📚 Part of the FedRAMP Authorization Guide: Cloud Security for Federal Government Compliance series.
title: 'The Complete Web Application Security Audit Workflow: From Reconnaissance to Remediation' date: '2025-01-07' excerpt: 'Master the complete web application security audit workflow used by security teams worldwide. This comprehensive guide covers reconnaissance, security headers, SSL/TLS analysis, email authentication, privacy compliance, threat intelligence, and remediation planning with practical tools and techniques.' author: 'InventiveHQ Security Team' category: 'Security' tags:
- Web Security
- Security Audit
- OWASP
- Penetration Testing
- Compliance
- SSL/TLS
- Email Security readingTime: 22 featured: true heroImage: "https://images.unsplash.com/photo-1563013544-824ae1b704d3?w=1200&h=630&fit=crop"
Security Headers Analyzer
Test HTTP security headers and get security scores with actionable recommendations
Open the full Security Headers Analyzer tool →Domain Risk Scanner
Comprehensive domain security scan: SSL/TLS, security headers, email authentication, DNS health, HTTPS enforcement, breach history, domain reputation, and privacy compliance — all in one report with a weighted risk score
Open the full Domain Risk Scanner tool →Introduction
In 2025, web applications face an unprecedented threat landscape. According to the Web Application Security Report 2025, 56% of organizations experienced a breach or compromise in the last 12 months—up from 50% the previous year. Web application breaches now account for 25% of all breaches, with the global average cost reaching $4.44 million per incident.
The stakes have never been higher. Malware injection attacks increased to 34% (from 29%), while API security incidents affected 41% of organizations, with 63% resulting in data breaches. Yet companies that contained breaches in under 200 days saved over $1 million compared to slower responders—demonstrating that systematic security audits are not optional, they're essential.
The OWASP Top 10 2025 reflects this evolving threat landscape with two major additions: Software Supply Chain Failures and Mishandling of Exceptional Conditions. Security Misconfiguration jumped from #5 to #2, while Broken Access Control retained the #1 spot for the fourth consecutive year. According to industry research, systematic security audits prevent over 70% of breaches when implemented correctly.
The API-Driven Era and Modern Challenges
Today's web applications are increasingly API-driven, creating new attack surfaces. Application security statistics show that 41% of organizations experienced API security incidents in 2024, with most resulting from authentication failures, injection attacks, and misconfigured access controls. Cloud misconfiguration has become the #1 security challenge (63% of respondents), followed by API security concerns (58%).
Why Systematic Audits Matter
A comprehensive security audit isn't just a compliance checkbox—it's a defensive strategy that:
- Identifies vulnerabilities before attackers do - Proactive discovery beats reactive incident response
- Reduces breach costs by 80%+ - Early detection and remediation dramatically lower financial impact
- Ensures regulatory compliance - GDPR, CCPA, PCI-DSS, HIPAA all require security assessments
- Protects brand reputation - Preventing breaches protects customer trust
- Enables continuous improvement - Quarterly audits build a security-first culture
Audit Workflow Overview
This guide covers the complete 7-stage web application security audit workflow:
- Pre-Audit Reconnaissance & Discovery (10-20 minutes) - Map your attack surface
- Security Headers & Policy Analysis (15-30 minutes) - Evaluate HTTP security posture
- SSL/TLS Certificate & Encryption Analysis (20-40 minutes) - Validate encryption standards
- Email Security & Authentication (30-45 minutes) - Prevent spoofing and phishing
- Privacy & Compliance Analysis (20-30 minutes) - GDPR, CCPA compliance verification
- Threat Intelligence & Attack Surface Management (15-25 minutes) - Monitor active threats
- Audit Documentation & Remediation Planning (30-60 minutes) - Actionable remediation roadmap
Each stage builds on the previous, creating a comprehensive security assessment that transforms raw findings into actionable intelligence.
Who This Guide Is For:
- Security engineers conducting web application assessments
- Penetration testers performing pre-engagement reconnaissance
- DevOps teams implementing security-first pipelines
- Compliance teams preparing for audits (SOC 2, ISO 27001, PCI-DSS)
- CISOs building security assessment programs
Let's begin with reconnaissance—understanding your attack surface before auditing security controls.
Stage 1: Pre-Audit Reconnaissance & Discovery (10-20 minutes)
Before you can secure an application, you must understand its complete attack surface. Modern web applications rarely consist of a single domain—they span subdomains, APIs, CDNs, third-party integrations, and cloud services. Missing even one subdomain can leave a critical vulnerability undetected.
Step 1.1: Domain & Subdomain Discovery
Goal: Create a complete inventory of all web assets, subdomains, and DNS records.
Why This Matters: Attackers don't just target your main website—they hunt for forgotten subdomains, staging environments, development servers, and API endpoints that may have weaker security controls. A comprehensive penetration testing methodology always begins with reconnaissance.
Certificate Transparency Lookup
Tool: Certificate Transparency Lookup
Certificate Transparency (CT) logs provide a public, append-only record of all SSL/TLS certificates issued for your domain. This is a goldmine for subdomain discovery.
