Automated Website Security Audit: With n8n and OpenAI

I have been using n8n for a long time to automate various processes, both in my daily work and in my personal projects.
It is a platform that I find extremely versatile: it allows you to create complex workflows by integrating APIs, cloud services, monitoring systems and, more recently, even artificial intelligence models.

Among the various flows I have experimented with, the one that has given me the most satisfaction is the Website Security Auditor, based on a public template available on n8n.io.
This is a workflow that performs an automatic website security audit, using AI to analyze headers, configurations and client-side code, and then sends a detailed report via email.

Security as a priority

The security of my sites—and especially that of my visitors—has always been a priority.
Even though my projects do not handle logins, payments, or sensitive data, I consider it essential to prevent common attacks and vulnerabilities such as:

  • Cross-Site Scripting (XSS)
  • Content Injection or Clickjacking
  • Incorrect HTTPS configurations
  • Lack of essential security headers

These issues not only compromise the user experience but, in some cases, allow malicious users to exploit my sites as attack vectors against others.
Automating security checks allows me to maintain a constant level of protection without having to run manual tests with every update.


How the workflow works

The flow starts simply: I enter the URL of the site to analyze and n8n performs a series of automatic steps:

  1. Fetch the site's content and its HTTP response headers.
  2. Pass the data to two AI modules (based on GPT-5) that perform:
    • a security configuration analysis (HTTP headers, cookies, CSP, HSTS, etc.);
    • an HTML and JavaScript content analysis, to identify client-side vulnerabilities.
  3. Aggregate the results and transform them into a professional HTML report, with a security score (from F to A+) and concrete suggestions for correction.
  4. Finally, send the report automatically via email, complete with graphs and colored sections for immediate reading.

It is a non-invasive system: it analyzes only the public information the site already exposes and provides a clear picture of its security level.
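The deterministic part of step 2, the header checks, as an added example written the way an n8n Code node would do it (this is not the template's own code). Header names are assumed lower-cased, which is how n8n's HTTP Request node returns them when response headers are included; the grade scale is this example's own heuristic, not the template's.

```javascript
// Added example, not the n8n template's code: checks the response headers the
// report looks at and returns missing headers, warnings and a letter grade.
const REQUIRED = {
  'content-security-policy': 'Content Security Policy',
  'strict-transport-security': 'Strict Transport Security',
  'x-content-type-options': 'X-Content-Type-Options',
  'x-frame-options': 'X-Frame-Options',
  'referrer-policy': 'Referrer Policy',
  'permissions-policy': 'Permissions Policy',
};
const GRADES = ['A+', 'A', 'A-', 'B', 'C', 'D', 'F'];

function auditHeaders(rawHeaders) {
  // Normalize names to lower case so the check works for any HTTP client.
  const h = Object.fromEntries(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const missing = Object.entries(REQUIRED)
    .filter(([name]) => !(name in h)).map(([, label]) => label);
  const warnings = [];
  // A report-only CSP is never enforced, so it does not count as present.
  if (!h['content-security-policy'] && h['content-security-policy-report-only']) {
    warnings.push('CSP is report-only: the browser collects reports but enforces nothing');
  }
  const csp = h['content-security-policy'] || h['content-security-policy-report-only'] || '';
  if (csp.includes("'unsafe-inline'")) warnings.push("CSP allows 'unsafe-inline' (weakens XSS protection)");
  const hsts = h['strict-transport-security'] || '';
  const maxAge = Number((/max-age=(\d+)/.exec(hsts) || [])[1]);
  if (hsts && !(maxAge >= 31536000)) warnings.push('HSTS max-age is below one year');
  if (h['x-powered-by']) warnings.push(`x-powered-by discloses ${h['x-powered-by']}`);
  // Heuristic scale of this example (assumption): two steps per missing header,
  // one step per two warnings, capped at F.
  const step = Math.min(GRADES.length - 1, missing.length * 2 + Math.floor(warnings.length / 2));
  return { grade: GRADES[step], missing, warnings };
}

// Sample input constructed from the response headers shown in the report below.
const SAMPLE_HEADERS = {
  'server': 'cloudflare',
  'x-powered-by': 'PHP/8.2.28',
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'content-security-policy-report-only':
    "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:",
  'permissions-policy': 'geolocation=(), microphone=(), camera=(), payment=()',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'x-xss-protection': '0',
};

console.log(JSON.stringify(auditHeaders(SAMPLE_HEADERS), null, 2));
// Inside an n8n Code node the last line would instead be:
// return [{ json: auditHeaders($input.first().json.headers) }];
```

The structured result (missing list, warnings, grade) is what an AI module or the HTML report node downstream can consume, instead of re-deriving these facts from raw header text.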


From initial problems to concrete improvements

When I ran the first tests on paoloronco.it, the initial scores were quite low (class D).
By analyzing the results and following the recommendations generated by the report, I implemented various Cloudflare Rules to add missing security headers, such as:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=()
  • Referrer-Policy: strict-origin-when-cross-origin

After these changes, the score went up to A-, with a solid configuration in line with best practices.

I applied the same logic to my other projects as well, including the static ones hosted on Vercel, via the vercel.json file, which makes it easy to extend the protection to subdomains too.
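A vercel.json that sets the five headers listed above on every route, as an added example (not the author's actual file). Vercel's `headers` array with a `source` pattern of `/(.*)` applies the entries to all paths of the deployment.

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains; preload" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "SAMEORIGIN" },
        { "key": "Permissions-Policy", "value": "geolocation=(), microphone=(), camera=(), payment=()" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
      ]
    }
  ]
}
```

Note that `includeSubDomains; preload` commits every subdomain to HTTPS, so check that none of them is still served over plain HTTP before deploying this.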


Small technical challenges

The only limitation I found concerns large sites, where the "Security Vulnerabilities Audit" analysis module can fail because the input is too long (token limit) or because of a timeout.
To mitigate this, I am considering segmenting the analysis or switching to a version of the model with an extended context window, so I can keep the automation working even on more complex domains.


An ally in security

This experiment with n8n confirmed to me how powerful automation can be even in the field of cybersecurity.
A well-designed flow allows you to:

  • proactively detect vulnerabilities,
  • standardize security checks,
  • and above all, integrate AI into daily auditing processes.

For me it has become a little routine tool, useful for ensuring that my sites remain secure, up-to-date and compliant with best web security practices — without wasting time on repetitive checks.

Sample Security Report:

Website Security Audit Report

Security Report Summary

Score: B
Site: https://paoloronco.it
Report Time: October 21, 2025 at 4:50 PM
Headers:
  ✗ Content Security Policy
  ✓ Strict Transport Security
  ✓ X-Content-Type-Options
  ✓ X-Frame-Options
  ✓ Referrer Policy
  ✓ Permissions Policy
Critical Issues: 0
Warnings: 3

Warnings

3 warnings detected

See the Configuration Issues section below for more info.

Raw Headers

Header | Status | Value
date | present | Tue, 21 Oct 2025 16:50:31 GMT
content-type | present | text/html; charset=UTF-8
transfer-encoding | present | chunked
connection | present | close
report-to | present | {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=1yQ1J5ssSLv1SkmE6Ryid4wgzrlR3AtZbA7JA8sOJg9lH6eilgyRhGgg7o%2FbvORNExuw8i3pZ%2BdOGjAgsb3cT5WNvNn0DM9sHhwJ%2BGo%3D"}]}
link | present | <https://paoloronco.it/wp-json/>; rel="https://api.w.org/", <https://paoloronco.it/wp-json/wp/v2/pages/1251>; rel="alternate"; title="JSON"; type="application/json", <https://paoloronco.it/>; rel=shortlink
server | present | cloudflare
vary | present | Accept-Encoding
x-powered-by | present | PHP/8.2.28
cf-cache-status | present | DYNAMIC
nel | present | {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
speculation-rules | present | "/cdn-cgi/speculation"
strict-transport-security | present | max-age=31536000; includeSubDomains; preload
content-security-policy-report-only | present | default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
permissions-policy | present | geolocation=(), microphone=(), camera=(), payment=(), usb=(), interest-cohort=()
referrer-policy | present | strict-origin-when-cross-origin
x-content-type-options | present | nosniff
x-frame-options | present | SAMEORIGIN
x-xss-protection | present | 0
server-timing | present | cfCacheStatus;desc="DYNAMIC", cfEdge;dur=5,cfOrigin;dur=115
cf-ray | present | 992241206e0ff615-MXP
alt-svc | present | h3=":443"; ma=86400

Security Findings

Vulnerabilities

No vulnerabilities detected.

Configuration Issues

Strict Transport Security
This header is unknown. Value: max-age=31536000; includeSubDomains; preload.
Content-Security-Policy
This header is unknown. Value: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests.
Permissions Policy
This header is unknown. Value: geolocation=(), microphone=(), camera=(), payment=(), usb=(), interest-cohort=().
Referrer Policy
This header is unknown. Value: strict-origin-when-cross-origin.
X-Content-Type-Options
This header is unknown. Value: nosniff.
X-Frame-Options
This header is unknown. Value: SAMEORIGIN.
X-XSS-Protection
This header is unknown. Value: 0.
Content Security Policy – 'unsafe-inline'
The Content Security Policy allows the use of `'unsafe-inline'` for both scripts and styles.
X-XSS-Protection
The X-XSS-Protection header is set to `0`, meaning that the browser's built-in XSS protection is disabled.

Additional Information

access-control-allow-origin This is a very lax CORS policy. Such a policy should only be used on a public CDN.
strict-transport-security HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
content-security-policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Analyze this policy in more detail. You can sign up for a free account on Report URI to collect reports about problems on your site.
permissions-policy Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
referrer policy Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
x-content-type-options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
x-frame-options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
report-to Report-To enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur. You can sign up for a free account on Report URI to collect these reports.
nel Network Error Logging is a new header that instructs the browser to send reports during various network or application errors. You can sign up for a free account on Report URI to collect these reports.
server Server value has been changed. Typically you will see values like "Microsoft-IIS/8.0" or "nginx 1.7.2".

Implementation Guide

This report highlights security issues detected through client-side analysis. For a comprehensive security assessment, consider engaging a professional penetration tester.

To implement the fixes above:

  1. Work with your development team to address each issue in order of criticality
  2. Retest after implementing each fix
  3. Consider implementing a web application firewall for additional protection

This report was automatically generated and represents an automated assessment of publicly accessible aspects of your website. For a more comprehensive security assessment, consider engaging with a professional security consultant.

© 2025 Website Security Scanner | Generated on October 21, 2025 at 04:50 PM




This email was sent automatically with n8n