A web application security audit in 2026 is no longer just “scan the production URL with a vulnerability scanner”. The attack surface has expanded in three directions at once: REST and GraphQL APIs now carry more traffic than HTML pages on most modern stacks, CI/CD pipelines are full of long-lived secrets and powerful tokens, and the JavaScript and Python dependency trees of a medium application include hundreds of transitive packages that any single maintainer can compromise. This guide gives a layered methodology that covers all four surfaces in a defensible way: transport and network, application code, supply chain, and secrets management. It is opinionated, ships with the exact tools and config snippets, and ends with a 25-point checklist you can paste into your team wiki.
Table of contents
Why a 2026 audit is different from a 2022 audit
Three shifts in the last three years have changed what “auditing a web app” means in practice. The first is the dominance of API traffic. A modern web app exposes a public REST or GraphQL surface that an SPA, a mobile app and a few third-party integrations all consume in parallel. That surface is rarely covered by the human-driven flows a classic black-box scanner walks through. A traditional scan of the marketing pages can pass clean while an unauthenticated GraphQL introspection endpoint leaks the entire schema and lets an attacker enumerate every mutation.
The second shift is the centrality of CI/CD. Every web app of any size now ships through GitHub Actions, GitLab CI, CircleCI, or a self-hosted Jenkins. Those pipelines hold deployment tokens, cloud credentials, registry passwords and database URLs. A successful audit must inspect the pipeline configuration with the same rigour as the application code, because a compromised workflow file is equivalent to a compromised production key.
The third shift is the AI integration. Most non-trivial web apps in 2026 call at least one large language model API, and many integrate retrieval-augmented generation against a vector store of customer data. Prompt injection, indirect prompt injection through scraped content, and data exfiltration through model responses are real categories now, not academic curiosities. They sit at the intersection of application logic and supply chain risk and they need to be on the audit list.
The four layers and how they map to OWASP 2025
The OWASP Top 10 update published in late 2025 reshuffled the categories to reflect this expanded surface. The four-layer model below mirrors that update and gives you a concrete order of operations for the audit.
- Transport and network. TLS configuration, HSTS, CORS posture, allow-listed origins, rate limits at the edge. Maps to A05 (Security Misconfiguration) and A07 (Identification and Authentication Failures).
- Application code. Authentication, authorisation, input validation, output encoding, server-side request forgery, business-logic flaws, GraphQL introspection, file upload handling. Maps to A01 (Broken Access Control), A03 (Injection), A04 (Insecure Design), A10 (SSRF).
- Supply chain. Direct and transitive dependencies, package registries, container base images, infrastructure-as-code modules, GitHub Actions or GitLab CI references. Maps to A06 (Vulnerable and Outdated Components) and A08 (Software and Data Integrity Failures).
- Secrets management. Tokens, API keys, database URLs, JWT signing keys, encryption keys at rest. Maps to A02 (Cryptographic Failures) and the brand-new 2025 entry on secrets exposure in pipelines.
Walking the four layers in order is intentional. Each one builds confidence on the previous: a hardened transport layer makes layer-two findings less exploitable, a clean dependency tree makes secret-scope reviews tractable, and a tight secrets baseline catches the residual risk that escapes the other three.
Layer 1: transport and network
The transport audit is the cheapest to run and the easiest to fail in production. It covers four artefacts: the TLS certificate, the HSTS configuration, the security-header baseline, and the CORS policy.
TLS configuration
You want TLS 1.3 enabled, TLS 1.0 and 1.1 explicitly disabled, an ECDSA or RSA-2048+ certificate, OCSP stapling on, and a valid certificate chain with at least 30 days remaining before expiry. A monitor that pages you at 14 days is the right escalation level. Drop the SSL Labs grade to A or A+ before declaring the layer done; an A- usually means you forgot to disable TLS 1.0 on a legacy origin server.
HSTS and security headers
The 2026 baseline for any public web app is six headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and X-Frame-Options (or its modern equivalent frame-ancestors in CSP). The minimum HSTS configuration is one year with subdomain coverage:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
CSP is the single highest-leverage header. A strict starting point that works for most React, Vue or Next.js applications is:
Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-...'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.your-domain.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; report-uri /csp-report;
Ship CSP in report-only mode for two weeks, collect violations, then enforce. Sites that skip the report-only phase end up with a broken production deploy at the worst possible moment.
CORS
CORS is where modern apps consistently leak. The audit pattern is: enumerate every cross-origin endpoint, then verify that Access-Control-Allow-Origin is either a specific origin or a controlled allow-list, never a wildcard combined with Access-Control-Allow-Credentials: true. The combination is a credential exfiltration vector that has been on the OWASP cheat sheet for a decade and still ships in production.