How to Use:
- Navigate to the Certificate Transparency Lookup tool
- Enter your primary domain (e.g.,
example.com) - Search CT logs from multiple providers (crt.sh, Google CT, Censys)
- Export the complete list of discovered subdomains
What You'll Find:
Primary Domain: example.com
├── www.example.com (Production website)
├── api.example.com (REST API endpoint)
├── staging.example.com (Staging environment - potential vulnerability)
├── dev.example.com (Development server - often poorly secured)
├── mail.example.com (Email server)
├── vpn.example.com (VPN gateway)
└── forgotten-project.example.com (Abandoned subdomain - high risk)
Security Insight: CT logs reveal unauthorized certificate issuance attempts—if you see certificates for your domain that you didn't request, you may have a compromised DNS account or a typosquatting campaign targeting your organization.
DNS Record Analysis
Tool: DNS Lookup
DNS records expose critical infrastructure details and potential security gaps.
Record Types to Analyze:
| Record Type | Security Significance |
|---|---|
| A/AAAA | Web server IP addresses, geolocation, hosting provider |
| MX | Email infrastructure, SPF/DMARC requirements |
| TXT | SPF, DKIM, DMARC, domain verification tokens |
| CNAME | Third-party services, CDN configurations |
| NS | Authoritative nameservers, DNS security status |
| CAA | Certificate Authority Authorization (prevents unauthorized SSL issuance) |
Example DNS Analysis:
example.com DNS Analysis:
A Records:
example.com → 192.0.2.100 (Primary web server)
www.example.com → 192.0.2.100 (Same as root - good)
MX Records:
example.com → mail.example.com (Priority: 10)
⚠️ Missing SPF record - email spoofing vulnerability
TXT Records:
v=spf1 include:_spf.google.com ~all (Present - good)
⚠️ Missing DMARC record - no email authentication policy
CAA Records:
⚠️ No CAA records found - any CA can issue certificates
DNSSEC:
✓ DNSSEC enabled - DNS responses are cryptographically signed
DNS Lookup Tool Features:
- Query all record types simultaneously
- Email security health scoring (SPF, DKIM, DMARC detection)
- DNSSEC validation status
- Historical DNS record tracking
WHOIS Registration Analysis
Tool: WHOIS Lookup
WHOIS data reveals domain ownership, registration dates, and expiration timelines—critical for understanding your organization's digital footprint.
Key Information to Extract:
- Domain Expiration Date - Domains expiring within 90 days need immediate renewal attention
- Registrar Information - Validate authorized registrar to detect domain hijacking
- Nameservers - Confirm DNS hosting provider matches your records
- Registration Date - Newly registered domains (< 30 days) associated with your organization may indicate typosquatting
Security Red Flags:
Domain: example.com
Registered: 2010-03-15 (15 years old - legitimate)
Expires: 2025-03-15 (Expires in 68 days - ⚠️ RENEWAL REQUIRED)
Registrar: Example Registrar Inc.
Nameservers: ns1.example-dns.com, ns2.example-dns.com
Privacy Protection: Disabled (Contact info visible)
⚠️ ACTION REQUIRED:
- Domain expires in 68 days - set up auto-renewal
- Privacy protection disabled - enables social engineering attacks
Step 1.2: Initial Risk Assessment
IP Risk & Geolocation Analysis
Tool: IP Risk Checker
Not all IP addresses are created equal. Your web servers could be flagged on blocklists, hosted in high-risk jurisdictions, or sharing infrastructure with malicious actors.
What This Tool Checks:
- Geolocation & ISP - Physical location, hosting provider, ASN
- Threat Intelligence - Blocklist status (Spamhaus, SURBL, Project Honey Pot)
- Fraud Scoring - VPN/proxy detection, historical abuse reports
- Reputation Analysis - Email reputation, DDoS mitigation status
Example Analysis:
IP Address: 192.0.2.100
Geolocation: San Francisco, CA, USA
ISP: Cloudflare Inc. (AS13335)
Hosting Type: Content Delivery Network (CDN)
Threat Intelligence:
✓ No blocklist matches (Clean)
✓ No abuse reports in last 90 days
✓ Email reputation: Excellent
Risk Score: 2/100 (Very Low Risk)
High-Risk Indicators:
- IP listed on 3+ spam blocklists (email deliverability issues)
- Geolocation mismatch (server located in unexpected country)
- Shared hosting with known malicious sites
- Recent abuse reports (DDoS, phishing, malware hosting)
Domain Spoofing & Typosquatting Detection
Tool: Domain Spoofing Detector
Attackers register domains that look like yours to conduct phishing attacks, distribute malware, or steal credentials. These include:
- Typosquatting:
examp1e.com(1 instead of l) - Homograph Attacks:
еxample.com(Cyrillic 'е' instead of Latin 'e') - TLD Variations:
example.org,example.net,example.co - Subdomain Impersonation:
www-example.com,example-login.com
How to Use:
- Enter your primary domain
- Generate all common spoofing variations (500+ patterns)
- Check which domains are already registered
- Identify active phishing campaigns
Example Output:
Primary Domain: example.com
Registered Typosquatting Domains:
⚠️ exampl3.com (Registered 2024-12-15 - ACTIVE PHISHING SITE)
⚠️ example-secure-login.com (Registered 2024-11-20 - Credential harvesting)
⚠️ еxample.com (Cyrillic homograph - Registered 2024-10-05)
Recommended Defensive Registrations:
☐ examp1e.com (Available - register to prevent abuse)
☐ example.org (Available - protect your brand)
☐ example.net (Available - defensive registration)
Defensive Actions:
- Register high-risk variations proactively
- Monitor newly registered similar domains (use CT logs)
- File takedown requests for active phishing sites
- Implement DMARC
p=rejectto prevent email spoofing (Stage 4)
robots.txt Security Analysis
Tool: robots.txt Analyzer
The robots.txt file tells search engines which paths to crawl—but it also tells attackers where to find sensitive directories, admin panels, and hidden resources.
