
OPC Security Checkup Assistant

Public-facing security checkup for one-person companies, indie hackers, solo SaaS builders, small shops, and creators who need a practical security report for their website, domain, landing page, API base URL, or launch checklist. Use when the user asks to audit, check, harden, review, or produce a prioritized security remediation report for an owned public asset without exploit attempts.
A non-intrusive security checkup of public assets for one-person companies, independent developers, small SaaS products, online shops, and content businesses. The point is not "scanning for vulnerabilities" but translating security issues into a repair plan one person can execute: risk evidence, business impact, the smallest fix, time estimate, a 7-day fix plan, and a 30-day maturity plan.
user_3b836107
Uncategorized · community · v1.0.0 · 1 version · Key: not required

Overview

OPC Security Checkup

Goal

Help one-person companies find the security issues that are most likely to hurt trust, launches, payments, signups, SEO, or customer support capacity. Keep the work defensive, lightweight, and owner-oriented: identify public exposure signals, explain business impact, and produce a prioritized remediation plan.

Do not attempt exploitation, authentication bypass, brute force, credential stuffing, intrusive scanning, destructive testing, or bypassing access controls. If ownership or permission is unclear, ask the user to confirm authorization before testing the asset.

Quick Workflow

  1. Confirm the target is owned or authorized when needed.
  2. Normalize targets into full URLs, preferring https://.
  3. Run the bundled script for public web checks:
     python scripts/opc_security_checkup.py https://example.com --output report.md
  4. Read references/risk-playbook.md when interpreting results or adding manual findings.
  5. Produce a report with these sections:
    • Executive summary
    • Asset profile
    • Risk ranking
    • Findings with evidence
    • 7-day solo founder fix plan
    • 30-day maturity plan
    • Retest checklist

Use assets/report-template.md as the structure when the user wants a polished deliverable.

What To Check

Prioritize checks that matter for a tiny team:

  • Trust blockers: broken HTTPS, expired TLS, mixed redirects, missing security contact, obvious stack leakage.
  • Customer data exposure risk: weak cookie flags, missing HTTPS-only transport, permissive CORS if visible, public debug endpoints only when explicitly provided by the user.
  • Account and payment surface: signup/login/reset pages, admin paths disclosed by the user, webhook endpoints disclosed by the user.
  • Launch readiness: missing HSTS, missing CSP or weak CSP, missing clickjacking protection, overexposed server headers, missing security.txt.
  • Operational resilience: lack of backup/incident checklist, no dependency update routine, no owner-facing retest checklist.

Avoid low-signal filler. A missing header is not automatically critical. Tie severity to reachable functionality, data sensitivity, and solo-operator workload.

Using The Script

The script performs non-intrusive HTTP/TLS checks using Python standard library only. It checks:

  • DNS resolution
  • HTTP to HTTPS behavior
  • TLS certificate expiry
  • Redirect chain
  • Security headers
  • Cookie flags
  • Common public metadata endpoints: /robots.txt, /.well-known/security.txt, /sitemap.xml
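The security-header and cookie-flag checks above, worked through offline as an added example; this is not the bundled script's code, the sample headers are constructed, and the P1-P3 mapping applies the page's severity guidance as an assumption:

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Set-Cookie": ["session=abc123; Path=/; Secure", "theme=dark; Path=/"],
}

# Priorities follow the page's P0-P3 guidance; the exact mapping is an assumption.
def evaluate_headers(headers):
    """Return findings (priority, title, evidence, fix, effort) sorted by priority."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    def add(priority, title, evidence, fix, effort):
        findings.append({"priority": priority, "title": title,
                         "evidence": evidence, "fix": fix, "effort": effort})

    if "strict-transport-security" not in h:
        add("P2", "Missing HSTS", "no Strict-Transport-Security header",
            "send Strict-Transport-Security: max-age=31536000; includeSubDomains", "15 minutes")
    csp = h.get("content-security-policy")
    if csp is None:
        add("P2", "Missing CSP", "no Content-Security-Policy header",
            "deploy a Content-Security-Policy-Report-Only policy first", "half a day")
    elif "'unsafe-inline'" in csp or " *" in csp:  # heuristic for wildcard sources
        add("P2", "Weak CSP", f"Content-Security-Policy: {csp}",
            "remove wildcard and 'unsafe-inline' sources from script-src", "half a day")
    if "x-frame-options" not in h and "frame-ancestors" not in (csp or ""):
        add("P2", "No clickjacking protection", "neither X-Frame-Options nor frame-ancestors",
            "add Content-Security-Policy: frame-ancestors 'none'", "15 minutes")
    server = h.get("server", "")
    if any(c.isdigit() for c in server):  # a version number in Server is stack leakage
        add("P3", "Server version disclosed", f"Server: {server}",
            "hide the version (e.g. nginx server_tokens off)", "15 minutes")
    for raw in h.get("set-cookie", []):
        for name, morsel in SimpleCookie(raw).items():
            missing = [f for f in ("Secure", "HttpOnly") if not morsel[f.lower()]]
            if not morsel["samesite"]:
                missing.append("SameSite")
            if missing:
                # Session-like cookies sit on the account surface -> P1; others are hygiene.
                prio = "P1" if any(k in name.lower() for k in ("sess", "auth", "token")) else "P3"
                add(prio, f"Cookie {name} lacks {', '.join(missing)}", f"Set-Cookie: {raw}",
                    f"set {'; '.join(missing)} on cookie {name}", "15 minutes")
    return sorted(findings, key=lambda f: f["priority"])  # P0 < P1 < P2 < P3
```

Each returned finding already carries the Evidence, Fix and Effort fields the report template asks for; Impact and Retest are added by hand per asset.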

Useful commands:

python scripts/opc_security_checkup.py https://example.com
python scripts/opc_security_checkup.py example.com app.example.com --output opc-report.md
python scripts/opc_security_checkup.py https://example.com --json output.json

If the script fails because of network policy or TLS errors, report the failure as evidence and continue with manual guidance rather than inventing results.

Reporting Style

Write in Chinese by default for Chinese users. Be concrete:

  • Say what was observed.
  • Explain why it matters to an OPC.
  • Give the smallest practical fix.
  • Mark owner effort: 15 minutes (15分钟), half a day (半天), 1 day (1天), or needs the service provider (需要服务商).
  • Separate confirmed findings from recommended checks.

Severity guidance:

  • P0: Direct data exposure, credential leakage, payment/account takeover path, or active incident indicator.
  • P1: Likely exploitable misconfiguration on customer/account/payment surfaces.
  • P2: Trust or hardening gap with plausible abuse path.
  • P3: Hygiene issue or documentation/process gap.

For every finding, include:

### [P2] Finding title

- Evidence: observed URL/header/status/config.
- Impact: business and user risk.
- Fix: exact owner action.
- Retest: simple command or browser check.
- Effort: time estimate.

Manual Enrichment

When the user provides repository files, deployment notes, screenshots, or cloud settings, add manual checks:

  • .env, secrets, API keys, webhook secrets, OAuth callback URLs.
  • Auth/session settings, password reset flow, admin route protection.
  • Database exposure, storage bucket permissions, backup/restore process.
  • Payment webhook validation and idempotency.
  • Customer support incident script.

Keep manual checks scoped to provided materials. Do not claim external facts without evidence.

OPC Angle

Make the report useful for one person with limited time:

  • Rank fixes by risk reduction per hour.
  • Prefer managed controls when appropriate: CDN WAF, platform security headers, hosted auth, managed backups.
  • Include a launch gate: what must be fixed before public launch.
  • Include a recurring routine: monthly patch check, quarterly access review, incident contact update.

End with a short retest checklist the user can run after changes.

Version History

1 version in total

  • v1.0.0 Initial release (current)
    2026-05-28 12:55
