Application security

Technical security audit — article 23 of Law 09-08 taken seriously

Non-intrusive evaluation of your website's security posture: HTTP headers, TLS, attack surface, anti-spoofing email configuration, cookies, DNS. Methodology aligned with Mozilla Observatory and OWASP ASVS. Application pentest available with contractual Rules of Engagement.

What we check

Eight domains, from encryption to public exposure

Application security is not just about a TLS certificate. Here are the areas we systematically address, which free scanners only half cover.

  • HTTP security headers

    Content-Security-Policy, Strict-Transport-Security (HSTS, preload, includeSubDomains), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin Isolation. Direct comparison with Mozilla Observatory scoring.
  • TLS and encryption

    Supported TLS versions (1.2/1.3), cipher suites, certificate (chain, duration, transparency log), HSTS preload list, systematic HTTP → HTTPS redirection, HPKP/CAA where relevant.
  • External attack surface

    Inventory of exposed subdomains, accessible services (HTTP, API, admin, dev, staging), obsolete endpoints, version signatures, forgotten debug headers. Search for accidental exposure via certificate transparency.
  • Email configuration (anti-spoofing)

    SPF, DKIM, DMARC (with reject/quarantine policy, alignment, rua/ruf). MTA-STS, TLS-RPT. Verification that nobody can send email on your behalf — a baseline before any CNDP communication.
  • Cookies and trackers

    Inventory of cookies set before and after consent. Detection of third-party trackers (Google, Meta, LinkedIn, etc.), fingerprinters and cross-origin connections. Test of actual runtime blocking.
  • DNS and infrastructure

    DNSSEC, presence of CAA, exposure of obsolete records (TXT, SRV), recursive resolvers, anycast. For critical sites: subdomain takeover resilience testing.
  • Common vulnerabilities (OWASP)

    Passive tests aligned with OWASP ASVS L1: injection (client-side GET/POST parameters), reflected XSS, CORS configuration, error sensitivity, stack trace exposure, session management. No exploitation, detection only.
  • CNDP compliance

    Legal notice, privacy policy, compliant cookie banner, security.txt (RFC 9116), breach notification procedure (article 23 of Law 09-08 and CNDP obligations).
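As an added example (not the firm's own tooling), the following Python applies the header checks listed above to one captured HTTP response; the sample headers are constructed to look like a default-configured site, and the six-month HSTS threshold is the one Mozilla Observatory scores against.

```python
import re

HSTS_MIN_AGE = 15768000  # six months, the Mozilla Observatory threshold
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

SAMPLE_HEADERS = {  # constructed sample: what a default-configured site might return
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Cross-Origin-Opener-Policy": "same-origin",
}

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def review_headers(headers):
    """Return (header, finding) tuples; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append(("Strict-Transport-Security", "missing or max-age under six months"))
    elif "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append(("Strict-Transport-Security", "lacks includeSubDomains and/or preload"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content-Security-Policy", "header absent"))
    scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
    if "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append(("Content-Security-Policy", "scripts allow inline code or a wildcard"))
    if csp_directive(csp, "frame-ancestors") is None and "x-frame-options" not in h:
        findings.append(("X-Frame-Options", "no framing protection (XFO or frame-ancestors)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "nosniff not set"))
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append(("Referrer-Policy", "missing or leaks the full URL cross-origin"))
    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy", "header absent"))
    if h.get("cross-origin-opener-policy") != "same-origin" \
            or h.get("cross-origin-embedder-policy") != "require-corp":
        findings.append(("Cross-Origin Isolation", "COOP same-origin + COEP require-corp not set"))
    return findings
```

Running it on the constructed sample yields six findings, which is the kind of list the remediation section of the report is built from.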
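A second added example (again not the firm's tooling) covers the email anti-spoofing domain above: it reviews an SPF and a DMARC TXT record for policy strength, reporting address, subdomain policy, alignment and the SPF lookup limit. Both records are constructed samples; the code takes the record strings as input rather than performing DNS lookups.

```python
import re

SAMPLE_SPF = "v=spf1 include:_spf.google.com include:mailgun.org a mx ~all"  # constructed
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50; adkim=r; aspf=r"  # constructed

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most ten.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def review_spf(record):  # returns a findings list; empty means acceptable
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append("terminal +all/?all lets any host send as the domain")
    elif last not in ("-all", "~all"):
        findings.append("no explicit 'all' mechanism: unlisted senders are neutral")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def review_dmarc(record):  # returns a findings list; empty means enforcing and reporting
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=none: spoofed mail is only reported, never blocked")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        findings.append("sp weaker than p: subdomains can still be spoofed")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        findings.append("relaxed alignment: any subdomain of the org domain aligns")
    return findings
```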

Two levels

Standard audit or application pentest

Depending on your application's exposure, the non-intrusive audit suffices or a pentest is required. We honestly steer you to the relevant level — not systematically the most expensive one.

Standard non-intrusive audit

5 to 7 business days

Brochure sites, e-commerce, public applications in production. No prior authorisation required — strictly public observation.

  • Technical report of 25 to 40 pages
  • Simulated Mozilla Observatory score before/after
  • Prioritised remediation list with code examples
  • External attack surface mapping
  • 60-minute verbal debrief

Investment: from 15,000 MAD

Application pentest

10 to 20 business days

Applications with authentication, payment, API, customer area. Requires a Rules of Engagement contract (scope, windows, method), written authorisation and ideally a test environment.

  • OWASP ASVS L2 or L3 tests depending on the profile
  • Technical report with proof-of-concept and CVSS
  • Severity, exploitability, remediation recommendations
  • Free re-test within 60 days on the corrected scope
  • Separate management and technical debriefs

Investment: on quote

Methodology

Five steps, traceable and contracted

  1. Scope and authorisation

    Contractual definition of the scope: domains, subdomains, applications, time windows, authorised methods (passive only vs. active testing). Exchange of technical contacts for incident handling.

  2. Passive reconnaissance

    Collection of public information only: DNS, certificate transparency, public archives, HTTP headers. No aggressive interaction with your infrastructure.

  3. Targeted testing

    Based on reconnaissance, targeted tests within the authorised scope. All tests are tracked, timestamped and strictly limited to what was contractually authorised. Automated tests + manual investigation.

  4. Findings validation

    Every vulnerability is manually validated to eliminate false positives. Severity scored under CVSS v3.1. Exploitability documented without crossing the agreed threshold.

  5. Report and remediation

    Prioritised report with remedial code examples where applicable. Guided remediation if you wish (pull request review, coaching of your team).

Frequently asked questions

What we are asked on the technical side

Why a non-intrusive audit?

Two reasons. First, many sites can be audited at 70-80% by public observation of headers, DNS and the exposed surface — that captures most of the value. Second, a non-intrusive audit requires no heavy authorisation or maintenance window and can start immediately. Application pentests are reserved for contexts where the non-intrusive audit no longer suffices.

Do you need access to my infrastructure?

For the non-intrusive audit, no. Everything is done from the outside, as an ordinary user would. For the application pentest, we usually need test accounts with different privilege levels and ideally a pre-production environment identical to prod. Everything is contracted up front.

Doesn't my host (Hostinger, OVH, etc.) already cover everything?

No. The host provides infrastructure and sometimes a WAF, but the application-level configuration (CSP headers, cookies, session management, server-side validation, email anti-spoofing) remains your responsibility. Most Moroccan sites we audit ship default configurations that fail under a free scanner within an hour.

Is the report usable by my current provider?

Yes, that is precisely the goal. The report is written so it can be handed to any competent technical team — yours, your agency, your integrator. When a fix requires a server configuration change, we provide the exact example (Nginx snippet, Apache, next.config file, etc.).

Do you cover load or resilience testing?

No, not in this service. Our scope is application security and technical compliance. For load, performance or outage-resilience testing, we refer you to specialists — or coordinate the engagement if you wish.

Is there a link with CNDP compliance?

Direct. Article 23 of Law 09-08 obliges the controller to implement appropriate technical measures to secure data. A website without HSTS, without CSP, with tracker cookies before consent, is not only technically vulnerable: it is in breach. We systematically cross-reference technical findings with CNDP requirements.

Free test in 60 seconds

See the state of your site before requesting a quote

Our online audit tool gives you a first indicative score on headers, TLS and CNDP compliance. Free, no mandatory email, immediate.