grades your security headers A+ to F with specific remediation advice.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx @trustyourwebsite/security-headers https://your-site.com </code></pre> </div> <p>Checks HSTS, CSP (full directive parsing, flags <code>unsafe-inline</code>/<code>unsafe-eval</code>), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/CORP/COEP. Also flags Server/X-Powered-By version disclosure.</p> <p>Zero runtime dependencies. CI mode: <code>--ci --min-grade B</code> exits with code 1 if the grade drops.</p> <p><strong>GitHub:</strong> <a href="https://github.com/trustyourwebsite/security-headers" rel="noopener noreferrer">trustyourwebsite/security-headers</a></p> <h2> 3. DNS Email Authentication Auditor </h2> <p>Validates your SPF, DKIM, and DMARC setup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx @trustyourwebsite/dns-auth-check your-domain.com </code></pre> </div> <p>The killer feature: <strong>recursive SPF lookup counting</strong>. Your SPF record might look fine, but every <code>include:</code> triggers a DNS lookup. Google Workspace + Mailchimp + a transactional sender can silently exceed the 10-lookup limit (RFC 7208), breaking SPF without any visible error.</p> <p>Also auto-discovers DKIM selectors (probes 12+ common ones) so you don't need to know yours. Checks DMARC policy, BIMI, MTA-STS.</p> <p>Zero runtime dependencies. Uses <code>node:dns/promises</code>.</p> <p><strong>GitHub:</strong> <a href="https://github.com/trustyourwebsite/dns-auth-check" rel="noopener noreferrer">trustyourwebsite/dns-auth-check</a></p> <p>All three: MIT license, TypeScript, JSON + table output, works on Node 18+. PRs welcome.</p> <p>If you want all of these checks (plus accessibility, image copyright, dark patterns, legal pages) in a single scan: <a href="https://trustyourwebsite.nl" rel="noopener noreferrer">trustyourwebsite.nl</a></p> opensource security webdev privacy