Security Issues to Check:
1. Sensitive Path Disclosure
User-agent: *
Disallow: /admin/ ⚠️ Admin panel location revealed
Disallow: /backup/ ⚠️ Backup files location disclosed
Disallow: /api/internal/ ⚠️ Internal API endpoints exposed
Disallow: /.git/ ⚠️ Git repository accessible
Disallow: /config/ ⚠️ Configuration files visible
Why This Is Dangerous:
The Disallow directive doesn't protect these paths—it just tells robots not to crawl them. Attackers ignore robots.txt and directly access these URLs.
2. Missing Critical Disallows
User-agent: *
Disallow: /
⚠️ WARNING: Entire site blocked from search engines
This configuration prevents legitimate indexing
3. Sitemap Discovery
Sitemap: https://example.com/sitemap.xml
✓ Good: Helps search engines discover content
⚠️ Also helps attackers map your site structure
robots.txt Analyzer Features:
- Parse
robots.txtsyntax and validate directives - Identify sensitive path disclosures
- Test if specific URLs are allowed/disallowed
- Security scoring with remediation recommendations
Best Practices:
- Never use
Disallowfor sensitive paths—use proper authentication instead - Sensitive directories should return 403 Forbidden or 404 Not Found, not rely on robots.txt
- Use web application firewalls (WAFs) to protect admin panels
- Remove
.git,/backup,/configdirectories from production servers entirely
Step 1.3: Reconnaissance Output & Deliverables
After 15-20 minutes of reconnaissance, you should have:
-
Complete Asset Inventory
-
All subdomains discovered (CT logs, DNS brute-forcing)
-
All DNS records documented (A, MX, TXT, CAA, NS)
-
Domain registration details (WHOIS data, expiration dates)
-
Initial Risk Assessment
-
IP reputation scores and blocklist status
-
Geolocation and hosting provider analysis
-
Typosquatting and homograph attack detection
-
robots.txt security analysis
-
Attack Surface Map
Example.com Attack Surface Summary:
Primary Assets:
- example.com (Production)
- www.example.com (Production)
- api.example.com (REST API)
High-Risk Discoveries:
⚠️ staging.example.com (No authentication detected)
⚠️ dev.example.com (Directory listing enabled)
⚠️ backup.example.com (Exposed backup files)
Typosquatting Threats:
⚠️ 3 active phishing domains detected
Missing Security Controls:
⚠️ No CAA records (unauthorized cert issuance possible)
⚠️ No DMARC policy (email spoofing risk)
⚠️ robots.txt exposes sensitive paths
Next Steps: With a complete attack surface map, proceed to Stage 2: Security Headers Analysis to evaluate HTTP security controls.
Stage 2: Security Headers & Policy Analysis (15-30 minutes)
HTTP security headers are your first line of defense against client-side attacks. They instruct browsers to enforce security policies—preventing XSS, clickjacking, MIME sniffing, and other common exploits. According to Maelstrom Web Services, security headers are "table stakes for compliance demonstration" in 2025, not optional enhancements.
Yet research shows that security misconfiguration—including missing or improperly configured headers—jumped from #5 to #2 in the OWASP Top 10 2025, affecting 94% of tested applications.
Step 2.1: HTTP Security Headers Assessment
Tool: Security Headers Analyzer
This tool tests 15+ critical headers and provides an A-F security grade with actionable recommendations.
Critical Headers Explained
1. Content-Security-Policy (CSP)
CSP is the most powerful security header—it defines which content sources browsers should trust, preventing XSS attacks even when vulnerabilities exist in your code.
