website-security-scanner

Lightweight website security scanner (headers, TLS, ports, basic vulns)

Source: npm
Version: 1.0.2 (latest)
Maintainers: 1

website-security-scanner

Fast, lightweight website security scanner for Node.js (headers, TLS, ports, basic vulns) with optional OWASP ZAP integration.

Quick start

npm install -g website-security-scanner
website-security-scanner https://example.com --json

Programmatic:

const { runScan, loadConfig } = require('website-security-scanner');

(async () => {
  const config = loadConfig();
  const results = await runScan({ targetUrl: 'https://example.com', useZap: false, config });
  console.log(JSON.stringify(results, null, 2));
})();

Features

  • Security headers and cookie flags (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy; Secure/HttpOnly/SameSite)
  • TLS certificate checks (validity, expiry, protocol); HTTP/2 via ALPN; HTTP/3 via Alt-Svc
  • Open ports scan (common ports) with concurrency limits
  • Basic reflected XSS and SQLi heuristics
  • DOM heuristics (inline scripts, inline event handlers, mixed content)
  • Configurable timeouts, concurrency, and severity threshold
  • Optional OWASP ZAP daemon integration

CLI usage

website-security-scanner <url> [--json] [--zap] [--config path] [--min-sev Sev]
  • --json: print JSON
  • --zap: run OWASP ZAP (requires ZAP daemon)
  • --config: path to a JSON config file
  • --min-sev: Info | Low | Medium | High | Critical (filters display)

Exit codes:

  • 0: success, no Critical findings
  • 1: runtime error
  • 2: at least one Critical finding

Examples:

website-security-scanner https://example.com
website-security-scanner https://example.com --json --min-sev Low
website-security-scanner http://example.com --config scanner.config.json

Configuration

Create scanner.config.json:

{
  "minSeverity": "Low",
  "timeouts": { "defaultMs": 8000, "tlsMs": 10000, "portProbeMs": 1500 },
  "concurrency": { "portProbes": 10 }
}

ZAP integration (optional)

Run ZAP daemon and set env vars:

zap.sh -daemon -config api.addrs.addr.name=127.0.0.1 -config api.addrs.addr.regex=false -config api.key=YOURKEY
export ZAP_HOST=127.0.0.1 ZAP_PORT=8090 ZAP_API_KEY=YOURKEY
website-security-scanner https://example.com --zap --json

How it works

  • Orchestrator runs scanners in parallel with timeouts and aggregates results
  • Scanners: headers, ssl, ports, vulns (XSS/SQLi + DOM), zap (optional)
  • Reporter prints human or JSON output; exit code signals severity
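The following is an added example, not code from the website-security-scanner package: a minimal version of the kind of check the headers scanner performs (the Features list above), combined with the --min-sev filter and the exit-code contract documented under CLI usage. The severity assigned to each finding, the header list and the sample response are assumptions constructed for the example; the package's real scoring is not shown on this page.

```javascript
// Added example (not the package's own code): header/cookie checks in the spirit of the
// "headers" scanner, plus the --min-sev filter and exit-code contract from the README.
// The severity attached to each finding is an assumption, not the package's scoring.
const SEVERITIES = ['Info', 'Low', 'Medium', 'High', 'Critical'];
const sevRank = (s) => SEVERITIES.indexOf(s);

// Headers the check expects; names are compared case-insensitively as HTTP requires.
const REQUIRED_HEADERS = [
  ['content-security-policy', 'High', 'Missing Content-Security-Policy'],
  ['x-frame-options', 'Medium', 'Missing X-Frame-Options (clickjacking)'],
  ['x-content-type-options', 'Low', 'Missing X-Content-Type-Options: nosniff'],
  ['referrer-policy', 'Low', 'Missing Referrer-Policy'],
  ['permissions-policy', 'Info', 'Missing Permissions-Policy'],
];

function checkHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  return REQUIRED_HEADERS
    .filter(([name]) => !present.has(name))
    .map(([, severity, message]) => ({ scanner: 'headers', severity, message }));
}

// Each Set-Cookie line is checked for the Secure, HttpOnly and SameSite attributes.
function checkCookies(setCookieLines) {
  const findings = [];
  const add = (severity, message) => findings.push({ scanner: 'headers', severity, message });
  for (const line of setCookieLines) {
    const [pair, ...attrs] = line.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const lower = attrs.map((a) => a.toLowerCase());
    if (!lower.includes('secure')) add('Medium', `Cookie ${name} lacks Secure`);
    if (!lower.includes('httponly')) add('Medium', `Cookie ${name} lacks HttpOnly`);
    if (!lower.some((a) => a.startsWith('samesite='))) add('Low', `Cookie ${name} lacks SameSite`);
  }
  return findings;
}

// --min-sev semantics: keep findings at or above the threshold.
function filterBySeverity(findings, minSeverity) {
  return findings.filter((f) => sevRank(f.severity) >= sevRank(minSeverity));
}

// Exit-code contract from the README: 2 if any Critical finding, else 0 (1 is for runtime errors).
function exitCodeFor(findings) {
  return findings.some((f) => f.severity === 'Critical') ? 2 : 0;
}

// Constructed sample response: only X-Content-Type-Options is set; one cookie has no attributes.
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'X-Content-Type-Options': 'nosniff' };
const SAMPLE_COOKIES = ['session=abc123; Path=/', 'pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax'];
const ALL = [...checkHeaders(SAMPLE_HEADERS), ...checkCookies(SAMPLE_COOKIES)];
console.log(JSON.stringify({ findings: filterBySeverity(ALL, 'Low'), exitCode: exitCodeFor(ALL) }, null, 2));
```

With the sample response the run reports six findings at Low or above (the Info-level Permissions-Policy finding is filtered out) and exits 0, since none is Critical.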

License

MIT

Package last updated on 31 Aug 2025
