SaaS Sunday: Building a High-Performance Security Header Scanner on a Budget in One Day

Learn how we built HeaderScan.com, a blazing-fast security header scanner using Docker, Cloudflare Free Tier, and NGINX—all for just €3.79/month. Best of all, we got it done in a day thanks to AI.

vincentcox

Key highlights

We’re excited to announce HeaderScan.com, a lightning-fast security header analysis tool. We built this service to help developers and security professionals quickly assess their website’s security headers online while demonstrating that high-performance, secure applications don’t require expensive infrastructure. 

Use of AI: Claude AI significantly reduced development time by creating the front-end and assisting with the backend. This allowed us to finish the project in one day.

Cost-effective security & caching implementation: Leveraged Cloudflare free tier features, including WAF, Zero Trust, and Tiered Cache, for enterprise-grade protection and speed.

Scalable architecture: Complete solution running on €3.79/month VPS with containerized workers ready for traffic growth.


🌎 Goal of Headerscan.com

We had the following requirements in mind before we started this project:
  • Real-time security header scanning with detailed analysis
  • Comprehensive security scoring and recommendations
  • Fast API response times through optimized request handling
  • Detailed security recommendations with practical examples
  • Responsive design that works on all devices

🔧 Technical Stack

  • Frontend: Modern CSS (Tailwind) and JavaScript, generated by AI
  • Backend: Dockerized Python worker running Flask + Gunicorn (threaded) for concurrent processing and scaling
  • Server: NGINX as a fast and memory-efficient web server
  • Logging: Telegraf for collecting metrics and logs

🤖 AI Frontend Development

One of the most interesting aspects of building HeaderScan.com was our approach to frontend development. We leveraged Claude.ai (3.5 Sonnet), an advanced language model, to accelerate the development process. Here’s how we did it:

  • Provided Claude with our API response format as a reference
  • Used “prompt engineering”, which is a fancy term for writing out in detail what your desired output is and which techniques it should use: for example, which programming languages or frameworks you would like to use, and that it should include the proper SEO tags for better search engine results.
  • Tested and verified the AI-generated code
  • Made adjustments, because AI is known to hallucinate and produce wrong code and content even though it “looks right”

This allowed us to get the frontend right in under an hour.

👨‍💻 Backend Development

There are several CLI tools available to check the security headers of websites, for example shcheck and humble. Both have a license which allows modifications and general use. We decided to go with shcheck, because it seemed the easiest to port. We modified the code to have it run as an API web server. The Dockerfile was also adjusted to make it faster.
We used a pinch of AI here and there, but that was fairly limited. It seems that for more complex tasks, and for tasks where efficiency matters, AI is not (yet) advanced enough and is too hindered by hallucinations. Some say that those hallucinations are inherent to the way LLMs work and will therefore continue to be a problem in the future.

Anyway, the main takeaways of coding it were:

  • Gunicorn with threaded Flask server for concurrent processing
  • Docker containerization for consistent performance across environments and having room for scaling in the future
  • Python code for fast development (idea -> reality)
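To show the kind of check such a worker performs, here is an added, self-contained example (not shcheck's code nor HeaderScan's backend) that scores a response's security headers and flags information-leaking ones. The header thresholds (for example a one-year HSTS max-age) and the sample response are assumptions constructed for this example.

```python
import re
from urllib.request import Request, urlopen

# Each expected header maps to a value check. The thresholds are assumptions
# drawn from common hardening guidance, not shcheck's own rule set.
def _hsts_ok(value):
    match = re.search(r"max-age=(\d+)", value, re.I)
    return bool(match) and int(match.group(1)) >= 31536000  # at least one year

HEADER_RULES = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "unsafe-inline" not in v and "unsafe-eval" not in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}
# Headers that only reveal implementation details; a scan should flag them.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def analyze_headers(headers):
    """Score a header mapping (any case) and list findings; score is 0-100."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings, passed = [], 0
    for name, check in HEADER_RULES.items():
        value = lower.get(name)
        if value is None:
            findings.append({"header": name, "status": "missing"})
        elif not check(value):
            findings.append({"header": name, "status": "weak", "value": value})
        else:
            passed += 1
    for name in LEAKY_HEADERS:
        if name in lower:
            findings.append({"header": name, "status": "leaks-info", "value": lower[name]})
    return {"score": round(100 * passed / len(HEADER_RULES)), "findings": findings}

def fetch_headers(url, timeout=5):
    """Fetch the response headers of a site you operate with a single HEAD request."""
    req = Request(url, method="HEAD", headers={"User-Agent": "headerscan-example/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed sample response so the analysis runs offline; values are made up.
SAMPLE_HEADERS = {
    "Server": "nginx/1.24.0",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
```

Running `analyze_headers(SAMPLE_HEADERS)` scores 33 with five findings: a too-short HSTS max-age, a CSP that allows inline scripts, two missing headers, and a version-revealing Server header.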

☁️ Cloudflare Security & Speed Optimization

We leveraged Cloudflare’s free tier to its fullest potential, proving that powerful performance features don’t always need to be costly and can even be free:

All these features combined give us a secure and blazing fast application.

Our optimization efforts resulted in fast load times:

💰 Cost-Effective Infrastructure

The entire setup costs €3.79/month, all of which is the VPS cost. In fact, this is even overkill, because our CPU usage peaks at 3% over time.

This setup could run on an old Raspberry Pi at home; however, for production this is obviously not recommended due to the downtime of residential connections and the risk of corrupted SD cards. This demonstrates that high performance doesn’t always require expensive infrastructure. The combination of efficient code, smart caching, and modern CDN features can deliver exceptional performance on modest hardware.

Try It Out

Visit HeaderScan.com to analyze your website’s security headers for free. The service is fast, comprehensive, and doesn’t require registration.

#WebSecurity #DevOps #CloudInfrastructure #WebPerformance #AI