Professional-grade passive reconnaissance tool for domain security analysis.
Analyze domain security with comprehensive passive reconnaissance. Check HTTP headers, SSL/TLS certificates, DNS security records (SPF, DMARC, MX), performance metrics, and vulnerability indicators — all through 100% legal, non-intrusive scanning.
🌐 Live Demo: https://web.test.hushstackcambodia.site/
- HTTP Security Headers — Analyze HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- SSL/TLS Analysis — Certificate validity, expiry dates, cipher suites, TLS version detection
- DNS Security Records — SPF, DMARC, MX, TXT, NS, and A record validation
- Information Disclosure — Detect exposed server versions, stack traces, sensitive comments
- XSS Vulnerability Detection — DOM-based cross-site scripting simulation
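The header checks listed above, written out as an added example that is not part of the project's own code. It takes a map of lower-cased response headers (what Node's `http` module returns) and produces findings the way a scanner module would; the 180-day HSTS minimum, the severity labels and the two sample header sets are constructed here, not taken from the project:

```typescript
// Added example (not the project's code): scores a response-header map the way
// the "HTTP Security Headers" feature describes. Header names are assumed to be
// lower-cased already, which is what Node's http module returns.
export type Severity = "high" | "medium" | "low";
export interface HeaderFinding { header: string; severity: Severity; message: string }

// 180 days is an assumed minimum; preload lists require at least one year.
const MIN_HSTS_MAX_AGE = 15_552_000;
const WEAK_REFERRER = new Set(["unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin"]);

export function checkSecurityHeaders(headers: Record<string, string>): HeaderFinding[] {
  const findings: HeaderFinding[] = [];
  const get = (name: string): string | undefined => headers[name];
  const add = (header: string, severity: Severity, message: string): void => {
    findings.push({ header, severity, message });
  };

  const hsts = get("strict-transport-security");
  if (hsts === undefined) {
    add("Strict-Transport-Security", "high", "missing; first visits can be downgraded to plain HTTP");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < MIN_HSTS_MAX_AGE) add("Strict-Transport-Security", "medium", `max-age=${maxAge} is below ${MIN_HSTS_MAX_AGE}`);
    if (!/includesubdomains/i.test(hsts)) add("Strict-Transport-Security", "low", "includeSubDomains not set");
  }

  const csp = get("content-security-policy");
  if (csp === undefined) {
    add("Content-Security-Policy", "high", "missing; no browser-side mitigation for injected scripts");
  } else {
    const directives = csp.split(";").map((d) => d.trim()).filter((d) => d.length > 0);
    // script-src falls back to default-src when it is absent
    const scriptSrc = directives.find((d) => d.startsWith("script-src")) ?? directives.find((d) => d.startsWith("default-src"));
    if (scriptSrc === undefined) {
      add("Content-Security-Policy", "medium", "neither script-src nor default-src is set");
    } else if (/'unsafe-inline'/i.test(scriptSrc) && !/'nonce-|'sha(256|384|512)-/i.test(scriptSrc)) {
      // A nonce or hash makes 'unsafe-inline' a no-op in CSP3 browsers, so flag it only when neither is present
      add("Content-Security-Policy", "medium", "script-src permits 'unsafe-inline' without a nonce or hash");
    }
  }

  // Clickjacking: either header is acceptable, frame-ancestors being the modern one
  const framingProtected = get("x-frame-options") !== undefined || (csp !== undefined && /frame-ancestors/i.test(csp));
  if (!framingProtected) add("X-Frame-Options", "medium", "missing and CSP has no frame-ancestors directive");

  const xcto = get("x-content-type-options");
  if (xcto === undefined || xcto.trim().toLowerCase() !== "nosniff") add("X-Content-Type-Options", "low", "should be 'nosniff'");

  const referrer = get("referrer-policy");
  if (referrer === undefined) add("Referrer-Policy", "low", "missing; the browser default applies");
  else if (WEAK_REFERRER.has(referrer.trim().toLowerCase())) add("Referrer-Policy", "low", `'${referrer}' leaks the full URL to other origins`);

  return findings;
}

// Constructed sample responses (not captured from any real site).
export const hardenedHeaders: Record<string, string> = {
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
  "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
};
export const weakHeaders: Record<string, string> = {
  "strict-transport-security": "max-age=300",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "referrer-policy": "unsafe-url",
};
```

Two details matter for a passive scanner: a missing `X-Frame-Options` is not a finding when the CSP carries `frame-ancestors`, and `'unsafe-inline'` in `script-src` is only a weakness when no nonce or hash accompanies it, because CSP3 browsers ignore it otherwise. Flagging either case unconditionally produces false positives on well-configured sites.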
| Mode | Description |
|---|---|
| Security | Core HTTP headers & SSL certificate analysis |
| Performance | Response time, TTFB, compression, caching headers |
| Pentest | Port scanning, technology fingerprinting, subdomain enumeration |
| Audit | Deep security audit with vulnerability scoring |
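An added example for the "DNS Security Records" feature, not code from the project: it evaluates SPF and DMARC TXT records passed in as strings, so it runs offline. A live scanner would obtain the records with `dns.promises.resolveTxt(domain)` and `resolveTxt(`_dmarc.${domain}`)`; the severity labels and messages are assumptions made here:

```typescript
// Added example (not the project's code): evaluates SPF and DMARC TXT records
// the way the "DNS Security Records" feature describes. Records are passed in
// as strings so the check runs offline.
export type DnsSeverity = "high" | "medium" | "low";
export interface DnsFinding { record: "SPF" | "DMARC"; severity: DnsSeverity; message: string }

// RFC 7208 section 4.6.4: more than 10 lookup-causing terms is a permerror.
const SPF_LOOKUP_LIMIT = 10;
const SPF_LOOKUP_TERM = /^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr(?::|$)|exists:)/i;

export function evaluateSpf(txtRecords: string[]): DnsFinding[] {
  const spf = txtRecords.map((r) => r.trim()).filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return [{ record: "SPF", severity: "high", message: "no SPF record; any host may send mail as this domain" }];
  if (spf.length > 1) return [{ record: "SPF", severity: "high", message: "multiple SPF records; receivers treat this as a permanent error" }];
  const findings: DnsFinding[] = [];
  const terms = (spf[0] ?? "").split(/\s+/).slice(1);

  // The 'all' mechanism decides what happens to senders not listed before it.
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (all === undefined) findings.push({ record: "SPF", severity: "medium", message: "no 'all' mechanism; unlisted senders get a neutral result" });
  else if (/^\+?all$/i.test(all)) findings.push({ record: "SPF", severity: "high", message: "'+all' authorises every sender on the internet" });
  else if (all.startsWith("?")) findings.push({ record: "SPF", severity: "medium", message: "'?all' is neutral and provides no protection" });

  const lookups = terms.filter((t) => SPF_LOOKUP_TERM.test(t) || /^redirect=/i.test(t)).length;
  if (lookups > SPF_LOOKUP_LIMIT) findings.push({ record: "SPF", severity: "medium", message: `${lookups} lookup terms exceed the limit of ${SPF_LOOKUP_LIMIT}; receivers return permerror` });
  return findings;
}

export function evaluateDmarc(txtRecords: string[]): DnsFinding[] {
  const record = txtRecords.map((r) => r.trim()).find((r) => /^v=DMARC1(\s*;|$)/i.test(r));
  if (record === undefined) return [{ record: "DMARC", severity: "high", message: "no _dmarc record; receivers cannot apply a policy to spoofed mail" }];

  // DMARC is a semicolon-separated tag=value list; values may themselves contain '='.
  const tags = new Map<string, string>();
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }

  const findings: DnsFinding[] = [];
  const policy = (tags.get("p") ?? "").toLowerCase();
  if (policy === "none") findings.push({ record: "DMARC", severity: "medium", message: "p=none only monitors; spoofed mail is still delivered" });
  else if (policy !== "quarantine" && policy !== "reject") findings.push({ record: "DMARC", severity: "high", message: "p= tag missing or invalid; the record is ignored" });
  const pct = tags.has("pct") ? Number(tags.get("pct")) : 100;
  if (policy !== "none" && pct < 100) findings.push({ record: "DMARC", severity: "low", message: `pct=${pct} applies the policy to only part of the mail stream` });
  if (!tags.has("rua")) findings.push({ record: "DMARC", severity: "low", message: "no rua= address; aggregate reports will not be received" });
  return findings;
}
```

The SPF lookup count is worth keeping in a passive scanner because an over-limit record fails closed at the receiver: the domain's mail gets a permerror rather than a pass, which is a common operational finding that a simple presence check misses.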
Full multi-language support powered by next-intl:
- 🇺🇸 English (EN)
- 🇰🇭 Khmer (KM)
- 🇮🇩 Bahasa Indonesia (ID)
- 🇲🇾 Malay (MS)
- 🇯🇵 Japanese (JA)
- 🇨🇳 Chinese (ZH)
- Framer Motion animations for smooth transitions
- Tailwind CSS v4 for responsive, utility-first styling
- Interactive Onboarding guide for first-time users
- Real-time Scan Progress with visual feedback
- PDF Report Generation via html2canvas + jsPDF
- Rate Limiting — IP-based request throttling (10 req/min)
- Input Validation — Domain format validation with Zod schemas
- Security Event Logging — Pino-based audit trail
- Security Headers — HSTS, CSP, X-Frame-Options, Permissions-Policy
- Email Validation — Disposable domain blocking, regex validation
- Nodemailer Integration — SMTP email delivery
- Dual Email Flow — Admin notification + user confirmation
- Star Rating System — 1-5 scale feedback collection
- Anti-Spam Protection — Suspicious pattern detection
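The two request gates named above (IP-based throttling at 10 requests per minute and domain-format validation), as an added example rather than the project's own code. The project validates with Zod; this version is plain TypeScript so it runs with no dependencies, and it additionally rejects IP literals and `.localhost` names so a public scanner cannot be pointed at internal hosts, which is an assumption made here and not a rule the README states:

```typescript
// Added example (not the project's code): an IP-keyed sliding-window limiter
// and a hostname validator. The clock is injectable so the limiter can be
// tested without waiting a minute.
export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();
  constructor(
    private readonly limit: number = 10,
    private readonly windowMs: number = 60_000,
    private readonly now: () => number = Date.now,
  ) {}

  // True when the request may proceed, false when the client already made
  // `limit` requests inside the trailing window. Old timestamps are dropped
  // on every call so the map does not grow without bound per client.
  allow(ip: string): boolean {
    const t = this.now();
    const recent = (this.hits.get(ip) ?? []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      return false;
    }
    recent.push(t);
    this.hits.set(ip, recent);
    return true;
  }
}

export type DomainCheck = { ok: true; domain: string } | { ok: false; reason: string };

// RFC 1123 label: 1-63 characters, alphanumeric or hyphen, no leading/trailing hyphen.
// Internationalised names are expected in punycode form (assumption).
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

export function validateDomain(input: string): DomainCheck {
  const raw = input.trim().toLowerCase().replace(/\.$/, "");
  if (raw.length === 0) return { ok: false, reason: "empty input" };
  if (/[/:@?#\s]/.test(raw)) return { ok: false, reason: "provide a bare hostname, not a URL" };
  if (raw.length > 253) return { ok: false, reason: "hostname longer than 253 characters" };
  const labels = raw.split(".");
  if (labels.length < 2) return { ok: false, reason: "a registrable domain needs at least two labels" };
  if (!labels.every((l) => LABEL.test(l))) return { ok: false, reason: "label contains invalid characters or hyphen placement" };
  // An alphabetic top-level label rules out IPv4 literals such as 127.0.0.1.
  if (!/^[a-z]{2,}$/.test(labels[labels.length - 1] ?? "")) return { ok: false, reason: "top-level label must be alphabetic; IP literals are not accepted" };
  if (raw.endsWith(".localhost")) return { ok: false, reason: "loopback names are not scanned" };
  return { ok: true, domain: raw };
}
```

Format validation stops obvious misuse but not a public hostname that resolves to a private address; a scanner that opens sockets should re-check the resolved address against private and loopback ranges before connecting, which this example does not do.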
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router) |
| Runtime | React 19 + React Server Components |
| Language | TypeScript 5 (strict mode) |
| Styling | Tailwind CSS 4 + CSS Variables |
| Animation | Motion (Framer Motion) |
| State | React Hooks + Server Actions |
| Validation | Zod |
| Logging | Pino + Pino-Pretty |
| Email | Nodemailer |
| PDF Reports | html2canvas + jsPDF |
```text
security-posture-apps/
├── app/                          # Next.js App Router
│   ├── api/                      # API Routes
│   │   ├── scan/route.ts         # Main scan endpoint
│   │   ├── feedback/route.ts     # Feedback email handler
│   │   └── logs/route.ts         # Security logging
│   ├── components/               # Page-specific components
│   │   ├── SearchForm.tsx        # Domain input form
│   │   └── OnboardingGuide.tsx   # Interactive tutorial
│   ├── scan/                     # Scan results pages
│   ├── results/                  # Result display routes
│   ├── page.tsx                  # Home page
│   ├── layout.tsx                # Root layout
│   └── globals.css               # Global styles + CSS variables
├── components/                   # Shared components
│   ├── layout/                   # Layout wrappers
│   ├── scan/                     # Scan-related UI
│   │   ├── HeroSection.tsx
│   │   ├── FeaturesGrid.tsx
│   │   └── ScanLoading.tsx
│   └── ui/                       # Base UI primitives
├── lib/                          # Core business logic
│   ├── scanners/                 # Scanner modules
│   │   ├── index.ts              # Orchestrator (runAllScans)
│   │   ├── security.ts           # Headers, DNS, SSL checks
│   │   ├── performance.ts        # Performance metrics
│   │   ├── pentest.ts            # Port & tech scanning
│   │   ├── securityAudit.ts      # Deep vulnerability audit
│   │   └── types.ts              # Shared TypeScript types
│   ├── security/                 # Security utilities
│   │   ├── validation.ts         # Domain validation
│   │   └── logger.ts             # Security event logging
│   ├── logger.ts                 # Application logging
│   └── utils/                    # Helper functions
├── i18n/                         # Internationalization
│   ├── config.ts                 # Locale definitions
│   └── request.ts                # next-intl request handler
├── messages/                     # Translation files
│   ├── en.json, km.json, ...     # 6 language packs
├── types/                        # Global TypeScript types
├── public/                       # Static assets
│   └── fonts/                    # Custom Khmer font
└── logs/                         # Application logs
```
- Node.js 20+
- pnpm (recommended) or npm
```bash
# Clone the repository
git clone <repository-url>
cd security-posture-apps

# Install dependencies
pnpm install

# Configure environment
cp .env.local.example .env.local
# Edit .env.local with your SMTP credentials

# Start development server
pnpm dev
```

Open http://localhost:3000 in your browser.
```env
# Email Configuration
MAIL_HOST=smtp.gmail.com
MAIL_PORT=587
MAIL_USERNAME=your-email@gmail.com
MAIL_PASSWORD=your-app-password
MAIL_FROM_ADDRESS=noreply@yourdomain.com
MAIL_FROM_NAME="Security Posture Analyzer"
ADMIN_EMAIL=admin@yourdomain.com

# Security Logging
ENABLE_SECURITY_LOGGING=true
```

```typescript
// lib/scanners/index.ts (excerpt; module paths follow the project layout above)
import { checkHeaders, checkDNS, checkSSL } from "./security";
import { checkPerformance } from "./performance";
import { runPentestScan } from "./pentest";
import { runSecurityAudit } from "./securityAudit";
import type { ComprehensiveScanResult } from "./types";

// Promise.allSettled never rejects, so one failing scanner cannot abort the
// run; each result is unwrapped here and a rejection becomes null.
function settled<T>(result: PromiseSettledResult<T>): T | null {
  return result.status === "fulfilled" ? result.value : null;
}
export async function runAllScans(domain: string): Promise<ComprehensiveScanResult> {
  // 1. Base checks (parallel)
  const [headersResult, dnsResult, sslResult] = await Promise.allSettled([
    checkHeaders(domain),
    checkDNS(domain),
    checkSSL(domain),
  ]);
  const headers = settled(headersResult);
  const dns = settled(dnsResult);
  const ssl = settled(sslResult);
  // 2. Specialized scans (parallel); the pentest step reuses the header and TLS data
  const [performanceResult, pentestResult, auditResult] = await Promise.allSettled([
    checkPerformance(domain),
    runPentestScan(domain, headers, ssl),
    runSecurityAudit(`https://${domain}`),
  ]);
  const performance = settled(performanceResult);
  const pentest = settled(pentestResult);
  const audit = settled(auditResult);
  // 3. Weighted scoring: each module contributes a 0-100 score (derivation omitted in this excerpt)
  const overallScore = Math.round(
    (securityScore * 0.35) +
    (performanceScore * 0.25) +
    (pentestScore * 0.20) +
    (auditScore * 0.20)
  );
  return { grade, score: overallScore, findings, /* ... */ };
}
```

| Component | Weight | Description |
|---|---|---|
| Security Headers & SSL | 35% | Core security posture |
| Performance Metrics | 25% | Speed & optimization |
| Pentest Findings | 20% | Exposed ports & tech stack |
| Deep Audit | 20% | Vulnerability analysis |
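The weighted scoring from the table above, carried through as an added example that is not the project's own code. It also covers the two pieces the excerpt leaves implicit: how a per-module score can be derived from its findings, and what happens when a scanner's promise rejects. The four weights come from the README; the per-severity deductions, the letter-grade cut-offs and the "failed scanner scores 0" rule are assumptions made here:

```typescript
// Added example (not the project's code): weighted overall score and grade.
export interface Finding { severity: "high" | "medium" | "low" | "info" }
export interface ComponentScores { security: number; performance: number; pentest: number; audit: number }
export type Grade = "A" | "B" | "C" | "D" | "F";

// Weights from the README's scoring table; they sum to 1.0.
export const WEIGHTS: Readonly<ComponentScores> = { security: 0.35, performance: 0.25, pentest: 0.2, audit: 0.2 };
// Assumed deductions per finding; the project does not publish its own.
const DEDUCTION: Record<Finding["severity"], number> = { high: 25, medium: 10, low: 3, info: 0 };

const clamp = (n: number): number => Math.min(100, Math.max(0, n));

// Start at 100 and deduct per finding, never below 0.
export function scoreFromFindings(findings: Finding[]): number {
  return clamp(findings.reduce((s, f) => s - DEDUCTION[f.severity], 100));
}

// A module whose promise rejected (DNS timeout, TLS handshake failure, ...)
// must not silently count as a perfect 100; score it 0 and let the caller
// record a finding that the check could not complete.
export function unwrapScore(result: PromiseSettledResult<{ score: number }>): number {
  return result.status === "fulfilled" ? clamp(result.value.score) : 0;
}

export function overallScore(s: ComponentScores): number {
  return Math.round(
    clamp(s.security) * WEIGHTS.security +
    clamp(s.performance) * WEIGHTS.performance +
    clamp(s.pentest) * WEIGHTS.pentest +
    clamp(s.audit) * WEIGHTS.audit,
  );
}

// Assumed cut-offs: 90+ A, 80+ B, 70+ C, 60+ D, otherwise F.
export function toGrade(score: number): Grade {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}
```

Treating a rejected scanner as 0 rather than skipping it keeps the overall score conservative: a domain whose TLS check timed out should not outrank one whose certificate was actually verified.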
- TypeScript Strict: Full type safety with `strict: true`
- ESLint 9: Modern flat config with `eslint-config-next`
- Function Components: React 19 with Server Components by default
- CSS Variables: Theme tokens for dark/light support
- Named Exports: Consistent component exports
- JSDoc Comments: Scanner modules documented
```typescript
// Type-first development (ScanMode, Grade and SecurityFinding come from lib/scanners/types.ts)
interface ScanResult {
  mode: ScanMode;
  grade: Grade;
  findings: SecurityFinding[];
}

// Parallel async execution: allSettled lets one failing scanner not abort the others
const results = await Promise.allSettled([
  scannerA(),
  scannerB(),
]);

// Structured logging
logger.info('Scan completed', { domain, duration, score });
```

```bash
pnpm dev     # Development server with hot reload
pnpm build   # Production build
pnpm start   # Production server
pnpm lint    # ESLint code checking
```

- ✅ HTTP response headers
- ✅ DNS TXT/SPF/DMARC/MX records
- ✅ SSL certificate metadata
- ✅ Publicly exposed ports (banner grabbing)
- ✅ Technology stack fingerprinting
- ❌ No SQL injection attempts
- ❌ No active XSS payloads
- ❌ No brute-force attacks
- ❌ No file/directory enumeration beyond common paths
- ❌ No authentication bypass attempts
This tool performs passive reconnaissance only — all data is collected from publicly available sources without sending malicious payloads or attempting unauthorized access.
- SECURITY_AUDIT.md — Security audit procedures & OWASP Top 10 status
- SECURITY_FIXES.md — Implemented security hardening measures
- AI_SETUP.md — AI provider configuration (if applicable)
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit changes (`git commit -m 'Add amazing feature'`)
- Push to branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Private — Unauthorized use, reproduction, or distribution is prohibited.
Built with Next.js, React, and TypeScript
