Skip to content

Documentation

Everything you need to secure your AI-built projects

Scanner Reference

Features

Scanner Reference

BoringSec publishes 20 base URL modules plus 3 verified-owner background engines. The 20 applicable base modules produce the base report; Nuclei, ZAP, and Medusa are separate background engines with a stricter authorization boundary. Findings use five severities — CRITICAL, HIGH, MEDIUM, LOW, INFO — and evidence-gated critical or high findings are downgraded when the required proof is missing.

Legal and authentication coverage boundary

Coverage is explicit by surface. Conditional or not-assessed work is never converted into a pass, and framework mapping is not presented as certification. Per-scan evidence uses distinct found, missing, not_observed, not_applicable, unavailable, and needs_auth states.

CapabilityStateEvidence surfaceLimit
Privacy, consent, and data rights signalsimplementedInitial URL response plus bounded same-origin privacy-policy fetches. Consent controls, first-response cookies, trackers, controller/DPO language, legal basis, recipients, retention, deletion/export rights, complaints, transfers, and safeguards are recorded with matched evidence.JavaScript-rendered controls and later browser interactions are not executed in this pass; missing evidence is partial or not observed, not proof of non-compliance.
Terms, WCAG basics, and public noticesimplementedInitial HTML plus a bounded same-origin fetch of an explicitly linked terms page. Terms availability, licensing/IP language, document language, page title, image alt attributes, main landmark, form-control names, button names, copyright notice, and licensing/attribution links are recorded independently.This is not a full WCAG audit, legal opinion, intellectual-property clearance, or proof that a document is enforceable in every jurisdiction.
Public authentication signalsimplementedPublic response headers, cookies, shipped JavaScript, login links, entry-page forms, and at most one bounded same-origin login-page fetch. Session-cookie flags, client-side token storage signals, exposed auth artifacts, CORS, login-surface applicability, and static anti-CSRF token signals are assessed when observable.MFA, enumeration, IDOR, server-side CSRF enforcement, and JWT claim/lifetime checks remain not assessed by a public scan. A public scan does not log in, create accounts, submit state-changing forms, modify tokens, or replay object identifiers.
Authenticated application surfaceconditionalVerified-owner domains with an explicitly configured, expiring credential profile. The credential is attached only inside the isolated ZAP deep-scan boundary and is scoped to the verified hostname/origin. The test path validates access and the form-login path establishes a bounded session; neither is a ZAP path allowlist, so ZAP may spider other same-host paths. The public report exposes authentication status, never credential names or values.The current single-credential ZAP flow has no scenario DSL or second identity and does not support MFA, enumeration, IDOR/tenant-isolation, or transaction-authorization verification; those controls remain not assessed and require dedicated authorized testing or manual review. CSRF or JWT findings may surface opportunistically, but their absence is not a pass.
Repository auth and authorization patternsconditionalUser-authorized repository or archive scan. Selected OAuth linking, token storage, cookie configuration, JWT verification, middleware coverage, secret, dependency, and webhook patterns are checked against the submitted source.Source patterns are evidence leads, not runtime proof. Business-object ownership and role policy still require dedicated authorized tests or manual review.
Formal legal or accessibility certificationnot assessedOutside automated product scope. BoringSec links each automated observation to its evidence and applicable reference.The report is not legal advice, a penetration-test attestation, or certification of GDPR, CCPA, WCAG, SOC 2, ISO 27001, or licensing compliance.

Security Headers

Applicable base module

Grades 10 modern security headers and flags 4 version-disclosure headers (15 checks).

  • Content-Security-Policy analyzed per directive: unsafe-inline without nonce/hash, unsafe-eval, wildcard / data: / http: script sources, missing base-uri, frame-ancestors, object-src
  • Strict-Transport-Security graduated by max-age; includeSubDomains and preload eligibility checked
  • X-Frame-Options (auto-satisfied by CSP frame-ancestors), X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, deprecated X-XSS-Protection
  • Version disclosure: Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version
  • Fixes are copy-paste header snippets. References: MDN, csp-evaluator.withgoogle.com, hstspreload.org

SSL/TLS

Applicable base module

Real handshake plus active cipher probing (~13 checks), aligned with Mozilla Server-Side TLS.

