Privacy

Security Audit Report — 6 July 2026

Weekly SpeyBooks Security Test Harness report. Grade: A+ (97%). 21/22 modules passing. Automated infrastructure security audit.

William Murray · 6 July 2026 · 3 min read
Security audit grade A+, 21 of 22 modules passing, score 97%

SpeyBooks measures its production infrastructure daily with an automated Security Test Harness and publishes this report weekly. This report covers the run executed on 6 July 2026.

Summary

MetricResult
GradeA+
Score97%
Modules passed21 / 22
Failures0
Warnings1

21 modules passed. 1 warning(s) noted.

Module Results

ModuleStatusDetail
fw-nginx✓ PASSnginx config valid, security headers present
fw-ports✓ PASSonly ports 22/80/443 listening
fw-headers✓ PASSall security headers present on all four domains
sc-ssh✓ PASSSSH hardened (root=without-password, passwordauth=no, x11=no)
sc-postgres✓ PASSpostgres bound to localhost only
sc-env✓ PASS.env files not world-readable
sc-tls✓ PASSTLS 1.0 and 1.1 rejected
pm-os! WARN10 pending security updates
pm-node✓ PASSNode.js v22.23.1 (LTS, patch-current)
pm-postgres✓ PASSPostgreSQL 17.10 (supported)
pm-npm✓ PASSno high/critical production vulnerabilities (api+web)
ac-rls✓ PASS46 tenant tables: organisation_id + RLS enabled + FORCEd
ac-bypassrls✓ PASSBYPASSRLS held only by allow-list (postgres speybooks_admin speybooks_anchor speybooks_webhook speybooks_purge); tenant role clean; anchor read-only; webhook and purge grants confined
ac-fail2ban✓ PASSall 5 fail2ban jails active
ac-ratelimits✓ PASSnginx rate limiting configured (1 directives)
ac-authaudit✓ PASSauth_audit_log active (148 entries)
ml-rootkit✓ PASSno new SUID/SGID binaries (18 known)
ml-services✓ PASSonly expected services running
op-ssl✓ PASSall SpeyBooks SSL certs valid >30 days
op-backups✓ PASSlatest backup 1h old, verified
op-disk✓ PASSdisk usage 64%
op-s3sync✓ PASSlast S3 upload 1h ago, verified

What We Test

The Security Test Harness covers 22 modules across six areas:

Firewall and network: nginx configuration validity, open port exposure, and live security header verification across all SpeyBooks domains.

Secrets and configuration: SSH hardening (root login, password auth, X11), PostgreSQL binding, environment file permissions, and TLS version enforcement.

Patch management: operating system update status, Node.js LTS verification, PostgreSQL version, and production npm vulnerability scanning.

Access control: Row-Level Security coverage across every tenant table (organisation_id presence, RLS enabled, FORCE enforced), fail2ban jail status, nginx rate limiting, and auth audit log activity.

Malware and services: SUID/SGID binary baseline comparison and unexpected service detection.

Operations: SSL certificate expiry across all domains, local backup recency, disk usage, and S3 sync verification.

Infrastructure

SpeyBooks runs on Hetzner (Germany, EU) with encrypted database backups replicated to AWS London (eu-west-2, UK). Data never leaves UK or EU jurisdiction.


This report is generated automatically by the SpeyBooks Security Test Harness, which runs on the production server, and is published through a fixed pipeline without human editing. Operational details that would aid reconnaissance are mechanically redacted at the publication boundary; the full-fidelity report stays with the operator.

Early access for developers.

SpeyBooks is in soft launch. We're inviting a small group of developers to help shape API-first accounting for the UK.

90-day free trial. Proper double-entry. No tracking.