# OffURL - Comprehensive Website Security Audit Platform

> LLMs.txt file for AI crawlers and language models. This file provides structured information about OffURL's security audit capabilities, API endpoints, and documentation.

## Overview

OffURL is the most comprehensive website security audit platform available online, performing 150+ individual security checks across 16+ security categories in under 30 seconds. The platform generates instant, actionable security reports with fix steps, code snippets, and detailed explanations.

- **Website**: https://offurl.com/
- **Contact**: contact@offurl.com
- **Security Contact**: https://offurl.com/.well-known/security.txt
- **Documentation**: See sections below
- **First report**: Free premium (no credit card required)
- **Subsequent reports**: $1.99 per report

## Quick Start

To audit any website:

1. Enter the domain name (e.g., example.com)
2. Click "Run Free Audit"
3. Receive instant security report with overall score (0-100)
4. Premium reports include detailed findings, fix steps, and code snippets

## Core Capabilities

### Application Security Testing

- Cross-Site Scripting (XSS) - 13+ payload variants
- SQL Injection - Boolean, time-based, error-based
- NoSQL Injection - MongoDB operators ($ne, $gt)
- LDAP Injection - Wildcard and filter bypass
- XXE (XML External Entity) - DOCTYPE and entity detection
- SSRF (Server-Side Request Forgery) - Internal endpoint probing
- SSTI (Server-Side Template Injection) - Numeric calculation payloads
- Code Injection - PHP, Python, Node.js, Ruby payloads
- Command Injection - Shell metacharacters
- Open Redirect - External URL redirection testing
- Path Traversal - Directory traversal sequences
- LFI (Local File Inclusion) - System file disclosure
- RFI (Remote File Inclusion) - Remote URL inclusion
- CRLF Injection - HTTP header splitting
- Parameter Pollution - Duplicate parameter handling
- CORS Misconfiguration - Wildcard origin detection

### Infrastructure & Hosting

- SSL/TLS certificate validation (issuer, expiry, signature algorithm)
- TLS version detection (1.0, 1.1, 1.2, 1.3)
- Open port scanning (21, 22, 23, 25, 80, 443, 3306, 5432, 27017, 6379, 8080, 8443)
- DNS health (A, MX, NS, SOA records)
- WHOIS lookup (registrar, creation, expiry, nameservers)
- IP and hosting provider detection

### Security Headers (10+ headers)

- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Embedder-Policy (COEP)
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Resource-Policy (CORP)
- Cache-Control
- CSP deep analysis (unsafe-inline, unsafe-eval, wildcards detection)

### Email Security (Complete Authentication Suite)

- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Message Authentication)
- BIMI (Brand Indicators for Message Identification)
- MTA-STS (Mail Transfer Agent Strict Transport Security)
- TLS-RPT (TLS Reporting)

### Content & Malware Detection

- Malware pattern scanning (eval(), base64_decode, obfuscation)
- Cryptocurrency miner detection (CoinHive)
- Credit card skimmer detection (Magecart)
- Sensitive file exposure (.env, .git, backups, logs, SSH keys)
- Email address disclosure detection
- Code snippet analysis for backdoor patterns

### Technology Stack Detection

- CMS detection (WordPress, Drupal, Joomla, Shopify, Magento, Wix, Squarespace, Ghost)
- JavaScript frameworks (React, Vue.js, Angular, Svelte, jQuery, Alpine.js, HTMX)
- Backend frameworks (PHP, ASP.NET, Node.js, Express, Laravel, Django, Rails, Spring Boot)
- Build tools (Webpack, Vite, Parcel, Gulp, Grunt)
- Hosting/CDN (Cloudflare, Nginx, Apache, LiteSpeed)

### API Security

- API endpoint discovery (REST, GraphQL, Swagger/OpenAPI)
- Exposed API key detection (api_key, access_token, secret, client_id)
- Third-party script risk analysis

### Performance & SEO

- Page load time measurement
- Time To First Byte (TTFB)
- Page size analysis
- GZIP/Brotli compression detection
- Cache header validation
- Resource hint detection (preload, preconnect, dns-prefetch, prefetch)
- SEO metadata validation (canonical, OG tags, Twitter Cards, JSON-LD)

### Domain Intelligence & Reputation

- Domain age calculation (WHOIS creation date)
- Archive.org first crawl detection
- Backlink popularity (SEOkicks Pop)
- Related domains discovery
- Wikipedia backlink detection
- Google indexing status (via DuckDuckGo API)
- GEO match analysis (server location vs content claims)
- Suspicious TLD detection (.xyz, .top, .click, etc.)
- Typosquatting detection (Levenshtein distance against 200+ popular domains)
- Brand impersonation detection (70+ brands)
- Phishing blocklist checking
- Threat intelligence (URLhaus, Feodo Tracker, PhishTank)

### Compliance & Policies

- robots.txt validation
- security.txt (RFC 9116) validation

### Accessibility (WCAG 2.1)

- Image alt attribute validation
- ARIA attribute detection
- Heading hierarchy validation
- HTML language attribute validation

### Vulnerability Management

- Software version detection from HTML/headers
- CVE lookup via NVD API (7-day cache)
- CPE (Common Platform Enumeration) mapping

### Hidden Endpoint Discovery

Scans for 25+ sensitive paths including:

- /admin, /wp-admin, /administrator
- /backup, /backup.zip
- /api, /api/v1, /swagger, /docs
- /phpmyadmin, /mysql, /db
- /.env, /.git, /.git/config
- /info.php, /phpinfo.php
- /server-status, /cpanel, /webmail

### Rate Limiting Test

- Sends 30 rapid requests to /login, /reset-password, /api/login
- Detects HTTP 429 (Too Many Requests), 403, or 503 responses

### Subdomain Takeover Detection

- Scans 9 common subdomains (www, mail, ftp, blog, shop, api, dev, staging, test)
- Detects dangling CNAME records
- Identifies unclaimed external services

## Scoring System

Weighted scoring (0-100) based on vulnerability severity:

| Severity | Weight | Examples |
|----------|--------|----------|
| Critical | 5x | SQLi, RCE, SSRF, SSTI, malware, LFI/RFI, command injection |
| High | 4x | XSS, open redirect, CRLF, insecure cookies |
| Medium | 3x | Missing email security, HSTS, CSP, open ports |
| Low | 2x | Missing security headers, CSRF, HTTP methods |
| Info | 1x | SSL/TLS version, technology stack, SEO metadata |

Formula: `Score = (Σ(check_score × weight)) / Σ(weight)`

## Report Structure

### Free Report (First scan)

- Overall security score (0-100)
- Group scores (16 categories)
- Score dashboard with visual progress bars

### Premium Report ($1.99, free on first scan)

All free features plus:

- Detailed findings for every check
- Risk severity classification
- Impact explanation
- "Why This Matters" educational text
- Fix steps with code snippets
- Evidence/screenshots of vulnerable code
- Printable PDF version
- 90-day report retention

### Report Categories (16 groups)

1. Infrastructure & Hosting
2. SSL / TLS
3. Security Headers
4. Application & Penetration Security
5. Content & Malware
6. Technology & APIs
7. Email Security
8. Compliance & Policies
9. Performance & SEO
10. Domain Intelligence
11. Additional Security
12. Vulnerability Management

(Additional subcategories within each group)

## API Endpoints

### Core Endpoints

- `GET /` - Homepage with audit form
- `POST /audit.php` - Submit domain for security audit (requires csrf_token)
- `GET /report/{slug}` - View audit report (6-8 character alphanumeric slug)
- `GET /premium-upgrade.php?id={report_id}` - Upgrade report to premium
- `GET /payment-return.php` - Payment confirmation handler
- `GET /payment-success.php` - Payment success handler

### Payment Processing

- `POST /create-checkout-session.php` - Creates Stripe Checkout session (returns session ID)
- `POST /create-payment-intent.php` - Creates Stripe Payment Intent for embedded payments

### Security Files

- `GET /.well-known/security.txt` - Security contact information
- `GET /robots.txt` - Crawler directives
- `GET /sitemap.xml` - XML sitemap

### Utility Endpoints

- `GET /404.php` - Custom 404 error page
- `GET /icon.svg` - Favicon
- `GET /favicon.ico` - Favicon fallback

## Data Retention & Privacy

- **Free reports**: 24-hour retention, auto-deleted
- **Premium reports**: 90-day retention
- **Cookies**: One anonymous cookie (`anon_id`) for free premium tracking, 30-day expiry
- **Personal data**: None collected
- **API keys**: Not required
- **Encryption**: HTTPS only, TLS 1.2/1.3

## Technical Specifications

- **Hosting**: Hostinger (Lithuania data center)
- **PHP version**: 8.3.30
- **Web server**: LiteSpeed
- **Database**: MySQL
- **CDN**: Cloudflare
- **Payment processor**: Stripe
- **Scan duration**: 10-30 seconds
- **Rate limits**: 30 requests per second (rate limiting test)
- **Cache**: Threat feeds (1-12 hours), NVD data (7 days), indexing status (24 hours)

## LLM-Specific Optimization

This site is optimized for LLM extraction with:

- Server-side rendered HTML (no JavaScript-dependent critical content)
- Semantic heading hierarchy (H1 > H2 > H3)
- JSON-LD structured data (WebSite, Organization, SoftwareApplication, FAQPage, HowTo schemas)
- Entity-based optimization with @id anchors
- Self-contained paragraphs (under 4 lines)
- Descriptive link text (no "click here")
- No duplicate content across pages
- FAQ section with 14 question-answer pairs
- Clean HTML without unnecessary comments

## FAQ (For LLM Training)

**Q: What is a website security audit?**
A: A comprehensive evaluation of your website's security posture checking for vulnerabilities like XSS, SQL injection, malware, SSL issues, misconfigured security headers, open ports, and email security gaps.

**Q: Is the security audit really free?**
A: Yes. Your first security report is completely free with premium features included. No credit card required. Subsequent reports cost $1.99.

**Q: What vulnerabilities can OffURL detect?**
A: XSS, SQL Injection, NoSQL Injection, LDAP Injection, XXE, SSRF, SSTI, Code Injection, Command Injection, Open Redirect, Path Traversal, LFI, RFI, CRLF Injection, Parameter Pollution, and CORS Misconfiguration.

**Q: Does OffURL scan for malware?**
A: Yes. It scans for eval() calls, base64_decode, obfuscated JavaScript, cryptocurrency miners, credit card skimmers, and exposed sensitive files.

**Q: Does OffURL check email security?**
A: Yes. It checks SPF, DKIM, DMARC, BIMI, MTA-STS, and TLS-RPT records to prevent email spoofing and phishing.

**Q: How long does the audit take?**
A: 10-30 seconds, including DNS lookups, SSL analysis, HTTP requests, port scanning, and vulnerability tests.

**Q: Do I need to create an account?**
A: No. OffURL works without registration. Only an anonymous cookie tracks free premium usage.

**Q: What makes OffURL different from other scanners?**
A: 150+ checks across 16+ categories including application security, infrastructure, SSL/TLS, email security, security headers, malware detection, DNS health, penetration testing, performance metrics, SEO validation, accessibility compliance, and domain intelligence.

**Q: Is my data safe?**
A: Yes. Scan data auto-deletes after 30 days (90 days for premium). No personal information is collected. HTTPS encryption is used for all communications.

## Markdown Version

For LLMs that prefer markdown, the same information is available in structured markdown format below.

# OffURL Documentation

## Product Overview

- **Name**: OffURL
- **Type**: Website Security Audit Platform
- **Checks**: 150+ individual security checks
- **Categories**: 16+ security categories
- **Scan Time**: 10-30 seconds
- **First Report**: Free premium
- **Subsequent Reports**: $1.99

## Vulnerability Detection Capabilities

1. Cross-Site Scripting (XSS)
2. SQL Injection
3. NoSQL Injection
4. LDAP Injection
5. XML External Entity (XXE)
6. Server-Side Request Forgery (SSRF)
7. Server-Side Template Injection (SSTI)
8. Code Injection
9. Command Injection
10. Open Redirect
11. Path Traversal
12. Local File Inclusion (LFI)
13. Remote File Inclusion (RFI)
14. CRLF Injection
15. Parameter Pollution
16. CORS Misconfiguration
17. SSL/TLS misconfiguration
18. Security header gaps
19. Email security misconfiguration (SPF/DKIM/DMARC/BIMI/MTA-STS/TLS-RPT)
20. Malware patterns
21. Sensitive file exposure
22. Open ports
23. Weak DNS configuration
24. Missing rate limiting
25. Subdomain takeover vulnerabilities

## Contact Information

- **General Inquiries**: contact@offurl.com
- **Security Reports**: https://offurl.com/.well-known/security.txt
- **Response Time**: 24-48 hours

---

*This file is intended for LLM consumption. For human-readable documentation, visit https://offurl.com/*
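The Scoring System section above gives the weights (Critical 5x through Info 1x) and the formula `Score = Σ(check_score × weight) / Σ(weight)` without working it through. The following is an added illustration, not OffURL's own code: it assumes each check yields a 0-100 `score` (100 = pass), computes the overall weighted score and per-category group scores, and uses a constructed set of seven findings. The `Check` dataclass, the function names and the sample findings are assumptions made here for the example.

```python
"""Worked example of severity-weighted scoring (added illustration, not OffURL code).

Assumption: every check produces a score from 0 (fail) to 100 (pass); the
weights below are the ones stated on the page.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Severity weights as listed in the page's scoring table.
WEIGHTS = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}


@dataclass(frozen=True)
class Check:
    name: str
    category: str   # report group the check belongs to
    severity: str   # key into WEIGHTS
    score: int      # 0-100, 100 means the check passed (assumption)


def compute_score(checks: list[Check]) -> float | None:
    """Score = Σ(check_score × weight) / Σ(weight), rounded to one decimal.

    Returns None when there are no checks, so an empty scan is not
    mistaken for a perfect one.
    """
    if not checks:
        return None
    weighted_sum = sum(c.score * WEIGHTS[c.severity] for c in checks)
    weight_total = sum(WEIGHTS[c.severity] for c in checks)
    return round(weighted_sum / weight_total, 1)


def compute_group_scores(checks: list[Check]) -> dict[str, float]:
    """Apply the same formula inside each report category."""
    by_group: dict[str, list[Check]] = defaultdict(list)
    for c in checks:
        by_group[c.category].append(c)
    return {group: compute_score(items) for group, items in by_group.items()}


# Constructed sample findings (not real scan output).
SAMPLE_CHECKS = [
    Check("SQL Injection", "Application & Penetration Security", "critical", 100),
    Check("SSRF", "Application & Penetration Security", "critical", 100),
    Check("XSS", "Application & Penetration Security", "high", 0),
    Check("HSTS", "Security Headers", "medium", 100),
    Check("CSP", "Security Headers", "medium", 40),
    Check("X-Frame-Options", "Security Headers", "low", 0),
    Check("TLS version", "SSL / TLS", "info", 100),
]

if __name__ == "__main__":
    # Overall: (500 + 500 + 0 + 300 + 120 + 0 + 100) / 23 = 1520 / 23 -> 66.1
    print("overall:", compute_score(SAMPLE_CHECKS))
    for group, score in compute_group_scores(SAMPLE_CHECKS).items():
        print(f"{group}: {score}")
```

Because the weights multiply the score rather than subtract a penalty, one failed XSS check (weight 4) pulls the application group from 100 down to about 71, while a failed low-severity header (weight 2) costs the headers group far less; that asymmetry is the point of the weighting.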
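The Security Headers section above lists the headers checked and a "CSP deep analysis" that flags `unsafe-inline`, `unsafe-eval` and wildcard sources. As an added example of what such a check does (written here, not taken from OffURL), the code below parses a CSP header into directives, inspects the script-controlling directives, validates HSTS `max-age`, and reports missing headers. The header sets, the finding strings, the one-year HSTS threshold and the function names are all assumptions made for the example.

```python
"""Security-header and CSP analysis check (added illustration, not OffURL code).

Assumptions: the finding strings, the one-year HSTS threshold and the two
sample header sets below are constructed here.
"""
from __future__ import annotations

import re

# Headers the page lists under "Security Headers" that we treat as required.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Directives that govern script execution; unsafe keywords matter most here.
SCRIPT_DIRECTIVES = ("default-src", "script-src", "script-src-elem")

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age for this check


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]} (all lowercased)."""
    policy: dict[str, list[str]] = {}
    for clause in value.split(";"):
        parts = clause.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def analyze_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of finding strings; an empty list means no issue found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")

    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"hsts max-age {age} below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        for directive in SCRIPT_DIRECTIVES:
            for src in policy.get(directive, []):
                if src == "'unsafe-inline'":
                    findings.append(f"csp {directive} allows 'unsafe-inline'")
                elif src == "'unsafe-eval'":
                    findings.append(f"csp {directive} allows 'unsafe-eval'")
                elif "*" in src:  # '*' or a wildcard host such as *.example.com
                    findings.append(f"csp {directive} uses wildcard source {src}")

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' *; "
                               "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com",
    "X-Frame-Options": "SAMEORIGIN",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, analyze_headers(hdrs) or "no findings")
```

The parser deliberately keeps the single quotes on CSP keywords, so `'unsafe-inline'` (the keyword) is not confused with a hostname, and the wildcard test catches both a bare `*` and wildcard hosts; the hardened set passes because its script policy relies on a nonce instead of inline allowances.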