Bottom line: Anyone can inspect your SaaS from the public internet without logging in: response headers, TLS configuration, cookie flags, open admin paths, and forgotten subdomains. You do not need a breach story to justify a baseline. You need a short list of what is visible and wrong, then a fixed path to fix it.
For small US SaaS and product teams. External view first — not a red-team novel.
Primary path: security work from $1,500 → omen-it.tech/us · GEO is separate ($900) if AI visibility is a different problem.
What anyone can see without logging in
An unauthenticated observer can usually collect:
| Surface | Examples |
|---|---|
| HTTP response headers | Missing HSTS, weak CSP, verbose server tokens |
| Cookie attributes | Missing Secure, HttpOnly, SameSite on session cookies |
| TLS | Protocol/cipher posture, cert chain, mixed content |
| Subdomains | staging., dev., old., admin panels left public |
| Auth entry points | /login, /admin, vendor default paths, password-reset flows |
| Error and debug leakage | Stack traces, framework defaults, open API docs on prod |
| Third-party scripts | Tag managers, chat, analytics — attack surface and CSP tension |
None of this requires stealing credentials. It is recon, and it is how opportunistic scanners prioritize targets.
This checklist is about that outside view. It is not a full penetration test, not malware cleanup, and not a SOC retainer.
Headers that matter first (HSTS, CSP, cookies)
Prioritize high-leverage, widely understood controls. Exact values depend on your app; the point is presence and intentionality, not cargo-cult copy-paste.
HSTS (HTTP Strict Transport Security)
- Force HTTPS for the apex and relevant subdomains when you are ready.
- Misconfigured HSTS with broken HTTPS on a subdomain causes real outages — inventory hosts first.
- Preload is optional and stricter; do not enable casually.
CSP (Content Security Policy)
- Reduces impact of XSS by constraining script/style sources.
- Start with a report-only policy if you need to learn breakage, then enforce.
- Inline scripts and reckless
unsafe-inlineweaken the point; third-party tags often force tradeoffs — document them.
Cookie flags (app session)
Secureon HTTPS sites.HttpOnlyfor session tokens not needed by JavaScript.SameSiteappropriate to your auth flows (Lax/Strict/None+Secure as required).- Separate cookie design for marketing vs session when possible.
Other useful headers (baseline)
X-Content-Type-Options: nosniffReferrer-Policywith a conscious choicePermissions-Policyto disable unused browser features- Frame protections (
frame-ancestorsin CSP or legacyX-Frame-Optionswhere still relevant) - Avoid advertising exact server/version tokens when you gain nothing by it
Quick self-check
- Production responses over HTTPS only for app traffic
- HSTS present on the main app host (and policy matches subdomain reality)
- CSP exists (even if report-only mid-migration) and is not an empty placebo
- Session cookies set Secure + HttpOnly (+ SameSite deliberate)
- No obvious
Server: framework/x.y.zbragging you do not need - Staging not indexed and not using production cookie scope carelessly
Failing several items is common on early SaaS. It is also a clean audit scope.
TLS and subdomain sprawl
Headers do not save a messy edge.
TLS
- Valid certificates on every hostname users or OAuth callbacks hit.
- Redirect HTTP → HTTPS without open redirect toys.
- Avoid long-lived mixed content (HTTP assets on HTTPS pages).
- Watch expiration on forgotten hosts (admin, docs, status).
Subdomain sprawl
Small teams accumulate:
staging.product.comwith weak auth or default credentials- Old Heroku/Vercel/Cloud Run CNAMEs pointing at abandoned apps
- Customer-specific or demo hosts left public
- Third-party services on your domain with different security posture
Inventory DNS. For each hostname: still needed? who owns it? auth? headers? cert?
Sprawl is where “we’re fine on app.product.com” becomes “attacker used beta.product.com.”
What an external audit report includes
OMEN’s security path for this class of problem is outside-in and fixed-price oriented — not an open-ended retainer by default.
Expect a decision-ready report shaped like:
- Scope — hosts and environments agreed in writing (prod first; staging if exposed).
- External findings — headers, TLS, cookies, obvious admin/auth exposure, subdomain issues visible without privileged access.
- Severity and exploitability in plain language — what a stranger can do with each finding (recon vs practical abuse path), without theatrical CVSS cosplay for its own sake.
- Prioritized remediation — what to fix first (exposure and auth edges before cosmetic header polish).
- Retest boundary — what “done” means for the engagement; deeper pen tests or code review only if ordered separately.
Public floor: from $1,500. Complex multi-app or multi-cloud estates are quoted, not forced into a single SKU. Builds/hardening implementation beyond the audit can be separate.
What you should not expect from a baseline external pass: zero-day research, social engineering, physical security, or a promise that “you are unhackable.”
Fixed price — no retainer required
| Product | Public floor | Use when |
|---|---|---|
| Security audit / hardening path | from $1,500 | Headers, TLS, exposure, external hygiene |
| GEO audit | $900 | AI/answer visibility for local/service GTM — different problem |
| Build / implementation | from $5,000 | You want OMEN to implement fixes at product speed |
Start security-only if the question is exposure. Start GEO-only if the question is ChatGPT/AI Overview citation for a local service business. Combine only when both are real: visibility work that funnels strangers into a soft login is incomplete risk management.
Book or describe the case: omen-it.tech/us.
FAQ
Is this a penetration test?
It is an external, checklist-driven audit of visible posture. Full offensive pen tests are broader and priced/scoped separately when you need them.
Will fixing headers stop all attacks?
No. Headers and TLS hygiene raise the floor and remove easy scanner wins. App logic bugs and stolen credentials remain separate classes of risk.
Do we need to give you production SSH?
Often not for an outside-in pass. Host list and permission to test agreed targets matter. Privileged access only when the SOW requires validation you cannot do externally.
Can we bundle this with GEO?
Yes, as two products: security from $1,500 + GEO $900. Different methods, different reports. See also the home-services note on forms: Home Services AI Search Checklist.
Next step
If production headers, cookies, TLS, or subdomains would embarrass you in a customer security questionnaire:
Security path — from $1,500 · describe case or chat → omen-it.tech/us
Cold, fixed scope. No retainer required to start.
Related reading
- Home Services AI Search Checklist — dual CTA pattern (GEO + security note for forms)
- Hub / pricing / contact: omen-it.tech/us
- GEO cluster only if dual need: Why Your Business Does Not Show Up in ChatGPT · What a GEO Audit Includes