Tool

Domain Security Toolkit

Overview

Automated domain security auditing for 35+ checks across TLS, email authentication, HTTP headers, DNSSEC, and OSINT exposure.

Domain Security Toolkit is an open-source Python tool that audits any domain against a comprehensive set of security controls in one pass. It generates customer-ready reports with remediation guidance aligned to NIST, OWASP, NCSC, CISA, and GDPR — the kind of thing that normally takes a consultant a day to assemble manually.

Why this exists: Domain security spans email authentication, DNS security, certificates, HTTP headers, and OSINT. Most tools cover one slice. This one runs everything in a single pass and produces reports you can hand to a customer.

Installation

pip install git+https://github.com/wblv-dev/domain-security-toolkit

Python 3.10+ required.

Quick Start

# Single domain audit
domain-audit --domains example.com

# Multiple domains
domain-audit --domains example.com example.org

# From a file
domain-audit --domains-file domains.txt

Output lands in the current directory as:

AUDIT_REPORT.html — interactive dashboard with all findings
AUDIT_REPORT.md — markdown report, git-friendly
AUDIT_REPORT.csv — compliance summary, one row per domain
audit_history.db — SQLite database with historical data

Email Security

SPF — validates DNS TXT records for authorised senders
DMARC — policy and reporting configuration
DKIM — detects keys across common selectors (default, google, selector1/2, protonmail, etc.)
MX Records — mail server config including null MX (RFC 7505) detection
MTA-STS — forces TLS encryption for inbound email
TLSRPT — monitors TLS negotiation failures
BIMI — brand logo indicators for supporting clients

DNS & Certificate Security

DNSSEC — DNSKEY and DS record validation
CAA — certificate authority authorisation records
Dangling CNAMEs — subdomain takeover risk detection
Certificate Transparency — crt.sh monitoring for SSL certificate issuance
Domain Expiry (RDAP) — registration status and expiry dates
Transfer Lock — domain lock status validation
Reverse DNS — FCrDNS (Forward-Confirmed reverse DNS) validation

Web Security

HTTP Security Headers — X-Frame-Options, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS
security.txt — vulnerability disclosure policy at /.well-known/security.txt
Technology Fingerprint — identifies web technologies and frameworks

OSINT & Threat Intelligence

Shodan Internet DB — open ports and exposed services
Mozilla Observatory — website security header scoring
DNSBL — checks against multiple spam blacklist databases
Optional integrations — VirusTotal, AlienVault OTX, AbuseIPDB (API keys supported)

Cloudflare Integration

Optional integration pulls zone settings directly via the Cloudflare API:

SSL/TLS	Mode validation and minimum TLS version checks
HTTPS	Automatic HTTPS rewrites, HSTS, HSTS preload
Security	Security level, WAF rules, Bot Management
Privacy	Email obfuscation and hotlink protection

export CF_API_TOKEN="your_cloudflare_token"
domain-audit --domains example.com --cloudflare-token $CF_API_TOKEN

Reporting & Output

The toolkit maintains a persistent SQLite database across audit runs, enabling historical comparisons and change tracking. The diff functionality highlights what's changed between runs — useful for tracking remediation progress or catching config drift.

# Interactive dashboard of historical audits
domain-dashboard                      # port 8001 default
domain-dashboard --port 9000

Each finding includes remediation guidance with references to the relevant standard (NIST SP 800-52, OWASP, NCSC, CISA, PCI DSS, GDPR, or RFC).

Advanced Usage

--output-dir	Custom output directory for reports
--format	Select output formats: html, md, csv (default: all three)
--verbose	Debug logging
--log-file	Write detailed logs to file
--no-diff	Skip comparison with previous run
--concurrency	Parallel domain count (default: 20)

Exit Codes

0 — all checks passed or warned (no failures)
1 — configuration or runtime error
2 — at least one check graded as FAIL
130 — interrupted by user (Ctrl+C)

Suitable for CI/CD integration where you want to fail the pipeline on security regressions.

Architecture

Built on Python's asyncio with aiohttp for concurrent HTTP requests and dnspython for DNS queries. Each check module is independent and returns a standardised result structure, making it straightforward to add new checks. Rate limiting via asyncio semaphores prevents overwhelming target infrastructure or API endpoints.

Standards & Compliance

Remediation guidance embedded in the toolkit references:

NIST — SP 800-52 Rev. 2, SP 800-63
OWASP — Top 10, secure coding guidelines
NCSC — UK National Cyber Security Centre
CISA — US Cybersecurity & Infrastructure Security Agency
PCI DSS — Payment Card Industry Data Security Standard
GDPR — General Data Protection Regulation
RFC standards — SPF, DMARC, DKIM, DNSSEC, etc.

↗ View on GitHub