BrowserAudit is a free web-based service for testing web browsers' implementations of various security policies. The BrowserAudit test suite currently contains 431 tests exercising policies including the same-origin policy, the Content Security Policy, and HTTP Strict Transport Security.
BrowserAudit reports results in the browser as the tests are executed. Results are colour-coded using a simple "traffic light" system; advanced users may drill down to view the pass/fail status and the source code of individual tests by clicking on elements of the UI. Categories are also colour-coded according to whether they contain any failing tests.
Please note that BrowserAudit is designed to be hosted on a web server, and accessed from a web browser. The simplest way to use BrowserAudit is to visit the public service we host at https://browseraudit.com.
This repository contains the full client-side and server-side source code, including a database dump of the test suite, for those who want to contribute improvements or bug fixes to the project, or want to run browser testing locally.
The code in this repository assumes it is hosted on [test.]browseraudit.{com,org}. To test locally, those domains must resolve to your machine, for example by adding the snippet below at the end of your /etc/hosts file:

```
127.0.0.1 www.browseraudit.com
127.0.0.1 browseraudit.com
127.0.0.1 test.browseraudit.com
127.0.0.1 browseraudit.org
127.0.0.1 test.browseraudit.org
```
You also need a local Certificate Authority and a TLS certificate for the domains above. First create the CA key and self-signed CA certificate:

```shell
openssl genrsa -out browserauditCA.key 4096
openssl req -x509 -new -nodes -key browserauditCA.key -sha256 -days 1825 \
  -out browserauditCA.pem \
  -subj "/CN=browserauditCA"
```
Install browserauditCA.pem as a trusted Certificate Authority in the browsers you want to test.
Then create the server key and a certificate signing request covering all five names:

```shell
openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out request.csr \
  -subj "/CN=browseraudit.com" \
  -addext "subjectAltName=DNS:browseraudit.com,DNS:www.browseraudit.com,DNS:test.browseraudit.com,DNS:browseraudit.org,DNS:test.browseraudit.org"
```
Save the following certificate extensions as v3.ext (the file passed to -extfile below); the subjectAltName list must match the one in the request:

```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = browseraudit.com
DNS.2 = www.browseraudit.com
DNS.3 = test.browseraudit.com
DNS.4 = browseraudit.org
DNS.5 = test.browseraudit.org
```
Sign the request with the CA, append the CA certificate to build the full chain, and verify the result:

```shell
openssl x509 -req -in request.csr -CA browserauditCA.pem -CAkey browserauditCA.key -CAcreateserial \
  -out fullchain.pem -days 365 -sha256 -extfile v3.ext
cat browserauditCA.pem >> fullchain.pem
openssl verify -CAfile browserauditCA.pem fullchain.pem
```
BrowserAudit makes use of geolocation data published by MaxMind. Download the free GeoLite2-Country.mmdb database file from GeoLite2 and place it in the geoip directory of this repo.
BrowserAudit is designed to be hosted on a server running the following software:
- nginx, an HTTP(S) server
- PostgreSQL, a relational database server
- Memcached, a memory caching system
- The Go programming language
Luckily, BrowserAudit is fully containerised with Docker, so the main dependency is just a recent version of Docker (Docker Engine >= 23.0). If you want to change the default configuration, inspect docker-compose.yml, app.Dockerfile and nginx/nginx.Dockerfile; from there you will be able to track down the various configuration files.
WARNING: the configuration file development-server.yml is intended for local development only, and for ease of use it contains hard-coded, insecure passwords. If you plan to deploy BrowserAudit publicly, make sure to change these.
Go to the root directory of this repo, run docker compose up and cross your fingers 😁.
```shell
# builds the images on the first run, then starts BrowserAudit each time
docker compose up
# check that everything is running (you should see 4 containers)
docker ps
# stop everything
docker compose down
# while running, open a shell in a container
docker exec -it <container_id_or_name> /bin/bash
# example: open a shell in the database container
docker exec -it postgres /bin/bash
# once in the postgres container shell, inspect the database
psql -U browseraudit_user -d browseraudit_db
```
The recommended workflow is to start all the containers and then edit the Go, JS and HTML files in the repo: the go_app container watches for changes and builds and deploys BrowserAudit automatically for you.
If you'd like to integrate your changes with the main Browseraudit project, see the CONTRIBUTING.md file for details.
We use Gofmt, Staticcheck, and Prettier for formatting and linting. Configuration files for these are included in the repository.
To format Go code, you can use the command:

```shell
gofmt -w .
```

To format JS, HTML and CSS files, you can use the command:

```shell
npx prettier --write .
```

To check for linting issues in Go code, you can use the command:

```shell
$(go env GOPATH)/bin/staticcheck
```
BrowserAudit is free software, licensed under the terms of the 2-clause BSD license. See the LICENSE file for further details.
This project has benefited from the contributions of several individuals over the years. We thank, in alphabetical order, Charlie Hothersall-Thomas, Luqman Liaquat, Sergio Maffeis, and Chris Novakovic for their efforts.
The initial research on BrowserAudit was partially supported by EPSRC grant EP/I004246/1 and EPSRC grant EP/K032089/1. The initial deployment of BrowserAudit was partially supported by a GCHQ Academic Cyber Funding Small Grant. Since 2015 BrowserStack has generously provided support in kind, by providing us with a free plan to access their browser testing automation framework. Since December 2024 we acknowledge and thank NLnet and the European Commission's Next Generation Internet programme NGI0 Core for their support, which we hope will help us foster contributions from the developer community.
If you would like to cite BrowserAudit in your academic work, please cite our ISSTA 2015 conference paper:
Charlie Hothersall-Thomas, Sergio Maffeis and Chris Novakovic. BrowserAudit: Automated Testing of Browser Security Features. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA 2015), Baltimore, MD, USA, July 12-17, 2015. ACM 2015, ISBN 978-1-4503-3620-8.