Documentation

Comprehensive guide to using BlackBoxAudit.com for automated security auditing of web applications.

Getting Started

Quick Start

  1. Enter your website URL in the audit form
  2. Click "Start Audit" to begin the security scan
  3. Wait for the analysis to complete (usually 30-60 seconds)
  4. Review your comprehensive security report
  5. Follow the recommendations to fix identified issues

Our service is completely free to use with no registration required.

Security Checks

HTTP Headers

  • Content-Security-Policy (CSP) presence/strength
  • X-Frame-Options presence/strength
  • X-Content-Type-Options (nosniff)
  • Strict-Transport-Security (HSTS) presence/strength
  • Referrer-Policy recommendations
  • Permissions-Policy presence
  • CORS wildcard + credentials misconfiguration
  • COOP / COEP presence
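
The header checks listed above can be reproduced locally against a captured response. The Python below is an added example, not BlackBoxAudit's own code; the finding names, the one-year HSTS threshold and the CSP weakness rule are assumptions, and the sample headers are constructed.

```python
import re

ONE_YEAR = 31536000  # assumed threshold for a "strong" HSTS max-age


def audit_headers(headers):
    """Return sorted finding ids for one response's headers (rules are assumptions)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("csp-weak-unsafe-keyword")
    # Framing is restricted by CSP frame-ancestors or by X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in (csp or "") and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("framing-unrestricted")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts-short-max-age")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts-no-includesubdomains")
    for name in ("referrer-policy", "permissions-policy",
                 "cross-origin-opener-policy", "cross-origin-embedder-policy"):
        if name not in h:
            findings.append(name + "-missing")
    # A wildcard origin is never valid together with credentials.
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("cors-wildcard-with-credentials")
    return sorted(findings)


# Constructed sample response headers, not output from any real site.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print("\n".join(audit_headers(WEAK)))
```
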

SSL/TLS Certificate

  • Certificate expiry date (alerts if < 30 days)
  • Expired certificate detection
  • Issuer/Subject surfaced for review

Crawling & Form Analysis

  • Shallow crawl (same-origin) to find up to a few subpages
  • POST forms missing CSRF tokens
  • Forms submitting to HTTP action URLs
  • Password fields missing recommended autocomplete values
  • Inline script detection (CSP hardening signal)

Active Probing & External Signals

  • Sensitive file probing (e.g. /.env, /.git/config, /web.config)
  • Soft 404 detection
  • robots.txt and security.txt discovery
  • Subresource Integrity (SRI) missing on external scripts
  • Third-party script domain inventory (supply chain risk signal)
  • DNS email security: SPF / DMARC presence (via DNS-over-HTTPS)

Understanding Your Report

Security Score

Your overall security score ranges from 0-100 and represents the security posture of your website.

90-100: Excellent security posture
70-89: Good security with room for improvement
50-69: Moderate security concerns
0-49: Critical security issues found

Issue Severity Levels

  • Critical: Immediate action required, high-risk vulnerabilities
  • High: Important security issues that should be addressed soon
  • Medium: Moderate security concerns
  • Low: Minor security improvements
  • Info: Informational findings and best practices

Frequently Asked Questions

How often should I audit my website?

We recommend running security audits at least monthly, or whenever you deploy significant changes to your application.

Is my data secure?

Yes, all audit data is encrypted in transit and at rest. We do not store sensitive information from your website.