Example Policy:
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-r4nd0m123';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
What This Policy Does:
default-src 'self'- Only load resources from same origin by defaultscript-src 'self' 'nonce-r4nd0m123'- Only execute scripts from same origin or with matching nonce (prevents inline XSS)frame-ancestors 'none'- Prevent embedding in iframes (clickjacking protection)
CSP Violations to Avoid:
❌ BAD: script-src 'unsafe-inline' 'unsafe-eval'
Why: Defeats XSS protection entirely
❌ BAD: default-src *
Why: Allows loading from ANY origin (no protection)
❌ BAD: script-src https:
Why: Allows scripts from any HTTPS site (still vulnerable)
Implementation Tip: Use CSP Policy Generator to build a compliant policy with nonce/hash support.
2. Strict-Transport-Security (HSTS)
HSTS forces browsers to only connect via HTTPS, preventing protocol downgrade attacks and cookie hijacking.
Recommended Configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Directive Breakdown:
max-age=31536000- Enforce HTTPS for 1 year (365 days)includeSubDomains- Apply to all subdomainspreload- Include in browser preload lists (Chrome, Firefox, Safari)
WARNING: HSTS preload is permanent for practical purposes. According to Mozilla's guidelines, removal from preload lists takes 6-12 months and requires coordination with all major browsers. Only add preload after ensuring all subdomains support HTTPS.
HSTS Best Practices:
- Start with
max-age=300(5 minutes) for testing - Gradually increase: 1 week → 1 month → 1 year
- Add
includeSubDomainsonly after subdomain HTTPS verification - Submit to hstspreload.org only when ready for permanent enforcement
3. X-Frame-Options
Prevents clickjacking attacks by controlling whether your site can be embedded in <iframe> elements.
Configuration Options:
X-Frame-Options: DENY ✓ Best (never allow framing)
X-Frame-Options: SAMEORIGIN ✓ Good (allow same-origin framing)
X-Frame-Options: ALLOW-FROM url ❌ Deprecated (use CSP instead)
Modern Alternative: Use CSP's frame-ancestors directive:
Content-Security-Policy: frame-ancestors 'none'; (Equivalent to DENY)
Content-Security-Policy: frame-ancestors 'self'; (Equivalent to SAMEORIGIN)
Content-Security-Policy: frame-ancestors https://trusted.com; (Selective allowing)
4. X-Content-Type-Options
Prevents MIME-sniffing attacks where browsers "guess" content types, potentially executing malicious scripts.
Configuration:
X-Content-Type-Options: nosniff
Why This Matters:
Without this header, a browser might execute malicious.jpg as JavaScript if it contains script code—bypassing upload filters.
5. Referrer-Policy
Controls how much referrer information is sent with requests.
Recommended Configuration:
Referrer-Policy: strict-origin-when-cross-origin
Policy Options:
no-referrer- Never send referrer (breaks analytics)strict-origin-when-cross-origin- Send origin for HTTPS→HTTP, full path for same-origin (balanced)no-referrer-when-downgrade- Default browser behavior (less private)
6. Permissions-Policy (formerly Feature-Policy)
Controls which browser features and APIs can be used (camera, microphone, geolocation, payment, etc.).
Example Configuration:
Permissions-Policy:
geolocation=(),
microphone=(),
camera=(),
payment=(self),
usb=()
What This Does:
geolocation=()- Disable geolocation API entirelypayment=(self)- Allow payment API only from same origincamera=()- Disable camera access (prevents webcam hijacking)
Use Case: If your application doesn't need camera access, disable it. This prevents third-party scripts from accessing webcams.
Security Headers Analyzer Output
Example Scan Results:
Site: https://example.com
Scan Date: 2025-01-07 10:30:00 UTC
Security Grade: C+ (67/100)
Header Status:
✓ Strict-Transport-Security: max-age=31536000; includeSubDomains
✓ X-Content-Type-Options: nosniff
✓ X-Frame-Options: DENY
⚠️ Content-Security-Policy: Missing (CRITICAL)
⚠️ Referrer-Policy: Missing
⚠️ Permissions-Policy: Missing
❌ X-XSS-Protection: Deprecated (remove this header)
Critical Issues:
1. No Content-Security-Policy - Vulnerable to XSS attacks
2. Missing Referrer-Policy - Leaking sensitive URL parameters
3. Missing Permissions-Policy - Unnecessary API access enabled
Quick Wins (Immediate Implementation):
Content-Security-Policy: default-src 'self'; script-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Step 2.2: Content Security Policy Generation
Tool: CSP Policy Generator
Building a CSP policy from scratch is complex—the generator provides a directive-by-directive wizard with preset templates.
CSP Generator Features
1. Directive Builder
Source Directives:
default-src: 'self'
script-src: 'self' 'nonce-{random}'
style-src: 'self' 'unsafe-inline'
img-src: 'self' data: https:
font-src: 'self' https://fonts.gstatic.com
connect-src: 'self' https://api.example.com
media-src: 'self'
object-src: 'none'
frame-src: 'none'
frame-ancestors: 'none'
base-uri: 'self'
form-action: 'self'
2. Nonce/Hash Support
Using Nonces (Recommended):
<!-- Server generates random nonce per request -->
Content-Security-Policy: script-src 'nonce-r4nd0m123'
<!-- HTML includes matching nonce -->
<script nonce="r4nd0m123">
console.log('This script is allowed');
</script>
<!-- Scripts without nonce are blocked -->
<script>
console.log('This script is BLOCKED');
</script>
Using Hashes (Static Content):
Content-Security-Policy: script-src 'sha256-abc123def456...'
