# web-security-baseline-audit

A small CLI for checking the first layer of public website trust signals: fetchability, indexability, canonical metadata, sitemap discovery, responsible-disclosure routing, and common browser security headers.

Mirogate uses this as a repeatable baseline check for public company, product, and open-source pages.

## What It Checks

- Final URL resolves over HTTPS.
- Main page returns a successful response.
- Production page is not marked `noindex`.
- Canonical link, title, and meta description are present.
- `robots.txt`, `sitemap.xml`, and `.well-known/security.txt` are available.
- Common browser security headers are present: HSTS, CSP, `X-Content-Type-Options`, `Referrer-Policy`, and `Permissions-Policy`.
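
How the checks in this list can be evaluated against a single fetched page, as an added example that is not the project's own code: it assumes the response is already in memory as a `{ url, status, headers, body }` object, that `<meta>` tags put `name` before `content`, and that a one-year HSTS `max-age` is the threshold worth flagging.

```javascript
// Added example, not the project's own code: runs the checks listed above
// against an in-memory response { url, status, headers, body }.
const REQUIRED_HEADERS = [
  'strict-transport-security', 'content-security-policy',
  'x-content-type-options', 'referrer-policy', 'permissions-policy',
];
// Content attribute of <meta name="..."> (assumes name precedes content).
function metaContent(html, name) {
  const re = new RegExp(`<meta\\s+name=["']${name}["']\\s+content=["']([^"']*)["']`, 'i');
  const m = re.exec(html);
  return m ? m[1] : '';
}
function auditResponse(res) {
  // Lowercase header names so lookups are case-insensitive, like fetch() Headers.
  const h = Object.fromEntries(Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const html = res.body || '';
  // noindex can arrive via the meta tag or the X-Robots-Tag header; either blocks indexing.
  const noindex = /noindex/i.test(metaContent(html, 'robots')) || /noindex/i.test(h['x-robots-tag'] || '');
  const findings = {
    https: new URL(res.url).protocol === 'https:',
    ok: res.status >= 200 && res.status < 300,
    indexable: !noindex,
    canonical: /<link\s+rel=["']canonical["']\s+href=["'][^"']+["']/i.test(html),
    title: /<title>[^<]+<\/title>/i.test(html),
    description: metaContent(html, 'description').length > 0,
  };
  for (const name of REQUIRED_HEADERS) findings[name] = name in h;
  // Presence alone is weak for these two; check the value actually hardens something.
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(h['strict-transport-security'] || '');
  findings.hstsMaxAgeOk = m !== null && Number(m[1]) >= 31536000; // one year, assumed threshold
  findings.nosniff = (h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  const failed = Object.keys(findings).filter((k) => !findings[k]);
  return { findings, failed, pass: failed.length === 0 };
}
// Constructed sample response; not a real capture.
const SAMPLE = {
  url: 'https://example.com/', status: 200,
  headers: {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'",
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=()',
  },
  body: '<html><head><title>Example</title><link rel="canonical" href="https://example.com/">' +
    '<meta name="description" content="Example site"></head></html>',
};
console.log(auditResponse(SAMPLE));
```

A missing header and a present-but-empty one (`max-age=0`) both end up in `failed`, which is the distinction a presence-only check misses.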

## Quick Start

```bash
npm install
npm test
npm run audit -- https://mirogate.com
```

JSON output:

```bash
node ./bin/audit.mjs --json https://mirogate.com
```

## Why This Exists

Search and AI crawlers do not judge a company only by homepage copy. They also see whether the public site is technically coherent: stable URLs, crawlable pages, clear metadata, responsible-disclosure contact, and browser security posture.

This tool makes those basics visible in one report.

## Limits

This is not a vulnerability scanner, penetration test, or legal compliance tool. It checks public baseline signals only. Use it before deeper security review, not instead of one.

## Security

Please report security issues to `security@mirogate.com`. See `SECURITY.md`.
