DEV Community: Xlil frhdi The latest articles on DEV Community by Xlil frhdi (@xlil_frhdi_a75b0db385b756). https://dev.to/xlil_frhdi_a75b0db385b756 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3899216%2Fbd03a254-a8a7-4665-b83d-135e08f9bbc0.png DEV Community: Xlil frhdi https://dev.to/xlil_frhdi_a75b0db385b756 en SecAudit: I built a passive web security auditor in Python (TLS, headers, CSP, cookies, DNS — all parallel) Xlil frhdi Sun, 26 Apr 2026 18:37:01 +0000 https://dev.to/xlil_frhdi_a75b0db385b756/secaudit-i-built-a-passive-web-security-auditor-in-python-tls-headers-csp-cookies-dns-all-33ac https://dev.to/xlil_frhdi_a75b0db385b756/secaudit-i-built-a-passive-web-security-auditor-in-python-tls-headers-csp-cookies-dns-all-33ac <h1> SecAudit: Passive Web Security Auditing with a Hacker-Aesthetic Terminal UI </h1> <h2> The problem </h2> <p>Every time I finished a web project, I had to run 5 different tools to check security basics:</p> <ul> <li>testssl.sh for TLS</li> <li>securityheaders.com for headers </li> <li>mxtoolbox for DNS</li> <li>Manual cookie inspection in DevTools</li> <li>Another tool for CSP</li> </ul> <p>None of them gave me a single prioritized view. So I built SecAudit.</p> <h2> What it does </h2> <p>SecAudit is a Python CLI that runs a complete external security posture audit in one command — everything runs in <strong>parallel</strong> via asyncio so it finishes in seconds, not minutes.</p> <h3> Modules: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>What it checks</th> </tr> </thead> <tbody> <tr> <td><code>tls</code></td> <td>Certificate chain, expiry, protocol version, cipher suites</td> </tr> <tr> <td><code>headers</code></td> <td>HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP</td> </tr> <tr> <td><code>csp</code></td> <td>Content Security Policy completeness and unsafe directives</td> </tr> <tr> <td><code>cookies</code></td> <td>Secure, HttpOnly, SameSite on every Set-Cookie header</td> </tr> <tr> <td><code>cors</code></td> <td>Cross-origin credentialed request permissiveness</td> </tr> <tr> <td><code>csrf</code></td> <td>CSRF token presence and SameSite coverage</td> </tr> <tr> <td><code>dns</code></td> <td>SPF, DKIM, DMARC, CAA records</td> </tr> <tr> <td><code>js</code></td> <td>Source map exposure, debug builds in production</td> </tr> <tr> <td><code>api</code></td> <td>API endpoint fingerprinting</td> </tr> <tr> <td><code>cache</code></td> <td>Proxy/cache header leakage</td> </tr> </tbody> </table></div> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash git clone https://github.com/SllHex/secaudit cd secaudit pip install -r requirements.txt python -m secaudit scan https://your-app.com </code></pre> </div> cli python security showdev