Steven Kop

We're open-sourcing 3 CLI tools for website compliance testing

We built a scanner for European websites. Along the way we extracted three internal tools that work great standalone. All MIT licensed, all CI-friendly.

1. Cookie Consent Validator

Clicks "Reject All" on your cookie banner and checks if tracking actually stops.

npx @trustyourwebsite/cookie-consent-validator https://your-site.com

Detects the CMP (Cookiebot, OneTrust, Complianz, CookieYes, Iubenda, generic), records cookies and network requests before and after rejection, and flags violations.

Most cookie banners are decorative. The Dutch DPA fined Kruidvat (€600K) and Coolblue (€40K) for banners that didn't actually work. This tool catches that.

GitHub: trustyourwebsite/cookie-consent-validator

2. Security Headers Checker

Grades your security headers A+ to F with specific remediation advice.

npx @trustyourwebsite/security-headers https://your-site.com

Checks HSTS, CSP (full directive parsing, flags unsafe-inline/unsafe-eval), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/CORP/COEP. Also flags Server/X-Powered-By version disclosure.

Zero runtime dependencies. CI mode: --ci --min-grade B exits with code 1 if the grade drops below B.

GitHub: trustyourwebsite/security-headers

3. DNS Email Authentication Auditor

Validates your SPF, DKIM, and DMARC setup.

npx @trustyourwebsite/dns-auth-check your-domain.com

The killer feature: recursive SPF lookup counting. Your SPF record might look fine, but every include: triggers a DNS lookup. Google Workspace + Mailchimp + a transactional sender can silently exceed the 10-lookup limit (RFC 7208), breaking SPF without any visible error.

Also auto-discovers DKIM selectors (probes 12+ common ones) so you don't need to know yours. Checks DMARC policy, BIMI, MTA-STS.

Zero runtime dependencies. Uses node:dns/promises.

GitHub: trustyourwebsite/dns-auth-check
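
The recursive SPF lookup counting described above, as an added example (not the dns-auth-check source code). It assumes a `Map` of constructed TXT records in place of live DNS; every domain name, record and the `countSpfLookups` function are made up for illustration.

```typescript
// Constructed SPF records (not real DNS data); the Map stands in for TXT lookups.
const ZONE = new Map<string, string>([
  ["example.test", "v=spf1 include:_spf.mail.test include:servers.news.test include:tx.send.test mx a ~all"],
  ["_spf.mail.test", "v=spf1 include:_nb1.mail.test include:_nb2.mail.test include:_nb3.mail.test ~all"],
  ["_nb1.mail.test", "v=spf1 ip4:192.0.2.0/24 ~all"],
  ["_nb2.mail.test", "v=spf1 ip4:198.51.100.0/24 ~all"],
  ["_nb3.mail.test", "v=spf1 ip6:2001:db8::/32 ~all"],
  ["servers.news.test", "v=spf1 ip4:203.0.113.0/25 ~all"],
  ["tx.send.test", "v=spf1 include:a.tx.send.test include:b.tx.send.test exists:%{i}.bl.tx.send.test ~all"],
  ["a.tx.send.test", "v=spf1 ip4:203.0.113.128/26 ~all"],
  ["b.tx.send.test", "v=spf1 ip4:203.0.113.192/26 ~all"],
  ["small.test", "v=spf1 include:servers.news.test mx -all"],
]);

const SPF_LOOKUP_LIMIT = 10; // RFC 7208 section 4.6.4
// Terms that cost one DNS lookup each; ip4, ip6 and all cost none.
const COUNTED = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);

interface SpfCount { lookups: number; chain: string[]; exceeds: boolean }

function countSpfLookups(domain: string, zone: Map<string, string>): SpfCount {
  const chain: string[] = [];
  let lookups = 0;
  const walk = (current: string, active: Set<string>): void => {
    const record = zone.get(current);
    // Stop on a missing record or an include loop so the walk always terminates.
    if (record === undefined || active.has(current)) return;
    active.add(current);
    for (const term of record.split(/\s+/).slice(1)) { // slice(1) skips "v=spf1"
      // Optional qualifier, then "mechanism:value" or "modifier=value".
      const m = /^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?/i.exec(term);
      if (!m) continue;
      const kind = (m[1] ?? "").toLowerCase();
      if (!COUNTED.has(kind)) continue;
      lookups += 1;
      chain.push(`${current} -> ${term}`);
      const target = m[2];
      // Only include and redirect pull in another SPF record to evaluate.
      if ((kind === "include" || kind === "redirect") && target) walk(target.toLowerCase(), active);
    }
    active.delete(current);
  };
  walk(domain.toLowerCase(), new Set<string>());
  return { lookups, chain, exceeds: lookups > SPF_LOOKUP_LIMIT };
}

console.log(countSpfLookups("example.test", ZONE));
```

The top-level record for `example.test` has only five lookup-causing terms, but the nested includes bring the total past the limit; `chain` lists which record contributed each lookup.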


All three: MIT license, TypeScript, JSON + table output, works on Node 18+. PRs welcome.

If you want all of these checks (plus accessibility, image copyright, dark patterns, legal pages) in a single scan: trustyourwebsite.nl