<!-- Hash of this exact script matches CSP -->
<script>console.log('Allowed via hash');</script>
3. Common CSP Bypass Prevention
The generator validates against common bypasses:
'unsafe-inline'with nonces/hashes (nonces override unsafe-inline in modern browsers)- Wildcard origins (
https:instead of specific domains) - JSONP endpoints in
script-src - Overly permissive
default-src
4. Report-Only Mode for Testing
Before enforcing CSP, test with report-only mode:
Content-Security-Policy-Report-Only:
default-src 'self';
report-uri /csp-violation-report
This logs violations without blocking content—allowing you to identify legitimate resources before enforcement.
CSP Deployment Roadmap:
- Week 1-2: Deploy in report-only mode, collect violations
- Week 3-4: Analyze reports, update policy to allow legitimate resources
- Week 5-6: Enforce policy in staging environment
- Week 7+: Full production enforcement with monitoring
Step 2.3: CORS Policy Analysis
Tool: CORS Policy Analyzer
Cross-Origin Resource Sharing (CORS) controls which external domains can access your APIs. Misconfigurations can expose sensitive data to malicious sites.
Common CORS Vulnerabilities
1. Wildcard Origin with Credentials
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
❌ CRITICAL VULNERABILITY
Why: Allows ANY site to make authenticated requests
Impact: Session hijacking, data theft
Secure Alternative:
Access-Control-Allow-Origin: https://trusted-app.com
Access-Control-Allow-Credentials: true
✓ Only trusted-app.com can make credentialed requests
2. Reflected Origin Without Validation
# Vulnerable code
origin = request.headers.get('Origin')
response.headers['Access-Control-Allow-Origin'] = origin # ❌ DANGEROUS
# Attacker request:
Origin: https://evil.com
# Server reflects:
Access-Control-Allow-Origin: https://evil.com # ❌ Allows evil.com access
Secure Implementation:
# Secure code
ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com']
origin = request.headers.get('Origin')
if origin in ALLOWED_ORIGINS:
response.headers['Access-Control-Allow-Origin'] = origin # ✓ Validated
3. Overly Permissive Methods/Headers
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, TRACE
Access-Control-Allow-Headers: *
⚠️ WARNING: Allows all HTTP methods and headers
Recommendation: Only allow required methods/headers
Secure Configuration:
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
CORS Analyzer Features
1. Misconfiguration Detection
- Wildcard + credentials check
- Reflected origin validation
- Preflight request testing
- Credential exposure analysis
2. Common Attack Scenarios
Test Case 1: Wildcard with Credentials
Request Origin: https://evil.com
CORS Headers: Access-Control-Allow-Origin: *
Credentials: Access-Control-Allow-Credentials: true
Result: ❌ VULNERABLE (Session hijacking possible)
Test Case 2: Origin Reflection
Request Origin: https://malicious.net
CORS Headers: Access-Control-Allow-Origin: https://malicious.net
Result: ⚠️ WARNING (Validate origins against allowlist)
Test Case 3: Secure Configuration
Request Origin: https://trusted-app.com
CORS Headers: Access-Control-Allow-Origin: https://trusted-app.com
Credentials: Access-Control-Allow-Credentials: true
Result: ✓ SECURE (Explicit origin, credentials allowed)
3. Remediation Guidance
Findings for api.example.com:
❌ CRITICAL: Wildcard origin with credentials enabled
Current: Access-Control-Allow-Origin: *
Fix: Access-Control-Allow-Origin: https://app.example.com
⚠️ WARNING: All HTTP methods allowed
Current: Access-Control-Allow-Methods: *
Fix: Access-Control-Allow-Methods: GET, POST
✓ GOOD: Appropriate max-age configured
Current: Access-Control-Max-Age: 86400
Step 2.4: Security Headers Stage Output
After 20-30 minutes of headers analysis, you should have:
-
Complete Headers Inventory
-
All 15+ critical headers tested
-
Security grade (A-F) with scoring breakdown
-
Missing headers identified
-
CSP Policy Blueprint
-
Custom CSP policy generated for your application
-
Nonce/hash implementation plan
-
Report-only testing configuration
-
CORS Security Assessment
-
Misconfiguration detection (wildcard, reflected origins)
-
Vulnerability severity ratings
-
Remediation recommendations
-
Implementation Priority List
Priority 1 (Deploy This Week):
☐ Add Content-Security-Policy header
☐ Enable HSTS with preload
☐ Fix CORS wildcard vulnerability
Priority 2 (Deploy This Month):
☐ Configure Permissions-Policy
☐ Add Referrer-Policy
☐ Implement CSP nonces for inline scripts
Priority 3 (Continuous):
☐ Monitor CSP violation reports
☐ Quarterly header compliance testing
☐ Update policies as application evolves
Next Steps: Proceed to Stage 3: SSL/TLS Certificate Analysis to validate encryption standards.
