Compliance Audits
Security header evidence for compliance frameworks
Map your website's security scan results to SOC 2, PCI DSS, and GDPR controls. Generate audit-ready PDF reports that demonstrate your security posture to auditors.

Map results to compliance controls
See how each security header maps to specific compliance controls. Results align with SOC 2 Common Criteria, PCI DSS requirements, and GDPR Article 32, making it easy to identify gaps.
Compliance Mapping (PCI DSS references use v3.2.1 requirement numbering)
| Header / control | SOC 2 | PCI DSS | GDPR |
|---|---|---|---|
| HSTS | CC6.1 | 4.1 | Art. 32 |
| CSP | CC6.1 | 6.5.7 | Art. 32 |
| X-Frame-Options | CC6.1 | 6.5.9 | |
| Cookie Security (Secure, HttpOnly flags) | CC6.5 | 6.5.10 | Art. 25 |
| X-Content-Type-Options | CC6.6 | 6.5 | Art. 32 |
PDF reports as audit evidence
Generate a comprehensive report that auditors can review independently. Includes scan date, overall score, detailed findings, and remediation steps. Attach directly to audit documentation.
Track improvements over time
Run periodic scans to document security progress, or enable daily monitoring for a continuous audit trail. Your score history shows changes over time — useful for demonstrating remediation to auditors and showing that controls stay in place between reviews.
Score History (example chart): Jan 58, Feb 72, Mar 81, Apr 88
How it works
Scan your website
Enter your URL for a comprehensive security assessment against compliance standards.
Review compliance mapping
See how your controls align with SOC 2, PCI DSS, and GDPR requirements.
Export audit evidence
Download a PDF report or share results with your compliance team.
Frequently asked questions
Which compliance frameworks does this help with?
SiteSecurityScore scans align with multiple compliance frameworks. For SOC 2, the results map to Common Criteria CC6.1, CC6.5 and CC6.6 (logical and physical access controls). For PCI DSS, results address requirements 2.2.4, 4.1 and 6.5 (v3.2.1 numbering) related to secure configurations and data protection. For GDPR, the security measures evaluated support Article 32 (security of processing) and Article 25 (data protection by design and by default).
Is the scan report accepted as audit evidence?
The PDF report provides supporting evidence for your audit documentation. It does not replace a formal penetration test or a SOC 2 Type II audit, but it demonstrates specific technical controls you have implemented. The scan observes the headers returned for the URL you submit, so it shows those headers were in place at scan time; it does not by itself prove the same configuration applies to every path or to authenticated responses, so pair it with server or CDN configuration evidence where an auditor asks for coverage. Many organizations include it alongside other security documentation to show continuous monitoring of their web application security posture.
How do I demonstrate security improvements to auditors?
Run periodic scans and use your scan history to show progression from baseline to current score. For a stronger audit trail, automated daily monitoring records a timestamped snapshot of your security posture every day, giving you a continuous record of which headers and cookie flags were in place on any given date. This is significantly more compelling to auditors than a handful of manual scans.
What security headers are required for PCI DSS compliance?
PCI DSS does not mandate specific HTTP headers by name, but several requirements are directly supported by security headers. Requirement 4.1 (encrypt cardholder data in transit) is addressed by HSTS, which keeps browsers on HTTPS. Requirement 6.5.10 (broken authentication and session management) is supported by the Secure and HttpOnly cookie flags on session cookies. Requirements 6.5.7 (XSS) and 6.5.9 (CSRF) benefit from CSP, X-Content-Type-Options and X-Frame-Options headers (the SameSite cookie attribute also helps with 6.5.9). These are PCI DSS v3.2.1 requirement numbers; v4.0 renumbers them, so cite the version your assessor uses.
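The checks behind that mapping, as an added example (this is not SiteSecurityScore's code): a Python script that evaluates a response's headers and Set-Cookie values, decides pass or fail per control, and labels each finding with the control references used in the answer above. The pass thresholds (HSTS max-age of at least one year, no 'unsafe-inline' or wildcard in the effective script-src, Secure and HttpOnly on every cookie, frame-ancestors accepted in place of X-Frame-Options), the CONTROLS table, the percentage score and the two sample responses are assumptions constructed for this example.

```python
"""Added example: check response headers and cookie flags, map findings to
compliance controls. Thresholds, mapping and sample data are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds)

# (SOC 2, PCI DSS v3.2.1, GDPR) references per control, as given on this page.
CONTROLS = {
    "HSTS":                   ("CC6.1", "4.1",    "Art. 32"),
    "CSP":                    ("CC6.1", "6.5.7",  "Art. 32"),
    "X-Frame-Options":        ("CC6.1", "6.5.9",  ""),
    "Cookie Security":        ("CC6.5", "6.5.10", "Art. 25"),
    "X-Content-Type-Options": ("CC6.6", "6.5",    "Art. 32"),
}


@dataclass
class Finding:
    control: str
    passed: bool
    detail: str
    soc2: str
    pci: str
    gdpr: str


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def evaluate(headers: Dict[str, str], set_cookies: List[str]) -> List[Finding]:
    """headers: response header names -> values (any case); Set-Cookie values are
    passed separately because the header repeats. One Finding per control."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    def add(control: str, passed: bool, detail: str) -> None:
        findings.append(Finding(control, passed, detail, *CONTROLS[control]))

    # HSTS: present with a max-age of at least one year.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        add("HSTS", False, "header missing")
    elif not m or int(m.group(1)) < ONE_YEAR:
        add("HSTS", False, f"max-age below one year: {hsts}")
    else:
        add("HSTS", True, hsts)

    # CSP: the effective script source list must not allow inline scripts or
    # wildcards, otherwise the policy does little against XSS.
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        add("CSP", False, "header missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        weak = [s for s in script_src if s in ("'unsafe-inline'", "*")]
        add("CSP", not weak, f"script-src weakened by {weak}" if weak else "script-src restricted")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        add("X-Frame-Options", True, xfo)
    elif "frame-ancestors" in csp:
        add("X-Frame-Options", True, "covered by CSP frame-ancestors")
    else:
        add("X-Frame-Options", False, "no framing restriction")

    # Cookies: every cookie must carry Secure and HttpOnly.
    bad = []
    for raw in set_cookies:
        name, attrs = parse_set_cookie(raw)
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            bad.append(f"{name} lacks {','.join(missing)}")
    if not set_cookies:
        add("Cookie Security", True, "no cookies set")
    else:
        add("Cookie Security", not bad, "; ".join(bad) or "all cookies Secure+HttpOnly")

    # MIME sniffing: exact value "nosniff".
    xcto = h.get("x-content-type-options", "").strip().lower()
    add("X-Content-Type-Options", xcto == "nosniff", xcto or "header missing")
    return findings


def score(findings: List[Finding]) -> int:
    """Assumed scoring: percentage of controls passed (the page's score is not defined here)."""
    return round(100 * sum(f.passed for f in findings) / len(findings))


def report(findings: List[Finding]) -> List[str]:
    """One audit-style line per finding, with the control references attached."""
    return [f"{'PASS' if f.passed else 'FAIL'} {f.control:<22} SOC2 {f.soc2:<6} "
            f"PCI {f.pci:<6} GDPR {f.gdpr or '-':<8} {f.detail}" for f in findings]


# Constructed sample responses (not real scan data).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
WEAK_COOKIES = ["session=abc123; Path=/", "prefs=dark; Secure"]
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
                    "X-Content-Type-Options": "nosniff"}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        f = evaluate(hdrs, cookies)
        print(f"== {label}: score {score(f)} ==")
        print("\n".join(report(f)))
```

Run it as a script to see the two sample responses side by side: the weak one fails every control, the hardened one passes all five, and X-Frame-Options is satisfied by frame-ancestors rather than the legacy header. To check a live site, feed it the headers from your own HTTP client and every Set-Cookie value the response carried; the functions above take plain strings and do no network I/O.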
Start your compliance check
Scan your website and map the results to your compliance framework. Free, instant results.