Website Security Audit UK
— What We Check
and Why It Matters

A website security audit isn't just for large enterprises. Any web application that stores user data, takes payments, or connects to a database is a target. At Niobotics, we perform comprehensive security audits for businesses across the UK for around £100 — including a full written report with remediation steps.

Here's exactly what we check.

1. OWASP Top 10 Assessment

The OWASP Top 10 is the industry-standard list of the most critical web application security risks. We test every item:

• A01 — Broken Access Control: Can users access data they shouldn't? Can they escalate privileges?
• A02 — Cryptographic Failures: Is sensitive data encrypted in transit and at rest? Are deprecated TLS versions in use?
• A03 — Injection: SQL injection, NoSQL injection, command injection, LDAP injection
• A04 — Insecure Design: Are there architectural flaws that make the system inherently insecure?
• A05 — Security Misconfiguration: Default credentials, verbose error messages, unnecessary features enabled
• A06 — Vulnerable Components: Outdated npm packages, frameworks with known CVEs
• A07 — Authentication Failures: Weak password policies, missing account lockout, exposed session tokens
• A08 — Software and Data Integrity Failures: Unsigned packages, insecure deserialisation
• A09 — Security Logging Failures: Are security events being logged? Are logs protected?
• A10 — Server-Side Request Forgery (SSRF)

2. Exposed sensitive files

One of the most common vulnerabilities we find is sensitive files accidentally made publicly accessible. We scan for:

• .env files containing API keys and database passwords
• /admin, /wp-admin, /.git directories exposed to the public
• Backup files (.sql, .bak, .zip) accessible via predictable URLs
• API keys leaking through client-side JavaScript bundles
• Stack traces and verbose error messages revealing server configuration

3. Database security

For Supabase-based applications, we review:

• Row-Level Security (RLS) policies — are they correctly configured so users can only access their own data?
• Direct database access — is the Supabase anon key used correctly?
• Service role key exposure — is it ever used client-side?
• Database schema design — are there structural vulnerabilities like missing foreign key constraints?

4. API endpoint security

• Unauthenticated endpoints that should require auth
• Missing rate limiting (allows brute-force attacks)
• CORS misconfigurations allowing cross-origin requests from any domain
• IDOR (Insecure Direct Object References) — can a user manipulate IDs to access other users' data?
• Mass assignment vulnerabilities — can a user modify fields they shouldn't?

What you receive

After the audit you receive a written report detailing every vulnerability found, its severity (Critical / High / Medium / Low), the exact location in your codebase, and specific remediation steps. We also fix critical issues as part of the audit for no extra charge.