Stage 3: SSL/TLS Certificate & Encryption Analysis (20-40 minutes)
SSL/TLS encryption is non-negotiable for modern web applications. According to Citrix's TLS Best Practices (Q1 2025 Edition), organizations must disable TLS 1.0/1.1, use minimum 2048-bit RSA keys, and enable TLS 1.3 for optimal security. Yet SSL/TLS certificate statistics show that 23% of certificates use weak ciphers and 17% are expired or about to expire.
Step 3.1: Certificate Chain Validation
Tool: X.509 Certificate Decoder
SSL/TLS certificates prove your server's identity and enable encrypted communication. The decoder parses and analyzes certificate details, expiration dates, key strength, and chain integrity.
Certificate Components Analysis
1. Subject Distinguished Name (Subject DN)
The Subject DN identifies who the certificate belongs to.
Example:
Subject DN:
Common Name (CN): example.com
Organization (O): Example Corporation
Organizational Unit (OU): IT Department
Locality (L): San Francisco
State/Province (ST): California
Country (C): US
Validation Checks:
- CN matches your domain exactly
- Organization name is correct and current
- No typos or unusual characters (check for homograph attacks)
2. Issuer Distinguished Name (Issuer DN)
The Issuer DN identifies the Certificate Authority (CA) that signed the certificate.
Example:
Issuer DN:
Common Name (CN): DigiCert Global Root G2
Organization (O): DigiCert Inc
Country (C): US
✓ Trusted CA (DigiCert)
✓ Valid certificate chain
Red Flags:
- Self-signed certificates in production (only acceptable in development)
- Unknown or untrusted CA
- Issuer mismatch (certificate chain broken)
3. Validity Period
Certificates have finite lifespans. Modern best practices recommend 1-year maximum validity.
Example:
Validity Period:
Not Before: 2024-06-15 00:00:00 UTC
Not After: 2025-06-15 23:59:59 UTC
Days Until Expiration: 159 days
Status: ✓ Valid (Renew in 90 days)
Expiration Risk Levels:
- > 90 days: Safe
- 30-90 days: Plan renewal
- 7-30 days: Urgent renewal required
- < 7 days: CRITICAL - Immediate action
- Expired: Production outage imminent
Automation Tip: Set up certificate monitoring with alerts at 90, 60, 30, and 7 days before expiration. Use Let's Encrypt with automated renewal via ACME protocol.
4. Public Key Algorithm & Key Strength
Certificate security depends on key strength—weak keys can be brute-forced.
Current Standards (2025):
RSA:
✓ 2048-bit minimum (industry standard)
✓ 4096-bit recommended for high-security
❌ 1024-bit or less (DEPRECATED - vulnerable)
ECDSA (Elliptic Curve):
✓ 256-bit (equivalent to 3072-bit RSA)
✓ 384-bit (equivalent to 7680-bit RSA)
Example Analysis:
Public Key Info:
Algorithm: RSA
Key Size: 2048 bits
Signature Algorithm: SHA-256 with RSA Encryption
✓ Meets minimum requirements (2048-bit RSA)
⚠️ Consider upgrading to 4096-bit for long-term security
✓ SHA-256 signature (secure)
Deprecated Algorithms to Avoid:
- MD5 signatures (broken since 2008)
- SHA-1 signatures (deprecated 2017)
- RSA 1024-bit or less (brute-forceable)
5. Subject Alternative Names (SANs)
SANs allow one certificate to secure multiple domains.
Example:
Subject Alternative Names (SANs):
DNS: example.com
DNS: www.example.com
DNS: api.example.com
DNS: *.staging.example.com
✓ Covers primary domain and www subdomain
✓ API endpoint included
⚠️ Wildcard for staging subdomains (verify necessity)
Wildcard Certificate Security:
*.example.com- Covers all first-level subdomains (api.example.com, www.example.com)- Does NOT cover
sub.api.example.com(multi-level subdomain) - Risk: If one subdomain is compromised, attacker can impersonate all subdomains
Best Practice: Use specific SANs for production domains, wildcards only for development/staging.
6. Certificate Extensions
Extensions provide additional security controls.
Critical Extensions:
Extended Key Usage:
✓ TLS Web Server Authentication
✓ TLS Web Client Authentication
Basic Constraints:
✓ CA: FALSE (Not a Certificate Authority)
Key Usage:
✓ Digital Signature
✓ Key Encipherment
Authority Information Access (AIA):
✓ OCSP Responder: http://ocsp.digicert.com
✓ CA Issuers: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Why OCSP Matters: OCSP (Online Certificate Status Protocol) allows browsers to check if a certificate has been revoked in real-time—critical for responding to compromised certificates.