  • Certificate validity, trust chain, hostname/SAN match, key strength, signature algorithm (SHA-1/MD5 flagged)
  • Graduated expiry alerts: critical expired, high under 30 days, medium under 60
  • Certificate Transparency, TLS 1.3/1.2 availability, TLS 1.0 enabled (critical), TLS 1.1 enabled (high)
  • Weak cipher suites via active probing: RC4, 3DES, CBC-era, export, NULL
  • HTTP to HTTPS redirect

DNS & Email Authentication

Applicable base module

11 record families, RFC-based, raw records captured as evidence.

  • SPF, DMARC (including malformed and partial-enforcement policies), DKIM (including revoked keys)
  • CAA (including issuance-blocking records), MTA-STS, SMTP TLS-RPT, BIMI, DANE/TLSA
  • MX posture, DNSSEC (including broken chains), nameserver configuration

Exposure

Applicable base module

34 sensitive-path probes plus directory listing and robots.txt hygiene (36 checks).

  • Source & secrets: .git/config, .git/HEAD, .env, .env.local, .env.production — all critical
  • Config files, database dumps and backups (backup.sql, dump.sql, backup.zip — critical)
  • Info disclosure (phpinfo.php, server-status), logs, admin panels, API schemas, source maps, IDE files
  • Every hit verified against content signatures so SPA app-shells do not create false positives

Cookies

Applicable base module

5 checks per cookie. Cookie values are never stored — only attribute observations.

  • Secure flag (high over HTTPS), HttpOnly on session-like cookies (high)
  • SameSite including the None-without-Secure trap
  • __Host- / __Secure- prefix compliance, overly broad Domain scope on session cookies

CORS

Applicable base module

Active cross-origin testing (~9 outcomes) with request/response evidence.

  • Wildcard-with-credentials, origin reflection with credentials (high)
  • Wildcard on any origin, null origin trusted
  • Dangerous methods exposed, sensitive response headers exposed, confirmed-healthy states

Platform Detection

Applicable base module

Fingerprints the hosting / AI-generation platform. Informational; used to tailor fixes.

  • Lovable, Bolt.new, v0, Replit, Cursor, Windsurf, Vercel, Netlify, Supabase, Firebase signatures

Technology & Live CVEs

Extended base module

Stack fingerprinting enriched in real time from the OSV.dev vulnerability feed.

  • Live CVE enrichment across npm, PyPI and Packagist ecosystems, CVSS vectors parsed into severities
  • Outdated component detection, server version disclosure

Injection

Extended base module

SQL and command injection with proof-or-downgrade discipline.

  • Error-based SQLi requires an unambiguous DBMS error introduced by the probe
  • Boolean-blind SQLi requires a reproducible true/false differential against baseline
  • Command injection requires high-signal output; anything less is reported as inconclusive

XSS

Extended base module

Reflected and DOM-based cross-site scripting detection.

  • Reflected XSS per parameter with context-aware reflection analysis
  • DOM-based XSS patterns flagged for manual review
  • Dynamic code execution (eval / Function) reported informationally

Subdomains

Extended base module

Enumeration plus takeover-risk analysis.

  • Dangling-CNAME takeover fingerprints of known cloud services
  • Unverified candidates flagged separately (evidence-first)
  • Sensitive-looking subdomains, subdomains served without HTTPS

WAF

Extended base module

Detects 16 WAF vendors and probes coverage.

  • Cloudflare, AWS WAF, Akamai, Imperva, Sucuri, ModSecurity, F5, Barracuda, Wordfence, DDoS-Guard, FortiWeb, Reblaze, StackPath, Radware, Palo Alto, Wallarm
  • Missing WAF, incomplete coverage, possible-bypass indicators

Ports

Extended base module

TCP-connect checks for risky services with connect evidence recorded.

  • Publicly reachable databases (critical), high-risk service ports (high), Telnet (critical)

GDPR / ePrivacy

Extended base module

Evidence-bounded privacy, consent, public legal-surface, and WCAG-basic signals (informational for the Security Score).

