SAB Security
DEENTRFR

Sample Report — Website Security Deep Review (€499)

This is what a real security review looks like.

The report is written for owners, directors, and decision-makers — not just for technical teams. Clear, honest, with realistic risks and practical actions. No fear-based selling. Here's an excerpt from a real report.

1. Executive Summary

Example Company Ltd — example-company.com

Reviewed on 14 May 2026 · Written authorisation · Passive external analysis · Auditor: SAB Security, Karlsruhe

7
areas reviewed
2
action required (Medium)
4
recommendations (Low)
5
confirmed secure

Overall impression: The website is fundamentally well set up. HTTPS, HSTS, and the most important security headers are correctly configured. No open admin panels, no database backups, and no sensitive configuration files were found. The most important action item is in the email area: DKIM is missing, and DMARC is set to monitoring only. Without DKIM, forged emails can be sent in the domain's name — a relevant risk for customer trust and fake invoices.

Conclusion: No critical security gaps. Two medium-severity items with real business risk (missing DKIM, GDPR process gap in the contact form). All technical recommendations can be implemented with minimal effort. A short retest after remediation is included in the Deep Review package.

2. Scope & Authorisation

What was reviewed

  • DNS: A, AAAA, MX, TXT, SPF, DKIM, DMARC
  • HTTP→HTTPS redirect and www/non-www behaviour
  • TLS certificate and encryption
  • Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • Publicly accessible files (.env, .git, backups, robots.txt, sitemap.xml, security.txt)
  • CMS / admin panel discovery
  • Contact form: validation, consent, honeypot, basic XSS, rate limiting

What was deliberately not reviewed

  • No brute-force attacks
  • No denial-of-service tests
  • No social engineering
  • No destructive testing
  • No access to protected systems or data
  • No credential sharing

This review was conducted with the client's written authorisation. All tests were passive, non-destructive, and limited to publicly available information.

3. Methodology

The review follows a standardised, reproducible process — comparable to an attacker's first look at the public website, but controlled, documented, and without harmful actions.

All tests are conducted from Karlsruhe, Germany. Each check step is logged with date, time, and result. Tools used: DNS queries (dig), HTTP header analysis (curl), TLS verification (openssl), and manual review of identified entries.

The report uses a realistic, business-oriented rating:

Medium — Real business risk (misuse, compliance, customer trust)
Low — Hardening, additional safeguards, minor improvements
Info — Observation, no immediate action required

Findings that are only theoretical or have no demonstrable business impact are not included. No "critical" without a proven exploit path.

4. Detailed Findings

DKIM missing — email spoofing possible

Medium

Result: No DKIM records were found for the domain. Checked selectors: default, google, selector1, selector2, mail, k1, cloudflare, cf.

selector1._domainkey.example-company.com TXT:
No record found.
Business Impact
Without DKIM, there is no cryptographic proof that emails from @example-company.com actually came from you. An attacker can forge emails with your sender address — for instance, a fake invoice to your customers or a manipulated payment request. DKIM is the third pillar of email authentication alongside SPF and DMARC. This gap is particularly relevant for a business that sends invoices or confidential information by email.

Recommendation: Configure DKIM signing with your email provider (Google Workspace, Microsoft 365, Cloudflare Email Routing, etc.). The provider supplies the public key to publish as a DNS TXT record. Effort: about 15 minutes. Afterwards, raise SPF to -all and DMARC to p=quarantine.

DMARC set to p=none — no enforcement

Low

Result: DMARC is present but set to p=none (monitoring only).

_dmarc.example-company.com TXT:
"v=DMARC1; p=none; rua=mailto:[email protected]"
Business Impact
p=none means unauthenticated emails are reported but not rejected or sent to spam. Forged emails still reach recipients. Monitoring is a good first step, but should be raised to p=quarantine after evaluating the reports.

Recommendation: After configuring DKIM, evaluate DMARC reports for 2–4 weeks. If no legitimate emails fail, raise to p=quarantine (pct=25 for 2 weeks, then pct=100).

Privacy consent not enforced server-side on contact form

Medium

Result: The contact form only checks the privacy consent checkbox in the browser (client-side). A direct POST request without privacy_consent is accepted by the server.

POST /scan/contact with privacy_consent:false →
{"ok":true} — request was stored without consent.
Business Impact
Under GDPR, processing of personal data must be based on documented consent. If consent is only checked client-side, data can be stored without approval — a process gap with potential compliance risk. Practical risk: low (contact enquiries only). Legal risk: present.

Recommendation: Add a server-side check: reject requests where privacy_consent !== true with HTTP 400. Effort: about 5 minutes.

CSP allows 'unsafe-inline' and 'unsafe-eval'

Low

Result: The Content Security Policy includes 'unsafe-inline' and 'unsafe-eval' in script-src.

Business Impact
These entries weaken the CSP's XSS protection. In the current setup, however, they are necessary because the website uses legitimate inline scripts. The risk is low because the site is static and does not dynamically render user input.

Recommendation: Medium-term: migrate inline scripts to external .js files (with nonce or hash). As long as the site renders no dynamic user content, the current setup is acceptable.

PGP key referenced in security.txt not reachable

Low

Result: The security.txt references a PGP key at /.well-known/pgp-key.txt, which returns HTTP 403 (Forbidden).

Business Impact
Security researchers who want to report a vulnerability confidentially cannot encrypt their message. Low practical risk, but a missed opportunity for trustworthy communication.

Recommendation: Either serve the PGP key (adjust nginx rule) or remove the reference from security.txt. Effort: 2 minutes.

5. Confirmed Security Measures

Check AreaResult
HTTPS & TLSTLS 1.3, valid Let's Encrypt certificateSecure
HTTP→HTTPS Redirect301 redirect working correctlySecure
HSTS (HTTP Strict Transport Security)max-age=31536000; includeSubDomains; preloadSecure
X-Frame-Options / X-Content-Type-OptionsSAMEORIGIN / nosniff — correctly setSecure
Referrer-Policy / Permissions-PolicyRestrictive and sensibly configuredSecure
Sensitive files.env, .git/* blocked with 403Secure
No admin panelsNo /wp-admin, no /admin, no CMS backend exposedSecure
robots.txt / sitemap.xml / security.txtAll three present and correctPresent

6. Retest (included in the Deep Review package)

The Website Security Deep Review (€499) includes exactly one short retest after you have implemented the recommended measures.

FindingStatus
DKIM missingOpen
DMARC p=noneOpen
Privacy consent server-sideOpen
CSP unsafe-inlineAccepted Risk
PGP key not reachableOpen

Fixed — set to this status after successful retest.
Accepted Risk — deliberately not addressed, documented.
Open — not yet handled.

7. Recommended Next Steps

PriorityActionEffort
1Set up DKIM with your email provider~15 min.
2Add server-side privacy consent check~5 min.
3Raise DMARC to p=quarantine after DKIM~5 min.
4Serve PGP key or remove reference~2 min.
5Migrate inline scripts to external files (long-term)~1 hr.
This is an excerpt from a real Deep Review report. Each report is individually tailored to your domain and situation — with concrete, actionable recommendations. No generic scanner output.

Request Website Security Deep Review — €499    → View pricing