For APIs that accept tokens in the Authorization header, make sure preflight requests are explicitly handled and not relying on a permissive default in your framework. Express, Fastify, FastAPI and Django all ship sensible defaults today, but they often get overridden by a copy-pasted “allow all” middleware during the prototype phase that is never tightened before launch.
Layer 2: application code
Layer two is the largest, and the place where automated tools alone cannot give you confidence. The methodology is to split the surface into three buckets and audit each one separately: the HTML/SPA surface, the API surface, and the file-upload surface.
The HTML and SPA surface
For server-rendered pages, you are auditing for the classic injection categories: stored XSS in user-generated content, reflected XSS in search and error pages, server-side template injection in any page that interpolates user input into a template engine. For SPAs, the same logic applies to client-side rendering: any HTML written through innerHTML or React’s dangerouslySetInnerHTML needs to come from trusted source or pass through DOMPurify. A static-analysis pass with Semgrep or ESLint’s security rules catches the common mistakes.
The API surface
For REST, the audit is access-control-heavy: every endpoint should require authentication unless explicitly marked public, every authenticated endpoint should enforce object-level authorisation (the famous “user 42 cannot view user 43’s invoice”), and every mutation should validate the request body against a schema, not just trust the deserialised object. For GraphQL, the audit adds three checks specific to the protocol: introspection should be disabled in production, query depth and complexity should be limited at the resolver layer to prevent denial of service through nested queries, and field-level authorisation should be enforced (a user with read access to Order should not implicitly have read access to Order.customer.creditCardLast4).
Modern teams use a contract-first approach: an OpenAPI or GraphQL SDL document is the source of truth, and the implementation is verified to match the contract. The audit checks that the contract itself does not leak sensitive fields or expose admin-only operations to the public role.
The file-upload surface
File uploads are one of the highest-severity, lowest-frequency findings. The checks are: server-side MIME and magic-byte validation (never trust the Content-Type header from the client), file-size limits enforced at both the web server and the application, randomised filenames written to a non-executable directory, virus scanning on uploaded content if the application stores documents, and an explicit allow-list of accepted extensions rather than a deny-list. The XML-format trap is particular: any XML parser must have external entity resolution disabled (XXE) and entity expansion limited (billion laughs).
Layer 3: supply chain
The supply chain has overtaken application code as the leading source of confirmed breach root causes in 2025. The audit covers four artefact families.
Direct and transitive dependencies
Run npm audit --omit=dev, pip-audit, bundle audit, cargo audit or the equivalent for your stack as part of CI. The signal you want is “zero critical and zero high in the production dependency tree”, then a defined SLA on medium and low. The classic mistake is to scan dev dependencies into the same noise stream as production, then ignore both. Configure the tool to separate them.
The lockfile is the source of truth
Audit the package-lock.json, yarn.lock or Pipfile.lock rather than the manifest. A lockfile pins exact versions and hashes; an unaudited package.json with caret ranges can resolve differently on the next CI run. If your CI does not refuse to build when the lockfile is missing or out of date, the supply-chain check is theatre.
Container base images
For any service shipped as a container, scan the base image with Trivy, Grype or Snyk before merging the Dockerfile change. Pin the base image to a digest, not a tag, and refresh the digest on a schedule rather than letting latest drift. The 2025 dependency-confusion attacks demonstrated that a missing digest pin can resolve to a malicious image overnight.
CI workflow files
Audit every .github/workflows/*.yml for two patterns: pinned uses: references (always to a commit SHA, not a tag or branch), and least-privilege permissions: blocks at the workflow or job level. An action referenced as actions/checkout@v4 can become malicious if the v4 tag is rewritten upstream; the same action referenced by SHA cannot. The same logic applies to GitLab CI’s include: and CircleCI orbs.
Layer 4: secrets management
The fastest way to fail an audit in 2026 is to scan the repository with gitleaks or trufflehog and find a token. The second fastest is to scan the GitHub Actions logs and find a secret printed in an error message because someone forgot to add ::add-mask::. The third is to find a long-lived personal access token used in CI because someone could not be bothered to set up a deploy key.
The audit asks five questions. Is every secret in a secrets manager (Vault, AWS Secrets Manager, Doppler, GitHub Encrypted Secrets) rather than in code or env files? Is every secret rotated on a schedule (90 days for high-privilege, 365 for low)? Is every secret scoped to the smallest blast radius (one project, one environment)? Are there alerts on use of the secret outside the expected context (an IP-restriction policy or a CloudTrail alert)? Are old secrets revoked the moment a new one is issued, not left active “just in case”?
The fifth question is the one that fails most teams. Old secrets accumulate, then a former contractor’s token logs in from an unexpected country three years after the offboarding ticket was closed. A periodic “list all active secrets older than 365 days” report is the single highest-leverage hygiene practice available.
