WSCS - Web Security & Compliance Scan.
WSCS watches the browser-facing controls that drift when teams ship quickly: security headers, third-party scripts, cookies, consent behavior, preview hosts, and checkout-adjacent pages.
Coverage with explainable detection techniques.
Security headers and browser policy
CSP, HSTS, X-Frame-Options, Permissions-Policy, Referrer-Policy, COOP, COEP, mixed-content posture, and downgrade risk are scanned with deterministic checks plus semantic review of business context.
Client-side script exposure
Inline JavaScript, unsafe-eval, third-party scripts, missing integrity, abandoned CDNs, public sourcemaps, leaked endpoints, and checkout-page script risk are correlated with host purpose and data sensitivity.
Cookie and privacy heuristics
Cookie flags, consent behavior, analytics hints, third-party trackers, SameSite defaults, secure attributes, retention language, and GDPR-facing implementation clues are reviewed for practical risk signals.
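The deterministic side of these checks can be shown directly. The following is an added example, not WSCS's own code: it parses a response's Content-Security-Policy, Strict-Transport-Security and Set-Cookie headers and reports the conditions the three modules above describe (unsafe-inline without a nonce or hash, wildcard script sources, a short or missing HSTS max-age, cookies without Secure, HttpOnly or a restrictive SameSite). The sample response and the HSTS threshold are constructed for illustration; the business-context review the page describes is not modelled here.

```python
"""Deterministic header and cookie checks of the kind a web-posture scanner
runs before any business-context review.

Added example, not WSCS's own code. Header names are the real ones; the
HSTS threshold and the sample response are constructed for illustration.
"""
from __future__ import annotations

# Assumption: an HSTS max-age shorter than this (180 days) is reported as weak.
HSTS_MIN_MAX_AGE = 15552000


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_csp(csp: str | None) -> list[str]:
    """Flag script-src settings that let injected or inline script run."""
    if csp is None:
        return ["CSP: header missing"]
    policy = parse_csp(csp)
    # script-src falls back to default-src when it is absent
    sources = policy.get("script-src", policy.get("default-src", []))
    if not sources:
        return ["CSP: no script-src or default-src, inline and remote scripts unrestricted"]
    findings = []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("CSP: script-src allows 'unsafe-inline' without nonce or hash")
    if "'unsafe-eval'" in sources:
        findings.append("CSP: script-src allows 'unsafe-eval'")
    for wildcard in ("*", "https:", "http:", "data:"):
        if wildcard in sources:
            findings.append(f"CSP: script-src contains wildcard source {wildcard}")
    return findings


def check_hsts(hsts: str | None) -> list[str]:
    """Missing or short-lived HSTS leaves a window for protocol downgrade."""
    if hsts is None:
        return ["HSTS: header missing, first request can be downgraded"]
    for directive in hsts.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                age = int(val.strip().strip('"'))
            except ValueError:
                return ["HSTS: max-age is not an integer"]
            if age < HSTS_MIN_MAX_AGE:
                return [f"HSTS: max-age {age} is below {HSTS_MIN_MAX_AGE}"]
            return []
    return ["HSTS: max-age directive missing"]


def check_cookies(set_cookie_values: list[str]) -> list[str]:
    """Report cookies that lack Secure, HttpOnly, or SameSite=Lax/Strict."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.lower()] = v.lower()
        if "secure" not in attrs:
            findings.append(f"Cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name}: missing HttpOnly")
        if attrs.get("samesite") not in ("lax", "strict"):
            findings.append(f"Cookie {name}: SameSite is not Lax or Strict")
    return findings


def check_response(headers: dict[str, str | list[str]]) -> list[str]:
    """Run every check over a header map; Set-Cookie is given as a list."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = check_csp(h.get("content-security-policy"))
    findings += check_hsts(h.get("strict-transport-security"))
    findings += check_cookies(h.get("set-cookie", []))
    return findings


# Constructed sample: a checkout host with the problems the finding preview describes.
WEAK_CHECKOUT = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["cart_session=abc123; Path=/", "csrf=xyz; Secure; SameSite=Lax"],
}

if __name__ == "__main__":
    for line in check_response(WEAK_CHECKOUT):
        print(line)
```

Run against the constructed sample, the checker returns seven findings: two for the CSP, one for HSTS, and four across the two cookies. Each finding names the header and the exact condition, which is what makes the result routable to the owning team rather than a bare "header missing".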
Web asset change monitoring
The module tracks regressions across live domains, preview hosts, staging surfaces, and marketing pages, then routes findings to the team that owns the affected route instead of burying them in a generic scan report.
A finding built for remediation, not screenshots.
Each module produces a structured evidence pack with severity, business impact, and a runbook excerpt that can be routed to Slack, Jira, Linear, ServiceNow, GitHub, webhook, or SIEM depending on tier.
PDF FINDING PREVIEW
Checkout subdomain permits unsafe inline script with billing metadata
Evidence pack
- Content-Security-Policy includes unsafe-inline and wildcard script-src on checkout host.
- Third-party analytics script loads without Subresource Integrity.
- Cookies include session-like metadata without SameSite=Lax or SameSite=Strict.
- Semantic AI classifies the host as payment-adjacent based on route text and script names.
Business impact
A script injection or compromised third-party script could observe billing-adjacent metadata and session context. The finding is routed as high severity because the host handles commercial workflow, not because a header is missing in isolation.
Remediation runbook
1. Remove unsafe-inline from checkout CSP.
2. Add nonce or hash-based script policy.
3. Add SRI to third-party scripts or self-host vetted code.
4. Set Secure, HttpOnly, and SameSite flags where applicable.
5. Re-scan checkout and preview hosts.
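What steps 1 through 4 of that runbook produce in practice, as an added example rather than WSCS's own code or a fix from the scanned site: a fresh per-response nonce and a checkout CSP built around it, a Subresource Integrity attribute computed over a vetted copy of the third-party script (sha384, base64-encoded, the format browsers verify), a check that mirrors the browser's rejection of a script whose hash no longer matches, and a session cookie with the three flags set. The analytics host name and script body are constructed for the example.

```python
"""Artifacts for the remediation runbook: a nonce-based CSP for the checkout
host, an SRI integrity attribute for a third-party script, and cookie flags.

Added example, not WSCS's own code. The host name and the script body are
constructed; the SRI format (sha384 digest, base64) and the cookie attributes
are the standard ones browsers enforce.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def make_nonce() -> str:
    """Fresh, unguessable nonce; generate one per HTTP response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def checkout_csp(nonce: str, script_hosts: tuple[str, ...] = ()) -> str:
    """Steps 1 and 2: no 'unsafe-inline' or wildcard; inline scripts must carry the nonce."""
    script_src = ["'self'", f"'nonce-{nonce}'", *script_hosts]
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def sri_integrity(script_body: bytes) -> str:
    """Step 3: integrity value for the vetted copy of a script (sha384, base64)."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode()


def sri_matches(fetched_body: bytes, integrity: str) -> bool:
    """What the browser does at load time: refuse the script if its hash changed."""
    return hmac.compare_digest(sri_integrity(fetched_body), integrity)


def script_tag(src: str, vetted_body: bytes) -> str:
    """Script element pinned to the vetted build; crossorigin is required for SRI on cross-origin URLs."""
    return (f'<script src="{src}" integrity="{sri_integrity(vetted_body)}" '
            'crossorigin="anonymous"></script>')


def session_cookie(name: str, value: str) -> str:
    """Step 4: Secure, HttpOnly and SameSite on a session-like cookie."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample: the analytics snippet as vetted at deploy time.
VETTED_ANALYTICS = b"window.track = function(e){ /* vetted build */ };\n"
ANALYTICS_HOST = "https://analytics.example"  # assumed hostname, not from the page

if __name__ == "__main__":
    nonce = make_nonce()
    print("Content-Security-Policy:", checkout_csp(nonce, (ANALYTICS_HOST,)))
    print(script_tag(f"{ANALYTICS_HOST}/t.js", VETTED_ANALYTICS))
    print("Set-Cookie:", session_cookie("cart_session", "<opaque id>"))
    tampered = VETTED_ANALYTICS + b"//"
    print("tampered copy accepted:", sri_matches(tampered, sri_integrity(VETTED_ANALYTICS)))
```

The nonce must be generated per response and injected into every legitimate inline script tag; a nonce fixed at deploy time defeats the policy. Step 5 is then the re-scan: the CSP string returned here contains neither 'unsafe-inline' nor a wildcard, and the cookie carries all three flags, so the conditions in the evidence pack above no longer hold.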
Included where the workflow needs it.
| Tier | Included | Asset limits |
|---|---|---|
| Community | Not included | Core EASM only |
| Pulse | Not included | CI/CD Shield, no WSCS |
| Shield | Included | 150 assets, web security and compliance scan |
| Fortress | Included | 500 assets, SaintScan handoff available |
| Sentinel | Included | Unlimited by engagement, managed web posture review |
Ships findings into the systems that already own remediation.
READY FOR REVIEW
Run this module against authorized scope.
Start with a free scan or route an enterprise module review to sales.