Open source
Parts of our compliance scanner are published as open-source Node.js tools. You can read the code, run them locally or drop them into your CI pipeline. The same code runs inside trustyourwebsite.nl — what we ship to production is what you see on GitHub.
Everything below is MIT-licensed, has zero runtime dependencies and is built to run on Node.js 18 or newer.
@trustyourwebsite/security-headers
Grades HSTS, Content-Security-Policy, X-Frame-Options and eight other response headers. Outputs a letter grade from A+ to F with specific remediation advice for each missing or misconfigured header. CI-friendly — set a minimum grade threshold and fail the build if a deploy regresses.
Powers the security-headers check in our scanner.
npx @trustyourwebsite/security-headers https://example.com
- GitHub: trustyourwebsite/security-headers
- npm: @trustyourwebsite/security-headers
- License: MIT
@trustyourwebsite/dns-auth-check
Validates SPF, DKIM, DMARC, BIMI and MTA-STS configuration. Recursive SPF lookup counting (catches the ten-lookup limit before your mail breaks) and automatic DKIM selector discovery. No dependencies, no API keys, queries DNS directly.
Powers the email authentication check in our scanner.
npx @trustyourwebsite/dns-auth-check example.com
- GitHub: trustyourwebsite/dns-auth-check
- npm: @trustyourwebsite/dns-auth-check
- License: MIT
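The recursive lookup counting described above, as an added example that is not the dns-auth-check package's own code: it walks include: and redirect= chains and counts the terms RFC 7208 caps at ten DNS lookups per check. The zone is a constructed in-memory map with hypothetical names so the walk runs offline; a live checker would resolve TXT records with dns.promises.resolveTxt instead.

```javascript
// Added example, not code from @trustyourwebsite/dns-auth-check. Counts the
// SPF terms that each cost a DNS lookup (include:, a, mx, ptr, exists: and the
// redirect= modifier) across the whole include/redirect tree and flags the
// ten-lookup limit from RFC 7208. The resolver is an in-memory map so this
// runs offline; swap in dns.promises.resolveTxt for a real check.

const SPF_LOOKUP_LIMIT = 10;
const LOOKUP_TERMS = new Set(["include", "redirect", "a", "mx", "ptr", "exists"]);

// Constructed sample zone: domain -> its SPF TXT record (hypothetical names).
const SAMPLE_ZONE = {
  "example.com":      "v=spf1 include:_spf.mailer.test include:_spf.crm.test mx -all",
  "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
  "_a.mailer.test":   "v=spf1 ip4:192.0.2.0/24 a mx -all",
  "_b.mailer.test":   "v=spf1 ip4:198.51.100.0/24 exists:%{i}.chk.mailer.test -all",
  "_spf.crm.test":    "v=spf1 redirect=_spf2.crm.test",
  "_spf2.crm.test":   "v=spf1 a mx ptr -all",
};

// Returns { lookups, overLimit, missing, loops } for the SPF chain rooted at
// `domain`. `chain` holds the include/redirect path so a loop is reported,
// not followed; `missing` lists referenced names with no SPF record.
function countSpfLookups(domain, zone = SAMPLE_ZONE, chain = []) {
  const result = { lookups: 0, overLimit: false, missing: [], loops: [] };
  if (chain.includes(domain)) { result.loops.push(domain); return result; }
  const record = zone[domain];
  if (record === undefined) { result.missing.push(domain); return result; }

  for (const term of record.split(/\s+/).slice(1)) {       // skip "v=spf1"
    const t = term.replace(/^[+\-~?]/, "").toLowerCase();   // drop qualifier
    const name = t.split(/[:/=]/)[0];                       // "include:x" -> "include"
    if (!LOOKUP_TERMS.has(name)) continue;                  // ip4/ip6/all cost nothing
    result.lookups += 1;
    if (name === "include" || name === "redirect") {
      const sub = countSpfLookups(t.slice(name.length + 1), zone, [...chain, domain]);
      result.lookups += sub.lookups;
      result.missing.push(...sub.missing);
      result.loops.push(...sub.loops);
    }
  }
  result.overLimit = result.lookups > SPF_LOOKUP_LIMIT;
  return result;
}
```

For the sample zone the walk reports 12 lookups, so example.com would fail with a permerror at receivers even though every individual record looks fine on its own.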
@trustyourwebsite/cookie-consent-validator
Most cookie-consent scanners just check whether a banner exists. This one clicks "Reject All" and then verifies that tracking cookies and scripts actually stop. A banner that looks compliant but keeps tracking after a rejection click is worse than no banner at all, and this tool catches it.
Powers the consent-interaction check in our scanner — the finding we lead with in cold outbound, because no competitor we know of tests it.
- GitHub: trustyourwebsite/cookie-consent-validator
- License: MIT
Why we open-source these
We sell an automated compliance scanner. The hard part of compliance isn't the list of rules; it's applying them correctly against a live website. Publishing the check implementations does three things:
- Customers can verify what we're actually testing rather than take our word for it.
- Anyone running a CI pipeline can use these before we ever talk to them.
- Bug reports and feature requests against the open-source repos feed directly back into the scanner.
We're not trying to build an open-source business. These tools exist because transparency about what a compliance scanner measures is the difference between a trustworthy scanner and a box-ticking one.
Get your full scan
The three tools above cover three checks. The full scanner runs 38+ checks across GDPR, cookie consent, image copyright, web accessibility (EAA), security, DNS and legal-page completeness.