twa - Man Page
tiny web auditor with strong opinions
Synopsis
Description
twa takes a DOMAIN hosting a website and performs a short security audit. It can be used to detect HTTP(S) issues, missing security headers, information-leaking headers, and other potential security hazards.
twa takes only one DOMAIN at a time. If you need to audit multiple sites, run the program again.
Options
- -v
Verbose mode.
- -w
Perform the audit on the main DOMAIN and the www. subdomain.
- -c
Emit output in CSV.
- -s
Run testssl-based checks (skipped by default).
- -d
Disable scanning common development ports.
- -V
Print the version and exit.
- -h
Print a help message and exit.
Environment
- NO_COLOR
Don't colorize output, even when on a TTY.
- TWA_TIMEOUT
The maximum length, in seconds, for internal curl calls.
- TWA_USER_AGENT
The User-Agent to use for all curl calls.
- TWA_CURLOPTS
Any additional options to pass to curl calls.
Test Results
Each line of output describes the result of a single test, and follows the "RESULT(DOMAIN): explanation" format, where RESULT is one of the following:
- PASS
The test passed with flying colors.
- MEH
The test passed, but with one or more things that could be improved.
- FAIL
The test failed, and should be fixed.
- UNK
The server gave us something we didn't understand.
- SKIP
The server gave us something we understood, but that we don't handle yet.
- FATAL
A really important test failed, and should be fixed immediately.
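The result format above is regular enough to gate a build on. The following is an added example, not part of twa: it tallies results read from stdin and returns a status a pipeline can act on. The function names, the sample lines, the exit-code policy, and the assumption that twa writes results to stdout are all assumptions of the example.

```shell
# Added example (not part of twa). Sample lines are constructed and their
# explanation text is placeholder wording, not real twa output.
sample_twa_output() {
    cat <<'EOF'
PASS(example.com): constructed explanation A
MEH(example.com): constructed explanation B
FAIL(example.com): constructed explanation C
SKIP(example.com): constructed explanation D
this line is not in RESULT(DOMAIN) form and is ignored
EOF
}

# Count each RESULT seen on stdin; print one summary line.
twa_tally() {
    pass=0 meh=0 fail=0 unk=0 skip=0 fatal=0
    while IFS= read -r line; do
        case "$line" in
            *"("*"): "*) ;;      # shaped like RESULT(DOMAIN): explanation
            *) continue ;;       # anything else is skipped
        esac
        result=${line%%\(*}      # text before the first "(" is RESULT
        case "$result" in
            PASS)  pass=$((pass + 1)) ;;
            MEH)   meh=$((meh + 1)) ;;
            FAIL)  fail=$((fail + 1)) ;;
            UNK)   unk=$((unk + 1)) ;;
            SKIP)  skip=$((skip + 1)) ;;
            FATAL) fatal=$((fatal + 1)) ;;
        esac
    done
    printf 'PASS=%d MEH=%d FAIL=%d UNK=%d SKIP=%d FATAL=%d\n' \
        "$pass" "$meh" "$fail" "$unk" "$skip" "$fatal"
}

# Exit status for a pipeline step: 2 on any FATAL, 1 on any FAIL, else 0.
twa_gate() {
    summary=$(twa_tally)
    printf '%s\n' "$summary" >&2
    case "$summary" in
        *" FATAL=0") ;;
        *) return 2 ;;
    esac
    case "$summary" in
        *" FAIL=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumed usage (results on stdout): NO_COLOR=1 twa example.com | twa_gate
```

MEH, UNK and SKIP are counted but do not fail the gate here; tighten the policy in twa_gate if those should block a release.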
Bugs
None known. File issues at: https://github.com/trailofbits/twa
Author
twa is maintained by William Woodruff (<william @ trailofbits.com>).