Title: CASA: a comprehensive automatic web servers audit
Authors: Assadarat Khurat; Dolvara Gunatilaka; Wasutum Kethom
Addresses: Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand; Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand; Faculty of Information and Communication Technology, Mahidol University, Nakhon Pathom, Thailand
Abstract: Web servers play a crucial role in web technology. Insufficient protection can lead to serious risks, such as sensitive data exposure. To reduce the risk of successful attacks, regular web server configuration audits are conducted. However, manual auditing is often tedious and error-prone, as it requires running commands to check configurations. To enhance this process, we introduce CASA, an automated audit tool designed for four widely used web servers: Nginx, Apache HTTP, Apache Tomcat, and Microsoft IIS. CASA evaluates configurations against industry-standard CIS benchmarks, identifies non-compliant settings, and generates HTML audit reports. Our analysis shows that CASA significantly enhances automation in security auditing. We validate its effectiveness by comparing results with manual audits and analysing default and publicly available configurations from GitHub. The findings indicate low compliance with security benchmarks, with less than half of configurations meeting recommended standards, exposing critical risks in unmodified deployments.
Keywords: automatic audit; web server audit; CIS benchmarks; audit tool; security analysis.
DOI: 10.1504/IJICS.2026.150538
International Journal of Information and Computer Security, 2026 Vol.29 No.1, pp.87-111
Received: 03 Mar 2025
Accepted: 24 Aug 2025
Published online: 16 Dec 2025