What We Check

CodeFrog performs comprehensive, non-invasive security scanning using safe, read-only HTTP requests (HEAD/GET/OPTIONS). All checks are organized by category and designed to identify common security misconfigurations and vulnerabilities without modifying or disrupting your site.

Important: CodeFrog's security scanning is designed to be safe and non-invasive. All checks use read-only HTTP methods and do not attempt to exploit vulnerabilities. However, only scan websites and systems that you own or have explicit written authorization to test. See our Security Scanning Policy for details.

Security Headers

HTTP response headers that instruct browsers how to handle your site's content. Missing or misconfigured headers leave your site vulnerable to common attacks.

HSTS (Strict-Transport-Security): Presence on HTTPS responses to enforce secure connections
X-Content-Type-Options: nosniff: Prevents MIME-sniffing and content type confusion attacks
Referrer-Policy: Controls referrer information leakage to third-party sites
X-Frame-Options / CSP frame-ancestors: Prevents clickjacking attacks
Content-Security-Policy (CSP): Restricts resource loading sources; flags risky directives (unsafe-inline, unsafe-eval, wildcards)
Permissions-Policy: Controls browser feature access (camera, microphone, geolocation, payment, etc.)
Cross-Origin-Opener-Policy (COOP): Isolates browsing context from cross-origin windows
Cross-Origin-Embedder-Policy (COEP): Requires cross-origin resources to opt in to embedding
Cookie Security Flags: Secure, HttpOnly, and SameSite flags on cookies

Why it matters: Security headers provide defense-in-depth protection against XSS, clickjacking, MITM attacks, and information leakage. Without them, your site relies on default browser behavior, which is often permissive. Learn more about security headers →

CORS & Browser Security

Cross-Origin Resource Sharing (CORS) configuration that controls how your site interacts with other origins.

Wildcard origin with credentials: Detects dangerous CORS configuration (ACAO=* with ACAC=true)
Reflective Access-Control-Allow-Origin: Flags when ACAO reflects the request Origin (vulnerable to credential theft)

Why it matters: Misconfigured CORS can allow unauthorized sites to access your resources with user credentials, leading to data theft and account compromise.

Transport & Methods

HTTP methods and transport security that could expose your site to unauthorized access or modification.

Dangerous HTTP methods: Checks for enabled PUT, DELETE, PATCH methods
TRACE/TRACK: Detects enabled TRACE and TRACK methods (information disclosure risks)
WebDAV indicators: Identifies WebDAV via Allow/DAV headers

Why it matters: Unnecessary HTTP methods can allow attackers to modify or delete resources, or expose sensitive information.

Information Disclosure

Files and paths that reveal sensitive information about your site's structure or configuration.

robots.txt sensitive paths: Flags robots.txt entries that reveal sensitive paths (e.g., /admin/, /backup/, /private/)
security.txt: Checks for presence and validity of /.well-known/security.txt (Contact/Expires/Policy)

Why it matters: Information disclosure helps attackers understand your site structure and identify potential attack targets.

Sensitive File Exposure

Common sensitive files and directories that should not be publicly accessible.

Version Control: /.git/, /.git/HEAD, /.git/config (exposed Git repositories), /.svn/ (Subversion), /.hg/ (Mercurial), /.bzr/ (Bazaar)
Environment Files: /.env, /.env.old, /.env.orig, /.env.backup (configuration files with secrets)
Package Files: /composer.json, /package.json (dependency information)
Server Configuration: /WEB-INF/web.xml (Java configuration), /phpinfo.php (PHP info), /server-status, /server-info, /nginx_status

Why it matters: Exposed sensitive files can reveal source code, credentials, configuration details, and server information that attackers can use to compromise your site.

Directory Listing

Directory indexing that exposes file structure and potentially sensitive files.

Common directories: Checks for enabled directory listing on /backup/, /logs/, /uploads/, and other common paths

Why it matters: Directory listing exposes your file structure, making it easier for attackers to find sensitive files and understand your site's organization.

Content Integrity (SRI)

Subresource Integrity verification for external scripts and stylesheets.

External scripts without SRI: Flags external <script> tags missing integrity attributes
External stylesheets without SRI: Flags external <link> stylesheets missing integrity attributes

Why it matters: Without SRI, compromised CDNs or man-in-the-middle attacks can inject malicious code into your site via external resources.

TLS / Certificate

SSL/TLS certificate validity and expiration checks.

Certificate expiration: Warns if certificate expires within 30 days; errors if already expired
Certificate validity: Verifies certificate is valid and properly configured

Why it matters: Expired or invalid certificates break HTTPS connections, leaving your site vulnerable to man-in-the-middle attacks and causing user trust issues.

Stack Detection

Best-effort identification of server and backend technologies from response headers and cookies.

Server detection: Identifies Nginx, Apache, IIS, Caddy from headers
Backend detection: Identifies PHP, Node.js/Express, Python, Java, ASP.NET, Rails from headers/cookies

Why it matters: Knowing your technology stack helps identify relevant vulnerabilities and security best practices for your specific setup.

Best Practices

Industry best practices and security standards compliance.

security.txt: Checks for presence and validity of security.txt at /.well-known/security.txt
HTTPS enforcement: Verifies HTTPS is available and preferred

Why it matters: Following security best practices and standards helps protect your site and makes it easier for security researchers to report vulnerabilities responsibly.

How CodeFrog Performs Checks

All security checks are performed using safe, read-only HTTP methods:

HEAD requests: Primary method for checking headers and response codes without downloading content
GET requests: Fallback when HEAD is not supported, or when content analysis is needed
OPTIONS requests: Used for CORS and HTTP method discovery

CodeFrog respects rate limits, timeouts, and redirect policies. All checks are non-invasive and designed to identify security issues without attempting to exploit them.

False Positive Warning: If your site uses a catch-all route or custom 404 handler that returns HTTP 200 instead of 404, the scanner may incorrectly flag sensitive files (like .git, .env, etc.) as exposed even when they are not actually accessible. Please manually verify any flagged sensitive file findings.

Severity Levels

Findings are categorized by severity to help prioritize remediation:

Critical: Immediate action required, potential for data breach or system compromise
High: Significant security risk, should be addressed soon
Medium: Moderate risk, should be planned for remediation
Low: Minor risk, consider fixing in next update
Info: Informational findings, not necessarily vulnerabilities

Related Resources

Security Headers: Why They Matter - Detailed guide to security headers
Security Testing Guide - Comprehensive security scanning documentation
OWASP Coverage - How CodeFrog maps to OWASP Top 10
Features - Overview of all CodeFrog capabilities