SpeyBooks runs a weekly Security Test Harness across its production infrastructure. This report covers the run executed on 5 June 2026.
Summary
| Metric | Result |
|---|---|
| Grade | A |
| Score | 100% |
| Modules passed | 21 / 21 |
| Failures | 0 |
| Warnings | 0 |
All 21 modules passed with no failures or warnings.
Module Results
| Module | Status | Detail |
|---|---|---|
| fw-nginx | ✓ PASS | nginx config valid, security headers present |
| fw-ports | ✓ PASS | only ports 22/80/443 listening |
| fw-headers | ✓ PASS | all security headers present on all four domains |
| sc-ssh | ✓ PASS | SSH hardened (root=without-password, passwordauth=no, x11=no) |
| sc-postgres | ✓ PASS | postgres bound to localhost only |
| sc-env | ✓ PASS | .env files not world-readable |
| sc-tls | ✓ PASS | TLS 1.0 and 1.1 rejected |
| pm-os | ✓ PASS | unattended-upgrades active, no pending security updates |
| pm-node | ✓ PASS | Node.js v22.22.2 (LTS) |
| pm-postgres | ✓ PASS | PostgreSQL 17.10 (supported) |
| pm-npm | ✓ PASS | no high/critical production vulnerabilities (api+web) |
| ac-rls | ✓ PASS | 40 tenant tables: organisation_id + RLS enabled + FORCEd |
| ac-fail2ban | ✓ PASS | all 5 fail2ban jails active |
| ac-ratelimits | ✓ PASS | nginx rate limiting configured (1 directives) |
| ac-authaudit | ✓ PASS | auth_audit_log active (99 entries) |
| ml-rootkit | ✓ PASS | no new SUID/SGID binaries (18 known) |
| ml-services | ✓ PASS | only expected services running |
| op-ssl | ✓ PASS | all SpeyBooks SSL certs valid >30 days |
| op-backups | ✓ PASS | latest backup 7h old, verified |
| op-disk | ✓ PASS | disk usage 50% |
| op-s3sync | ✓ PASS | last S3 upload 7h ago, verified |
What We Test
The Security Test Harness covers 21 modules across six areas:
Firewall and network: nginx configuration validity, open port exposure, and live security header verification across all four SpeyBooks domains.
Secrets and configuration: SSH hardening (root login, password auth, X11), PostgreSQL binding, environment file permissions, and TLS version enforcement.
Patch management: operating system update status, Node.js LTS verification, PostgreSQL version, and production npm vulnerability scanning.
Access control: Row-Level Security coverage across all 40 tenant tables (organisation_id presence, RLS enabled, FORCE enforced), fail2ban jail status, nginx rate limiting, and auth audit log activity.
Malware and services: SUID/SGID binary baseline comparison and unexpected service detection.
Operations: SSL certificate expiry across all domains, local backup recency, disk usage, and S3 sync verification.
Infrastructure
SpeyBooks runs on Hetzner (Germany, EU) with encrypted database backups replicated to AWS London (eu-west-2, UK). Data never leaves UK or EU jurisdiction.
This report is generated automatically by the SpeyBooks Security Test Harness, which runs on the production server, and is published through a fixed pipeline without human editing. Operational details that would aid reconnaissance are mechanically redacted at the publication boundary; the full-fidelity report stays with the operator.