  • Consent controls, first-response cookies, tracker disclosure, transfer destinations and documented safeguards
  • Privacy-policy controller/DPO, legal basis, recipients, retention, deletion/export rights and complaint path
  • Bounded same-origin Terms availability plus initial-HTML language, title, image-alt, landmark, form-label and button-name checks
  • Entry-page and one bounded same-origin login-page fetch for static CSRF signals; the current single-credential ZAP flow has no scenario DSL or second identity, so MFA, enumeration, IDOR/tenant isolation and transaction authorization remain not assessed
  • Copyright and licensing/attribution links are recorded as observations, never as proof of infringement or legal compliance

Bundle Secrets

Extended base module

Shipped-JavaScript scanning with 21 secret detectors. Heaviest Boring Score category.

  • Supabase anon/service_role keys and URL, Firebase API key/config, Stripe secret/publishable
  • OpenAI (2 formats), Anthropic, AWS access key ID/secret, GitHub, Slack, Google OAuth client secret
  • SendGrid, HuggingFace, Twilio, Mailgun, private keys, generic API keys

Supabase

Extended base module

Live backend exposure checks — actual REST requests, not guesses.

  • service_role key exposed in frontend (critical), anon key usage
  • Tables readable without auth (live RLS verification), storage bucket exposure
  • Honest inconclusive states when verification is not possible

Firebase

Extended base module

Realtime Database, Firestore and Storage rules actually tested.

  • Config exposure, RTDB/Firestore/Storage read access tested live, Firebase Auth posture

Reputation

Extended base module

Google Safe Browsing + DNS blocklists. A listed domain caps the Security Score at 20.

  • Google Safe Browsing, Spamhaus DBL, SURBL

Client-Side Threats

Extended base module

11 heuristics plus Subresource Integrity and mixed-content checks.

  • Magecart-class skimmer patterns, crypto-miner signatures (including WASM workers)
  • Malicious redirect patterns, obfuscation markers (eval+atob chains, hex-array unpackers)
  • Cross-origin scripts/styles without SRI, active and passive mixed content, hidden off-site iframes

VirusTotal

Extended base module

Multi-vendor URL/domain verdicts with single-vendor noise filtering.

  • Tiered score caps for multi-vendor malicious verdicts, community-reputation signals

Nuclei

Verified-owner background engine

Eligible verified-owner background engine, wrapped as a hardened ProjectDiscovery subprocess.

  • Curated templates, severity-filtered (critical/high/medium)
  • DoS, bruteforce, intrusive and fuzz tags excluded; local-network access restricted; rate-limited

OWASP ZAP

Verified-owner background engine

Eligible verified-owner background engine for passive baseline analysis and configured API scanning.

  • Safe-mode default; active scanning gated behind explicit acknowledgement

Medusa

Verified-owner background engine

Eligible verified-owner background engine that checks the code a site actually ships.

  • Collects external and inline scripts, source maps and config artifacts under strict budgets
  • Scans them as code; normalized findings with rule IDs, file/line references and recommendations

GitHub Repository Scanner

Repository module

50+ SAST-style rules for connected repositories.

  • Committed secret files (.env*, private keys, cloud credentials) and hardcoded secrets in code
  • 27 dependency rules with pinned CVEs (lodash, jsonwebtoken, axios, next, django, pyyaml and more)
  • Framework patterns: unsafe JWT handling, dangerouslySetInnerHTML, server env in client code, Stripe webhooks without signature verification, SSRF-prone fetches, raw SQL interpolation, unguarded mutation routes
  • Docker hardening (4 rules), GitHub Actions hardening (4 rules), repo hygiene

Orchestration & safety

  • Applicable base and extended-base modules run concurrently and publish the base report when their required work is terminal.
  • Public and anonymous scans run base modules only. Nuclei, ZAP, and Medusa require a signed-in, non-anonymous scan of a domain owned by that user or team and marked VERIFIED.
  • Without that authorization, a requested background engine is authorization_required; a module that was not requested is not_requested. Neither state is presented as queued or running.
  • On eligible scans, Nuclei, ZAP, and Medusa run independently in the background, do not block the base report, and update it when each result is ready.
  • Per-scanner timeouts and a per-category circuit breaker (3 failures, 5-minute cooldown) keep scans predictable.
  • All scanning is bounded and non-destructive: no exploit payloads, no DoS-class tests, SSRF-defended fetches, rate limits throughout.