March 13, 2026 · webdev, javascript, typescript, productivity

How I Built a Security Auditor for Small Businesses in One Night

Most small business owners have no idea if their website is secure. I built a tool that tells them in 30 seconds — with a clear score and fix-it checklist.

Last Tuesday my friend asked me a simple question: "Is my bakery's website secure?" He's got a WordPress site, takes online orders, and stores customer emails. He had absolutely no idea if any of it was safe.

I did a quick manual check. Expired SSL certificate. No security headers. Email addresses exposed in the source code. No DMARC on his domain. His site was essentially a "hack me" sign.

The thing is, he's not stupid — he's a baker. He shouldn't need to understand certificate chains or Content-Security-Policy headers. But the existing tools? Either too technical (SSL Labs dumps a wall of cipher suite data) or too shallow (most "security scanners" just check if SSL exists, not if it's configured correctly).

So I built SMB Security Auditor — paste a URL, get an A-F grade, see exactly what's wrong and how to fix it.

The Core Insight

Small business owners don't need penetration testing. They need a health checkup. The kind that says "you're at a B, here are the 3 things that would get you to an A" — not "your server is vulnerable to CVE-2024-XXXX."

That framing changed everything. Instead of building a security scanner, I built a grading system. Each check gets scored 0-10, the scores roll up into categories (SSL, Headers, DNS, Exposure), and categories roll into an overall grade.

// Map the 0-100 overall score to a letter grade and a display colour.
function calculateGrade(score: number): { grade: string; color: string } {
  if (score >= 90) return { grade: 'A', color: 'emerald' };
  if (score >= 80) return { grade: 'B', color: 'blue' };
  if (score >= 70) return { grade: 'C', color: 'amber' };
  if (score >= 50) return { grade: 'D', color: 'orange' };
  return { grade: 'F', color: 'red' };
}

Simple. Visual. Immediately understandable.

What I Built

The stack is Next.js 16, Tailwind v4, shadcn/ui, TypeScript — my standard nightly-build stack at this point. But the interesting part is the audit engine.

I'm running five independent checks:

SSL/TLS — Certificate validity, expiration, protocol version, chain trust
Security Headers — CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy
DNS Configuration — SPF, DKIM, DMARC records (email authentication)
Email Exposure — Scanning page source for exposed mailto links and plaintext emails
Common Vulnerabilities — Directory listing, exposed admin panels, server version disclosure

Each check returns a structured result with a score, status (pass/warn/fail), and a human-readable explanation with a concrete fix.

The scoring weights matter. SSL and headers are weighted higher than email exposure because a missing CSP is a bigger deal than a published support email. Getting this balance right took some iteration — I started with equal weights and the grades didn't feel right.
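To make the check-result shape and the weighted roll-up concrete, here is an added example in TypeScript. It is not the SMB Security Auditor's code: the names (CheckResult, auditHeaders, categoryScore, overallScore), the HSTS max-age threshold, the suggested header values and the category weights are all my assumptions, chosen to match the post's description (each check scored 0-10, SSL and headers weighted above email exposure). Only calculateGrade is reproduced from the post. The sample response headers are constructed.

```typescript
// Added example, not the SMB Security Auditor's own code. Implements one of
// the five checks (security headers) plus the weighted roll-up to a grade.

export type CheckStatus = 'pass' | 'warn' | 'fail';

export interface CheckResult {
  name: string;
  score: number;        // 0-10, as in the post
  status: CheckStatus;
  explanation: string;  // plain-language reason
  fix: string;          // the concrete line a site owner should add
}

// Headers the post lists, each with a conservative suggested value
// (assumed defaults for this example, not the tool's own recommendations).
const EXPECTED_HEADERS: Array<{ header: string; fix: string }> = [
  { header: 'strict-transport-security', fix: 'Strict-Transport-Security: max-age=31536000; includeSubDomains' },
  { header: 'content-security-policy', fix: "Content-Security-Policy: default-src 'self'" },
  { header: 'x-frame-options', fix: 'X-Frame-Options: DENY' },
  { header: 'x-content-type-options', fix: 'X-Content-Type-Options: nosniff' },
  { header: 'referrer-policy', fix: 'Referrer-Policy: strict-origin-when-cross-origin' },
];

const MIN_HSTS_MAX_AGE = 15552000; // 180 days; assumed threshold for a "real" HSTS policy

export function auditHeaders(headers: Record<string, string>): CheckResult[] {
  // Header names are case-insensitive, so normalise before lookup.
  const present = new Map<string, string>(
    Object.entries(headers).map(([k, v]): [string, string] => [k.toLowerCase(), v]),
  );
  return EXPECTED_HEADERS.map(({ header, fix }): CheckResult => {
    const value = present.get(header);
    if (value === undefined) {
      return { name: header, score: 0, status: 'fail', explanation: `${header} is not set`, fix: `Add the response header: ${fix}` };
    }
    // A present-but-tiny HSTS max-age is a common half-configuration: warn rather than pass.
    if (header === 'strict-transport-security') {
      const m = /max-age=(\d+)/i.exec(value);
      const maxAge = m ? Number(m[1]) : 0;
      if (maxAge < MIN_HSTS_MAX_AGE) {
        return { name: header, score: 5, status: 'warn', explanation: `HSTS max-age is ${maxAge}s; browsers only remember the policy for that long`, fix: `Raise it: ${fix}` };
      }
    }
    return { name: header, score: 10, status: 'pass', explanation: `${header} is set`, fix: 'No action needed' };
  });
}

// Category score: mean of the 0-10 check scores, scaled to 0-100.
export function categoryScore(results: CheckResult[]): number {
  if (results.length === 0) return 0;
  const total = results.reduce((sum, r) => sum + r.score, 0);
  return (total / (results.length * 10)) * 100;
}

// Illustrative weights: the post says SSL and headers outweigh email exposure
// but gives no numbers, so these are assumptions.
export const CATEGORY_WEIGHTS: Record<string, number> = { ssl: 3, headers: 3, dns: 2, exposure: 1 };

export function overallScore(categories: Record<string, number>): number {
  let weighted = 0;
  let weightSum = 0;
  for (const [cat, score] of Object.entries(categories)) {
    const w = CATEGORY_WEIGHTS[cat] ?? 1;
    weighted += score * w;
    weightSum += w;
  }
  return weightSum === 0 ? 0 : Math.round(weighted / weightSum);
}

// The post's grading function, reproduced so the block runs stand-alone.
export function calculateGrade(score: number): { grade: string; color: string } {
  if (score >= 90) return { grade: 'A', color: 'emerald' };
  if (score >= 80) return { grade: 'B', color: 'blue' };
  if (score >= 70) return { grade: 'C', color: 'amber' };
  if (score >= 50) return { grade: 'D', color: 'orange' };
  return { grade: 'F', color: 'red' };
}

// Constructed sample: a site with HTTPS but a half-finished header setup.
export const SAMPLE_HEADERS: Record<string, string> = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
};
export const sampleResults = auditHeaders(SAMPLE_HEADERS);
export const sampleHeaderScore = categoryScore(sampleResults);            // 30
export const sampleOverall = overallScore({ ssl: 100, headers: sampleHeaderScore, dns: 50, exposure: 100 }); // 66
export const sampleGrade = calculateGrade(sampleOverall).grade;           // 'D'
```

The point of the shape is that every failing check already carries its own fix line, so the fix-it checklist is just the `fail` and `warn` results filtered and sorted; nothing has to be reconstructed from the score afterwards.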

What Surprised Me

Most sites are worse than you'd think. I tested 20 random small business websites from Google Maps. Only 2 scored above a B. The average was a D+. Missing DMARC records were nearly universal. Several had expired certificates.

The fix-it checklist was the most important feature. People don't just want to know they're failing — they want to know exactly what to do. "Add this line to your DNS" is infinitely more useful than "configure DMARC."
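As an added example of the DNS check and of the "add this line to your DNS" style of fix, here is a small SPF/DMARC evaluator in TypeScript. It is not the SMB Security Auditor's code; the function names, the scores and the suggested record values are my assumptions, and the TXT records it runs over are constructed stand-ins for what a real lookup of example.com would return (DKIM is left out because checking it needs a selector name the scanner would not know).

```typescript
// Added example, not the SMB Security Auditor's own code. Evaluates the SPF
// and DMARC TXT records for a domain and emits a concrete DNS fix line.

export interface DnsFinding {
  record: 'SPF' | 'DMARC';
  score: number;                       // 0-10
  status: 'pass' | 'warn' | 'fail';
  explanation: string;
  fix: string;
}

// Parse "v=DMARC1; p=none; rua=mailto:..." into a tag map; null if not DMARC.
export function parseDmarc(txt: string): Record<string, string> | null {
  if (!/^v=DMARC1\b/i.test(txt.trim())) return null;
  const tags: Record<string, string> = {};
  for (const part of txt.split(';')) {
    const [k, ...rest] = part.split('=');
    if (k && rest.length) tags[k.trim().toLowerCase()] = rest.join('=').trim();
  }
  return tags;
}

export function auditDmarc(domain: string, dmarcTxtRecords: string[]): DnsFinding {
  // Suggested record (assumed default): quarantine, with aggregate reports to the owner.
  const suggested = `_dmarc.${domain} TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@${domain}"`;
  const tags = dmarcTxtRecords.map(parseDmarc).find((t) => t !== null);
  if (!tags) {
    return { record: 'DMARC', score: 0, status: 'fail',
      explanation: 'No DMARC record: receivers have no policy for mail that fails SPF/DKIM',
      fix: `Add this DNS record: ${suggested}` };
  }
  const policy = (tags['p'] ?? '').toLowerCase();
  if (policy === '' || policy === 'none') {
    return { record: 'DMARC', score: 4, status: 'warn',
      explanation: 'DMARC is set to p=none, which only monitors; failing mail is still delivered',
      fix: `Change p=none to p=quarantine in _dmarc.${domain} once reports look clean` };
  }
  return { record: 'DMARC', score: 10, status: 'pass',
    explanation: `DMARC policy is p=${policy}`, fix: 'No action needed' };
}

export function auditSpf(domain: string, txtRecords: string[]): DnsFinding {
  const spf = txtRecords.filter((t) => /^v=spf1\b/i.test(t.trim()));
  if (spf.length === 0) {
    return { record: 'SPF', score: 0, status: 'fail',
      explanation: 'No SPF record: receivers cannot tell which servers may send for this domain',
      // <PROVIDER-SPF> is a placeholder the owner fills from their mail provider's docs.
      fix: `Add this DNS record: ${domain} TXT "v=spf1 include:<PROVIDER-SPF> -all"` };
  }
  if (spf.length > 1) {
    return { record: 'SPF', score: 0, status: 'fail',
      explanation: 'More than one SPF record; receivers treat this as a permanent error',
      fix: `Merge the include: mechanisms into a single v=spf1 record on ${domain}` };
  }
  const rec = spf[0].trim();
  if (/\s[+?]all\b/i.test(rec) || !/\ball\b/i.test(rec)) {
    return { record: 'SPF', score: 5, status: 'warn',
      explanation: 'SPF does not end in -all or ~all, so unlisted servers are not rejected',
      fix: `End the record with -all (or ~all while testing): ${rec.replace(/\s[+?]?all\b.*$/i, '')} -all` };
  }
  return { record: 'SPF', score: 10, status: 'pass', explanation: 'SPF record is present and restrictive', fix: 'No action needed' };
}

// Constructed lookups for example.com: SPF is fine, DMARC is monitor-only.
export const SAMPLE_ROOT_TXT = ['v=spf1 include:_spf.mail-provider.test ~all', 'site-verification=abc123'];
export const SAMPLE_DMARC_TXT = ['v=DMARC1; p=none; rua=mailto:reports@example.com'];
export const spfFinding = auditSpf('example.com', SAMPLE_ROOT_TXT);      // pass
export const dmarcFinding = auditDmarc('example.com', SAMPLE_DMARC_TXT); // warn
```

Running this on a domain with a permissive `+all` SPF or a missing DMARC record yields a fix string that is literally the DNS line to add, which is the level of instruction the post argues a non-technical owner needs.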

Client-side scanning is limited but good enough. I can't do deep port scans or server-side checks from the browser. But for the use case — small business health checks — client-side header analysis and DNS lookups cover 80% of common issues.

What I'd Do Next

The obvious next step is a server-side scanning API. A proper backend could do port scanning, deeper SSL analysis, subdomain enumeration, and check for known vulnerabilities in detected CMS versions.

I'd also love to add scheduled monitoring — "email me if my grade drops" — because security isn't a one-time thing. Certificates expire. Headers get lost in redesigns. SPF records break when you switch email providers.

Try It

I built this in one evening. It's free, no signup required. Paste your URL and see your score:

SMB Security Auditor →

And if you run a small business — seriously, check your site. You might be surprised.