Security Testing
Overview
CodeFrog provides comprehensive security scanning capabilities to help identify vulnerabilities, security misconfigurations, and potential security risks in your codebase.
HTTPS-First with HTTP Retry
CodeFrog uses an HTTPS-first approach for all network communications:
- Primary Attempt: All requests default to HTTPS
- Automatic Retry: If HTTPS fails, the system automatically retries with HTTP
- Security Warning: HTTP connections are logged with security warnings
- Best Practice: Always prefer HTTPS endpoints when available
This approach ensures maximum security while maintaining compatibility with legacy systems.
Skipping Sensitive File Probing
CodeFrog’s security scanner probes for exposed sensitive files and directories by requesting paths like /.git/, /.svn/, /.env, /composer.json, /package.json, /phpinfo.php, /server-status, and others. It also checks for directory listing on paths like /backup/, /logs/, and /uploads/.
The Problem: False Positives on Catch-All Sites
Some websites are configured to return a default page (HTTP 200) for any route instead of a proper 404 Not Found response. When this happens, the scanner interprets the 200 response as an exposed sensitive file, generating false positive findings marked as Critical or High severity.
For example, a site like https://example.com/.git might return the site’s homepage with a 200 status, which the scanner would flag as an exposed Git repository.
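The catch-all problem can be detected rather than just skipped: request a path that cannot exist (a random nonce) and compare its response with each probe. The following is an added illustration, not CodeFrog's own scanner code; the Response class and the sample bodies are constructed here, and the /.git/HEAD content check is an extra validation step this page does not describe.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for an HTTP response; no network access is used here.
@dataclass(frozen=True)
class Response:
    status: int
    body: bytes

def fingerprint(body: bytes) -> str:
    """Hash the body so pages can be compared without keeping them around."""
    return hashlib.sha256(body).hexdigest()

def is_catch_all(canary: Response) -> bool:
    """A nonce path that cannot exist should 404; a 200 means the site answers
    every route, so a bare status code proves nothing about exposure."""
    return canary.status == 200

GIT_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})$")

def looks_like_git_head(body: bytes) -> bool:
    """A real .git/HEAD is one 'ref: refs/...' line or a 40-hex commit id."""
    return GIT_HEAD_RE.match(body.strip()) is not None

def classify_probe(path: str, probe: Response, canary: Response) -> str:
    """Return 'not-exposed', 'false-positive', 'exposed' or 'needs-review'."""
    if probe.status != 200:
        return "not-exposed"
    if is_catch_all(canary) and fingerprint(probe.body) == fingerprint(canary.body):
        return "false-positive"  # same default page the nonce path got
    if path.endswith("/.git/HEAD"):
        # Content-based validation works even on catch-all sites.
        return "exposed" if looks_like_git_head(probe.body) else "needs-review"
    return "needs-review" if is_catch_all(canary) else "exposed"

# Constructed sample responses
HOMEPAGE = b"<html><body>Welcome</body></html>"
canary_spa = Response(200, HOMEPAGE)        # catch-all site: nonce path -> homepage
canary_ok = Response(404, b"Not Found")     # well-behaved site: nonce path -> 404
git_head = Response(200, b"ref: refs/heads/main\n")
```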
How to Skip Probing
To avoid these false positives, enable the “Skip sensitive file probing” checkbox:
- Mega Report: In the report configuration dialog, check “Skip sensitive file probing (.git, .svn, .env, etc.)” below the URL input
- Bulk Security Scanner: Check “Skip file probing (.git, .svn, .env)” in the scan options area
When enabled, the scanner will skip all sensitive file/directory probing and directory listing checks. Other security checks (headers, CORS, TLS, cookies, etc.) will still run normally.
In the Report
When probing is skipped, the security section of the report will display an info banner noting that sensitive file probing was skipped. You can click “Re-run with probing” to generate a new report with probing enabled, or vice versa.
Secrets Detection Basics
CodeFrog integrates with Gitleaks for comprehensive secrets detection. See the Secrets / Gitleaks page for detailed information about:
- What secrets are and why they matter
- How Gitleaks works
- Default exclusion patterns
- Adding custom exclusions
- Exporting and acting on results
Security Headers
Security headers are HTTP response headers that instruct browsers how to handle your website’s content. They provide defense-in-depth protection against common web vulnerabilities.
CodeFrog checks for the presence and proper configuration of security headers including:
- HSTS (Strict-Transport-Security): Enforces HTTPS connections to prevent MITM attacks
- X-Content-Type-Options: nosniff: Prevents MIME-sniffing and content type confusion attacks
- Referrer-Policy: Controls referrer information leakage to third-party sites
- X-Frame-Options / CSP frame-ancestors: Prevents clickjacking attacks
- Content-Security-Policy (CSP): Restricts resource loading sources to reduce XSS impact
- Permissions-Policy: Controls browser feature access (camera, microphone, geolocation, etc.)
- Cross-Origin-Opener-Policy (COOP): Isolates browsing context from cross-origin windows
- Cross-Origin-Embedder-Policy (COEP): Requires cross-origin resources to opt in to embedding
- Cookie Security Flags: Secure, HttpOnly, and SameSite flags to prevent cookie theft and CSRF
Without security headers, your site relies on default browser behavior, which is often permissive and can leave you vulnerable to XSS, clickjacking, MITM attacks, and information leakage.
For detailed information about each header, what it prevents, and how to configure it, see the Security Headers: Why They Matter guide.
See also the What We Check page for a complete list of all security checks performed by CodeFrog.
TLS / Certificate Analysis
CodeFrog performs transport-layer security analysis on your target site’s TLS configuration. These checks focus on real-world security, compliance, and best practices.
Certificate Checks
- Certificate expiration: Warns if the certificate expires within 30 days; flags as high severity if already expired
- Self-signed certificate: Detects certificates where the issuer matches the subject, indicating a self-signed certificate not trusted by browsers
- Not-yet-valid certificate: Flags certificates with a start date in the future
- Hostname mismatch: Verifies that the target hostname appears in the certificate’s Subject Alternative Names (SAN); flags if missing
- RSA key strength: Flags RSA keys smaller than 2048 bits as weak; reports ECDSA key usage as a positive informational finding
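The certificate checks above, written out as an added example (not CodeFrog's code) over the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The sample certificate is constructed; the 30-day and expired thresholds follow the list, while the other severities are assumptions, and the RSA key-size check is omitted because getpeercert() does not expose the key.

```python
import ssl
import time
THIRTY_DAYS = 30 * 86400

def _rdn_to_dict(name) -> dict:
    """Flatten getpeercert()'s ((('commonName', 'x'),),) structure into a dict."""
    return {k: v for rdn in name for k, v in rdn}

def hostname_matches(hostname: str, cert: dict) -> bool:
    """Match SAN DNS entries only (browsers ignore the CN); a wildcard covers one label."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        pattern = value.lower()
        if kind != "DNS":
            continue
        if pattern.startswith("*."):
            head, _, tail = host.partition(".")
            if head and tail == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False

def check_certificate(cert: dict, hostname: str, now=None) -> list:
    """Return (severity, message) findings; `now` is epoch seconds (default: wall clock)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now > not_after:
        findings.append(("high", "certificate has expired"))
    elif not_after - now < THIRTY_DAYS:
        findings.append(("medium", f"certificate expires in {int((not_after - now) // 86400)} days"))
    if now < not_before:
        findings.append(("high", "certificate is not yet valid"))
    if _rdn_to_dict(cert["subject"]) == _rdn_to_dict(cert["issuer"]):
        findings.append(("high", "self-signed certificate (issuer equals subject)"))
    if not hostname_matches(hostname, cert):
        findings.append(("high", f"{hostname} not in Subject Alternative Names"))
    return findings

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```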
Transport Checks
- HTTP to HTTPS redirect: Checks whether HTTP requests are properly redirected to HTTPS; flags sites that serve content over plain HTTP without redirect
- Redirect chain length: Reports when the HTTP-to-HTTPS redirect chain exceeds one hop
- HSTS configuration: Beyond basic presence, checks that the max-age is at least 6 months, and reports missing includeSubDomains and preload directives
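An added example (not CodeFrog's code) that applies the header checks from the Security Headers section together with the HSTS directive checks just listed to a response's headers. Keys are matched case-insensitively, Set-Cookie is passed as a list of values, the six-month threshold is taken as 180 days, and the severities are assumptions.

```python
SIX_MONTHS = 180 * 86400  # assumed reading of "at least 6 months"

def parse_directives(value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def check_hsts(headers: dict) -> list:
    """Findings for Strict-Transport-Security; keys in `headers` are lowercase."""
    value = headers.get("strict-transport-security")
    if value is None:
        return [("high", "Strict-Transport-Security header missing")]
    d, findings = parse_directives(value), []
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        findings.append(("high", "HSTS max-age missing or not numeric"))
    elif int(max_age) < SIX_MONTHS:
        findings.append(("medium", f"HSTS max-age {max_age} is under 6 months"))
    if "includesubdomains" not in d:
        findings.append(("low", "HSTS lacks includeSubDomains"))
    if "preload" not in d:
        findings.append(("info", "HSTS lacks preload"))
    return findings

def check_headers(headers: dict) -> list:
    """Evaluate one response's headers; Set-Cookie is a list of cookie strings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = check_hsts(h)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("medium", "Content-Security-Policy missing"))
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("medium", "no clickjacking protection (frame-ancestors / X-Frame-Options)"))
    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy missing"))
    for cookie in h.get("set-cookie", []):
        lc = cookie.lower()
        missing = [f for f in ("secure", "httponly", "samesite") if f not in lc]
        if missing:
            name = cookie.split("=", 1)[0]
            findings.append(("medium", f"cookie {name} lacks {', '.join(missing)}"))
    return findings
```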
Protocol & CDN Detection
- ALPN / HTTP/2: Detects HTTP/2 support via ALPN negotiation during the TLS handshake
- HTTP/3: Detects HTTP/3 advertisement via the Alt-Svc response header
- CDN detection: Identifies CDN providers (Cloudflare, AWS CloudFront, Akamai, Fastly) from response headers
TLS Protocol Version Detection
CodeFrog uses native platform code (iOS: Network.framework, Android: SSLSocket) to probe which TLS protocol versions a server accepts:
- TLS 1.0 detection: Flags servers that still accept deprecated TLS 1.0 connections (medium severity). TLS 1.0 has known vulnerabilities (BEAST, POODLE) and fails PCI-DSS compliance.
- TLS 1.1 detection: Flags servers that still accept deprecated TLS 1.1 connections (medium severity). TLS 1.1 is deprecated per RFC 8996.
- TLS 1.3 absence: Reports when a server does not support TLS 1.3 (informational). TLS 1.3 offers improved security and reduced handshake latency.
Not Yet Supported
The following checks are planned for a future release:
- Cipher suite analysis (CBC, 3DES, RC4, etc.)
- OCSP stapling detection
- Insecure TLS renegotiation detection
For comprehensive cipher analysis, we recommend using SSL Labs Server Test — a free tool that performs deep TLS inspection including cipher suite enumeration and certificate chain validation.
Vulnerability Coverage
The security scanner checks for:
Common Vulnerabilities
- SQL Injection: Unsanitized database queries
- Cross-Site Scripting (XSS): Unescaped user input
- Command Injection: Unsafe command execution
- Path Traversal: Directory traversal vulnerabilities
- Insecure Dependencies: Known vulnerable packages
- Hardcoded Credentials: Secrets in code
- Weak Cryptography: Outdated or weak encryption
Severity Levels
Vulnerabilities are categorized by severity:
- Critical: Immediate action required, potential for data breach
- High: Should be addressed soon, significant security risk
- Medium: Moderate risk, should be planned for remediation
- Low: Minor risk, consider fixing in next update
- Info: Informational findings, not necessarily vulnerabilities
Note: The scanner includes zero-count severities in reports, meaning if no issues are found in a category, it will still be listed as “0 Critical, 0 High, etc.” This helps verify that all categories were scanned.
Excluding Third-Party Code
By default, CodeFrog excludes common third-party directories from security scans:
- Pods/ - CocoaPods dependencies
- node_modules/ - npm dependencies
- vendor/ - Vendor libraries
- builds/ - Build artifacts
- dist/ - Distribution files
- *.log - Log files
This prevents false positives from dependencies you don’t control and speeds up scans.
Custom Exclusions
You can add custom exclusion patterns:
- Open Project Settings
- Navigate to Security Settings
- Add exclusion patterns:
- File extensions: *.min.js, *.bundle.js
- Directory paths: legacy/, third-party/
- Specific files: config/old-secrets.json
Bulk Scanning
Scan First N Unscanned Files
For large codebases, you can perform incremental scans:
- Select “Scan First N Unscanned” option
- Specify the number of files (e.g., 100, 500, 1000)
- The scanner will:
- Skip files already scanned in previous runs
- Focus on new or modified files
- Maintain a scan history database
This is useful for:
- Initial scans of large repositories
- Regular incremental security checks
- CI/CD integration with limited time budgets
Running Security Scans
- Open your project in CodeFrog
- Navigate to the Analyze tab
- Select Security from analysis options
- Configure scan settings:
- Choose directories to scan
- Set exclusion patterns
- Select severity levels to report
- Click Run Scan
Interpreting Results
Scan Report Structure
- Summary: Total issues by severity
- File-by-File: Detailed findings per file
- Issue Details: Description, severity, and remediation guidance
- False Positive Marking: Mark issues as false positives to exclude from future scans
Acting on Results
- Prioritize by Severity: Start with Critical and High issues
- Review Context: Understand why the issue was flagged
- Verify False Positives: Mark legitimate false positives
- Plan Remediation: Create tasks or tickets for fixes
- Re-scan After Fixes: Verify issues are resolved
Export and Integration
Security scan results can be exported for:
- CI/CD Pipelines: JSON format for automated checks
- Issue Tracking: Import findings as tasks or tickets
- Compliance Reports: Formatted reports for audits
- Team Sharing: Markdown or HTML reports
Best Practices
- Regular Scans: Run security scans regularly, not just before launch
- Fix Critical Issues Immediately: Don’t delay on critical vulnerabilities
- Review Dependencies: Keep third-party packages updated
- Use HTTPS: Always prefer HTTPS endpoints
- Don’t Commit Secrets: Use environment variables or secure storage
- Review Exclusion Patterns: Ensure you’re not excluding important code
Related Topics
- Secrets / Gitleaks - Detailed secrets detection guide
- OSV / Supply Chain - Open Source Vulnerability database