X.509 Decoder Features
1. Complete Certificate Parsing
- Upload .pem, .crt, .cer, or paste PEM text
- Parse certificate chains (root, intermediate, leaf)
- Extract all fields and extensions
2. Security Validation
Certificate Security Analysis:
✓ Valid certificate chain (3 certificates)
✓ Root CA trusted by browsers
✓ Key strength adequate (2048-bit RSA)
⚠️ Certificate expires in 45 days - RENEWAL REQUIRED
✓ SHA-256 signature algorithm (secure)
✓ SAN includes www subdomain
✓ OCSP stapling supported
Security Score: B+ (85/100)
3. Chain Verification
Certificate Chain:
1. example.com (Leaf Certificate)
├── Issued by: DigiCert TLS RSA SHA256 2020 CA1
├── Expires: 2025-06-15
└── Status: ✓ Valid
2. DigiCert TLS RSA SHA256 2020 CA1 (Intermediate)
├── Issued by: DigiCert Global Root G2
├── Expires: 2030-04-13
└── Status: ✓ Valid
3. DigiCert Global Root G2 (Root CA)
├── Self-signed
├── Expires: 2038-01-15
└── Status: ✓ Trusted
Broken Chain Example:
❌ CRITICAL: Intermediate certificate missing
Browser Error: NET::ERR_CERT_AUTHORITY_INVALID
Fix: Install DigiCert TLS RSA SHA256 2020 CA1 intermediate certificate
Download: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt
Step 3.2: Certificate Transparency Monitoring
Tool: Certificate Transparency Lookup
CT logs provide transparency into all SSL/TLS certificates issued for your domain—detecting unauthorized issuance attempts and wildcard certificate abuse.
Why Certificate Transparency Matters
In 2011, DigiNotar was compromised, and attackers issued fraudulent certificates for Google, enabling man-in-the-middle attacks. Certificate Transparency prevents this by requiring CAs to log all issued certificates in public, append-only logs.
CT Lookup Use Cases:
1. Unauthorized Certificate Detection
CT Log Search: example.com
Recent Certificates:
2025-01-05: example.com, www.example.com (DigiCert) ✓ Authorized
2025-01-03: *.example.com (Let's Encrypt) ✓ Authorized
2024-12-28: example.com (Sectigo) ⚠️ UNAUTHORIZED
❌ ALERT: Unknown certificate issued by Sectigo
Action: Investigate CA account compromise, revoke certificate
2. Wildcard Certificate Discovery
Wildcard Certificates for example.com:
*.example.com (Let's Encrypt) - Issued: 2025-01-03
*.api.example.com (DigiCert) - Issued: 2024-11-15
*.staging.example.com (Self-Signed) - ⚠️ Untrusted CA
3. Subdomain Enumeration (Reconnaissance)
Attackers use CT logs to discover subdomains—the same technique you used in Stage 1.
Example:
CT Log Results for example.com:
Discovered Subdomains (via SAN fields):
- api.example.com
- staging.example.com
- dev.example.com
- internal.example.com ⚠️ Exposed internal subdomain
- vpn.example.com
- mail.example.com
Privacy Consideration: Any domain in a certificate's SAN field becomes publicly visible in CT logs. Avoid including sensitive internal hostnames in public certificates.
CT Monitoring Setup
1. Automated Monitoring Services
- Facebook CT Monitor (free)
- crt.sh (free search)
- SSLMate CertSpotter (paid monitoring)
2. Alert Configuration
Monitor: example.com
Alert Conditions:
✓ New certificates issued (any CA)
✓ Wildcard certificates issued
✓ Certificates from unauthorized CAs
✓ Unusual SANs (typosquatting patterns)
Notification: Email, Slack, PagerDuty
Step 3.3: Protocol & Cipher Suite Testing
Tool: SSL Checker (Coming Soon)
While this tool is under development, external services like SSL Labs provide comprehensive TLS testing.
TLS Protocol Versions
2025 Standards:
TLS 1.3: ✓ REQUIRED (fastest, most secure)
TLS 1.2: ✓ ACCEPTABLE (with strong ciphers only)
TLS 1.1: ❌ DEPRECATED (disable immediately)
TLS 1.0: ❌ DEPRECATED (disable immediately)
SSL 3.0: ❌ INSECURE (vulnerable to POODLE)
SSL 2.0: ❌ INSECURE (broken protocol)
According to SSL.com's Best Practices, TLS 1.3 is preferred as it offers:
- Faster handshake (1 round-trip vs 2)
- Simpler cipher selection (only secure ciphers)
- Perfect Forward Secrecy (PFS) by default
- Improved resistance to downgrade attacks
Configuration Example (Nginx):
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
Cipher Suite Configuration
Recommended Cipher Suites (TLS 1.2):
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Why These Are Secure:
- ECDHE - Elliptic Curve Diffie-Hellman Ephemeral (Perfect Forward Secrecy)
- AES-GCM / ChaCha20-Poly1305 - Authenticated Encryption with Associated Data (AEAD)
- SHA256 / SHA384 - Strong hashing algorithms
Insecure Ciphers to Disable:
❌ TLS_RSA_WITH_3DES_EDE_CBC_SHA (Weak 3DES encryption)
❌ TLS_RSA_WITH_RC4_128_SHA (Broken RC4 algorithm)
❌ TLS_RSA_WITH_AES_128_CBC_SHA (No forward secrecy, CBC mode)
❌ Any cipher with MD5 or SHA-1 signatures
Perfect Forward Secrecy (PFS):
PFS ensures that compromising your server's private key cannot decrypt past sessions. Only ciphers with DHE or ECDHE provide PFS.