The 2026 tooling stack
The free tools that cover most of the layered audit in 2026 are: nuclei for templated DAST against APIs, Semgrep for static analysis with community rule packs covering all four major web stacks, Trivy for container and IaC scanning, gitleaks or trufflehog for secret scanning, OWASP ZAP for browser-driven scanning of authenticated flows, and SSLLabs (free public service) for TLS verification.
The commercial tier adds defence in depth: Snyk or GitHub Advanced Security for continuous monitoring of the dependency tree with auto-PR remediation, Burp Suite Professional for manual API testing, and a managed WAF (Cloudflare, AWS WAF, Sucuri) for runtime protection. The break-even point between free and commercial is usually around the third audit cycle, when the engineering time spent on triage exceeds the cost of the tool.
Need to audit headers and TLS first?
Use our free HTTP Headers Checker and SSL Certificate Checker to validate the transport layer of any URL in under 10 seconds, then come back to the application and supply-chain layers.
The 25-point audit checklist
Run through this once at site launch, then every quarter, then after every architecture change. Severities are calibrated for a public-facing production web app.
| # | Check | Layer | Severity |
|---|---|---|---|
| 1 | TLS 1.3 enabled, 1.0 and 1.1 disabled, cert > 30 days remaining | Transport | High |
| 2 | HSTS with max-age >= 31536000 + includeSubDomains | Transport | High |
| 3 | CSP at least at default-src 'self' in enforce mode | Transport | High |
| 4 | Six security headers present and correct | Transport | Med |
| 5 | CORS allow-list explicit, no wildcard + credentials combo | Transport | High |
| 6 | Edge rate limits configured per route family | Transport | Med |
| 7 | Every API endpoint requires auth unless explicitly public | Application | High |
| 8 | Object-level authorisation enforced (no IDOR) | Application | High |
| 9 | Request bodies validated against schema | Application | Med |
| 10 | GraphQL introspection disabled in production | Application | Med |
| 11 | GraphQL query depth and complexity limited | Application | Med |
| 12 | SPA dynamic HTML passes through DOMPurify or equivalent | Application | High |
| 13 | File uploads enforce server-side MIME and magic-byte check | Application | High |
| 14 | XML parsers have XXE and entity expansion disabled | Application | High |
| 15 | SSRF mitigations on any URL-fetching feature | Application | High |
| 16 | Direct and transitive deps scanned, zero high/critical in prod tree | Supply chain | High |
| 17 | Lockfile required, CI refuses missing or stale lockfile | Supply chain | Med |
| 18 | Container base images pinned to digest, scanned with Trivy | Supply chain | Med |
| 19 | CI uses: references pinned to commit SHA | Supply chain | Med |
| 20 | CI workflows declare least-privilege permissions: | Supply chain | Med |
| 21 | All secrets in a managed vault, none in code or env files | Secrets | High |
| 22 | Secrets scoped to one project and one environment | Secrets | High |
| 23 | High-privilege secrets rotated every 90 days | Secrets | Med |
| 24 | Old secrets revoked, no active secret older than 365 days | Secrets | High |
| 25 | Repo and CI logs scanned with gitleaks or trufflehog | Secrets | High |
FAQ
How long does a full audit take?
For a medium web app (one frontend, one API, two services, a database), expect three engineering days for the first pass. Subsequent quarterly audits run in a day if the tooling is wired into CI. The first audit is always the slowest because it doubles as the time you discover where every artefact lives.
What is the difference between a security audit and a penetration test?
A security audit is structured, checklist-driven, and aims for completeness across the four layers. A penetration test is exploratory, attacker-mindset, and aims to find one critical chain that an audit might miss. You want both: the audit gives baseline coverage, the pentest catches the creative path. Run the audit quarterly and the pentest annually.
Do I need a SOC2 or ISO 27001 process to do this?
No. The methodology above is independent of compliance frameworks. If you happen to be under SOC2, ISO 27001 or PCI-DSS, this checklist satisfies a significant portion of the security-control requirements. If you are pre-compliance, doing it now makes the eventual audit dramatically cheaper.
How do I audit a SaaS that I integrate but do not control?
Request their latest SOC2 report or security questionnaire, check that they have a public security policy and a vulnerability disclosure programme, verify the data they process is encrypted in transit and at rest, and verify the minimal scope of the API token your application requests. For critical vendors, an annual review of the report is part of layer three.
What about prompt injection and AI API integrations?
Treat any LLM call as an untrusted execution boundary. Sanitise inputs that originate from external content (user uploads, scraped pages, retrieved documents) before they reach the prompt. Separate system and user roles, never concatenate them. Enforce output validation: a model that is allowed to return JSON should be checked against a schema before its result reaches any sensitive action. Log every prompt and response for at least 30 days for forensics.
How do I measure progress between audits?
Track three numbers: the count of open high-severity findings, the median age of an open finding in days, and the count of new high-severity findings introduced in the last quarter. The first two trend toward zero; the third stays low because the layered approach catches regressions early.
