Web app audits
Practical security audits for websites, APIs, portals, and dashboards.
Boni audits the surfaces customers actually expose: login flows, dashboards, APIs, admin panels, staging hosts, upload paths, headers, TLS, and business logic that should not be left to automated scanners alone.
Audit scope map
App, API, access, evidence, closure: auth and sessions; APIs and inputs; headers and TLS; report and retest.
Scope
The audit covers the security surfaces that usually create customer risk.
Application surface
Websites, customer portals, admin panels, dashboards, staging hosts, API endpoints, and exposed tooling agreed in scope.
Identity and access
Authentication flows, session handling, authorization boundaries, password reset behavior, token handling, and role leakage.
OWASP-style checks
Injection, XSS, SSRF indicators, access control issues, file handling, misconfiguration, sensitive data exposure, and business logic review.
Transport and headers
TLS posture, HSTS, CSP, clickjacking frame controls (X-Frame-Options, CSP frame-ancestors), cookie flags (Secure, HttpOnly, SameSite), CORS, cache behavior on authenticated pages, security.txt, and public metadata hygiene.
Evidence and reporting
Validated findings, affected URLs, reproduction notes, risk rationale, fix guidance, retest status, and executive summary.
Remediation support
Engineer-facing fix notes, closure proof, retest windows, and severity updates when evidence changes.
Method
Written scope first, scanner evidence second, validated report last.
Scope
Confirm assets, target owners, test windows, exclusions, authentication method, and approval boundaries.
Baseline
Capture DNS, TLS, headers, sitemap/public paths, technology signals, and availability-safe observations.
Scan
Run authorized non-destructive scanner checks and targeted manual review within the written scope.
Validate
Remove false positives, verify impact safely, classify severity, and separate scanner observations from validated claims.
Report
Deliver an executive summary, technical findings, evidence, remediation guidance, and retest plan.
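The transport and header checks named in the scope, carried through the Baseline and Validate steps above, as an added example (not Boni's tooling): it parses a captured HTTP response and turns the header, cookie, CORS and cache items into a list of observations, which is the raw material that the validate step later confirms or discards. The two sample responses are constructed for illustration and were not captured from any host; header names and flag semantics are the standard ones, while the one-year HSTS floor and the wording of each observation are choices made here.

```python
"""Baseline header and cookie hygiene check over a captured HTTP response."""
from collections import defaultdict

ONE_YEAR = 31536000  # seconds; commonly recommended HSTS max-age floor

# Constructed sample: a weak response from a logged-in dashboard page.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=300
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Cache-Control: public, max-age=3600
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: the same page after remediation.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Cache-Control: no-store
"""


def parse_response(raw):
    """Return (status_line, headers); headers maps lower-cased name to a list
    of values so repeated Set-Cookie lines are all kept."""
    status, _, rest = raw.partition("\n")
    headers = defaultdict(list)
    for line in rest.splitlines():
        if not line.strip():
            break  # blank line ends the header block; body follows
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return status.strip(), headers


def hsts_params(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_response(raw, authenticated=False):
    """Return observations (not yet validated findings) for one response.
    authenticated=True applies the stricter cache and CORS expectations."""
    _, h = parse_response(raw)
    obs = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        obs.append("HSTS: header missing")
    else:
        max_age, include_sub = hsts_params(hsts[0])
        if max_age is None or max_age < ONE_YEAR:
            obs.append(f"HSTS: max-age {max_age} below one year")
        if not include_sub:
            obs.append("HSTS: includeSubDomains not set")

    csp = h.get("content-security-policy", [])
    if not csp:
        obs.append("CSP: header missing")
    framed = "x-frame-options" in h or any("frame-ancestors" in v.lower() for v in csp)
    if not framed:
        obs.append("Framing: neither X-Frame-Options nor CSP frame-ancestors")

    if "x-content-type-options" not in h:
        obs.append("X-Content-Type-Options: nosniff missing")

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        # attribute names after the name=value pair, e.g. {"path", "httponly"}
        attrs = {a.strip().lower().split("=", 1)[0] for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                obs.append(f"Cookie {name}: {flag} flag missing")

    acao = h.get("access-control-allow-origin", [""])[0]
    acac = h.get("access-control-allow-credentials", [""])[0].lower()
    if acao == "*" and acac == "true":
        obs.append("CORS: wildcard origin combined with allow-credentials")
    elif acao == "*" and authenticated:
        obs.append("CORS: wildcard origin on an authenticated page")

    cache = " ".join(h.get("cache-control", [])).lower()
    if authenticated and "no-store" not in cache:
        obs.append("Cache: authenticated response lacks Cache-Control: no-store")

    return obs


if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw, authenticated=True))
```

In an engagement the input would be the header block captured during the Baseline step, for example the output of `curl -sS -D - -o /dev/null https://target/` for a public page, or an authenticated request saved from a proxy for a dashboard page. Everything the script emits is an observation: a missing flag on a cookie that carries no session, or a wildcard CORS origin on a purely public endpoint, may be correctly downgraded or dropped at the Validate step once the page's purpose is known.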
Deliverables that engineering and leadership can both use.
The report keeps technical evidence and executive interpretation connected, but not confused. Findings are written so owners can fix them and leaders can understand the exposure.
Scope memo and authorization record
Validated vulnerability register
Evidence pack with screenshots or request/response notes where appropriate
Executive risk summary
Engineering remediation guidance
Retest notes and closure status
Engagement types
Start with the smallest scope that can create real confidence.
Best for one target
Mini scan
A narrow authorized scanner sweep for one public asset, designed to quickly decide whether a deeper audit is warranted.
Best for startups and SMEs
Starter VAPT
A focused web or API audit with validation, remediation guidance, and a report suitable for internal security review.
Best for customer assurance
Audit plus retest
A larger audit window with remediation tracking, retest evidence, and report packaging for customer or procurement conversations.
FAQ
Can Boni test authenticated areas?
Yes, but only when the customer provides written authorization, scope, and test accounts or approved access. Boni does not attempt login or credential guessing in public-preview work.
Will the audit disrupt production?
The default approach is non-destructive and availability-safe. Rate limits, excluded flows, production-sensitive actions, and test windows are agreed before scanning.
Do you provide a formal report?
Yes. The report includes scope, methodology, validated findings, severity, evidence, business impact, remediation guidance, and retest status where applicable.