Example:
Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
✓ Ephemeral key exchange (ECDHE)
✓ Perfect Forward Secrecy enabled
✓ 256-bit AES-GCM (authenticated encryption)
✓ SHA-384 hashing
If private key is compromised:
✓ Past sessions remain encrypted (PFS protection)
❌ Future sessions vulnerable (key must be replaced)
Common SSL/TLS Vulnerabilities
1. POODLE (Padding Oracle On Downgraded Legacy Encryption)
Vulnerability: SSL 3.0 CBC mode cipher vulnerability
Fix: Disable SSL 3.0 entirely
2. Heartbleed (CVE-2014-0160)
Vulnerability: OpenSSL memory leak (critical data exposure)
Fix: Update OpenSSL to 1.0.1g or later
3. BEAST (Browser Exploit Against SSL/TLS)
Vulnerability: TLS 1.0 CBC cipher vulnerability
Fix: Disable TLS 1.0, use TLS 1.2+
4. CRIME / BREACH (Compression Attacks)
Vulnerability: TLS compression leaks secrets
Fix: Disable TLS compression, minimize dynamic secrets in responses
Step 3.4: Certificate Generation & Renewal
Tool: Certificate CSR Generator
Certificate Signing Requests (CSRs) are required when requesting certificates from CAs.
CSR Generation Features
1. Interactive CSR Builder
Certificate Information:
Common Name (CN): example.com
Organization (O): Example Corporation
Organizational Unit (OU): IT Department
Locality (L): San Francisco
State (ST): California
Country (C): US
Subject Alternative Names:
- www.example.com
- api.example.com
Key Parameters:
Algorithm: RSA
Key Size: 2048 bits
Generate: [Private Key + CSR]
2. Format Conversion
Input Format: PEM
Output Formats:
☐ PEM (Apache, Nginx)
☐ DER (Java, Windows)
☐ PFX/P12 (IIS, Exchange)
☐ P7B (PKCS#7 certificate chain)
3. Certificate Chain Verification
Upload your certificate and intermediates to verify proper chain configuration:
Chain Verification:
✓ Root CA: DigiCert Global Root G2 (Trusted)
✓ Intermediate: DigiCert TLS RSA SHA256 2020 CA1
✓ Leaf: example.com
All certificates valid and properly ordered
Certificate Renewal Best Practices
According to SSL Dragon's Best Practices, organizations should:
- Renew at least yearly - Shorter validity = faster revocation response
- Generate new private keys - Reusing old keys increases compromise risk
- Use automation - Let's Encrypt with ACME protocol, cloud provider APIs
- Test in staging first - Verify renewal process before production
- Monitor expiration - Set alerts at 90, 60, 30, 7 days before expiration
Automated Renewal Example (Let's Encrypt with Certbot):
# Install Certbot
apt-get install certbot python3-certbot-nginx
# Obtain certificate
certbot --nginx -d example.com -d www.example.com
# Automatic renewal (cron job runs twice daily)
0 */12 * * * certbot renew --quiet
Step 3.5: SSL/TLS Stage Output
After 30-40 minutes of SSL/TLS analysis, you should have:
-
Certificate Health Report
-
Certificate chain validation (root, intermediate, leaf)
-
Expiration timeline (renewal schedule)
-
Key strength assessment (algorithm, bit length)
-
SAN coverage verification
-
Protocol & Cipher Assessment
-
TLS version support (1.2, 1.3 enabled; 1.0, 1.1 disabled)
-
Cipher suite security (PFS enabled, weak ciphers removed)
-
Vulnerability scan (Heartbleed, POODLE, BEAST, etc.)
-
Certificate Transparency Monitoring
-
Unauthorized certificate detection
-
Wildcard certificate inventory
-
CT monitoring alerts configured
-
Remediation Roadmap
Critical (This Week):
☐ Renew certificate expiring in 12 days
☐ Disable TLS 1.0 and TLS 1.1
☐ Remove weak cipher suites
High Priority (This Month):
☐ Enable TLS 1.3
☐ Implement OCSP stapling
☐ Install missing intermediate certificate
☐ Set up CT monitoring alerts
Medium Priority (This Quarter):
☐ Upgrade to 4096-bit RSA keys
☐ Implement automated certificate renewal
☐ Add CAA DNS records
Next Steps: Proceed to Stage 4: Email Security & Authentication to prevent spoofing and phishing.
Related Guides
This guide was condensed for readability; deep-dive specifics live in the related guides above.