Business Client needs Web Development
Contact person: Business Client
Location: Delhi, India
Budget: Recommended by industry experts
Time to start: As soon as possible
Project description:
"We need an experienced web dev / security engineer to perform a full functional & security audit of [login to view URL] (production & admin), fix all critical/major bugs, make the site security-compliant against OWASP Top 10, ensure the admin panel is stable and secure, and deliver documentation, test reports, and a clear handover. The site currently shows a bot verification interstitial; candidate must propose how they'll handle scanning/testing (staging credentials, temporary whitelist, or working with website admin).
[login to view URL]
What you will deliver (minimum scope):
Phase 1 — Discovery & audit (deliverable: Audit Report)
Full functional audit (desktop + mobile): broken features, JS errors, API failures, login flows, forms, file uploads, payment flows (if any).
Security audit: OWASP Top 10 checks (XSS, SQLi, CSRF, auth/session issues, insecure direct object refs, broken access controls).
Dependency & supply-chain checks (outdated libs/plugins/third-party scripts).
Infrastructure review: TLS/SSL configuration, HSTS, CDN & caching, backup, hosting hardening, firewall/WAF.
Admin panel assessment: RBAC, password reset, session expiry, logging/auditing, backup/export, user management.
Performance & accessibility quick scan (Lighthouse summary).
Risk rating (P0/P1/P2) for each finding and recommended remediation steps + estimated effort.
Phase 2 — P0/P1 fixes (deliverable: Code + patch list + test evidence)
Fix all critical (P0) and major (P1) functional and security issues listed in the audit.
Regression testing and screenshots/video proof for fixed items.
Provide code commits (to a provided repo) or clear diff/patches with instructions.
Phase 3 — Security hardening & QA (deliverable: Final report + test suite)
Implement hardening: secure headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), secure cookie flags (HttpOnly, Secure, SameSite), CSRF tokens, input validation, prepared statements/ORM fixes, file upload validation, rate limiting/brute-force protection, account lockouts/MFA for admin.
Implement/advise WAF rules or recommend managed WAF/hosting changes.
Update dependencies and demonstrate fixed CVEs or provide compensating controls if upgrade is not feasible.
Provide automated scans (Snyk/Dependency-Check/OWASP ZAP or similar) and a penetration test summary.
Deliver a test plan & proof: functional tests, security scan reports, and 3rd-party pentest/scan evidence where possible.
Phase 4 — Handover & monitoring (deliverable: Handover doc + optional maintenance)
Full technical documentation (deployment steps, rollback, backup schedule).
Guides for admin users (how to manage users, rotate keys, apply updates).
Optional: setup basic uptime & error monitoring (e.g., Sentry/Prometheus or any recommended SaaS), and a one-month support SLA (optional, priced separately).
Requirements / Required skills:
Strong full-stack web experience (Node/Express, PHP/Laravel, Django, or the stack indicated in your proposal).
Proven security auditing experience and familiarity with OWASP Top 10 and common mitigations.
Experience fixing/administering admin dashboards, RBAC, authentication flows, session management.
Dependency & CI/CD familiarity (Git, GitHub/GitLab/Bitbucket); comfortable producing PRs/patches.
Experience with penetration testing tools (ZAP, Burp, Nessus, etc.) and dependency scanners (Snyk, npm audit, etc.).
Good English and clear documentation skills.
Able to start with a quick audit (deliver an initial P0 list) within your proposed timeframe after access is granted.
How to apply / required proposal content:
Short intro and 1–3 relevant case studies (links preferred).
Short plan: how you will approach the bot-verification issue for scanning (staging access vs whitelisting).
Rough fixed price for (A) Audit + P0 fixes and (B) Full remediation + hardening. If hourly, provide rate and estimated hours per phase.
Proposed milestone breakdown and acceptance criteria for each milestone.
Availability and earliest start (do not assume access).
Contactable references or GitHub profile with commit history.
Evaluation criteria / how I’ll pick:
Relevant security + web dev experience (strong weight).
Clear, pragmatic plan to run scans despite bot protection (staging or temporary whitelist).
Concrete deliverables, work samples, and reasonable cost.
Good communication & documentation approach.
Test / pre-qualification task (short):
Provide a 1-page sample “P0 findings” checklist for a site that shows a bot interstitial and a sample remediation you would do for a broken login flow and session handling. (This should be included in the proposal; short, actionable items only.)
Access & security:
I will provide staging credentials, admin access, and Git repo access to shortlisted candidates only. You must sign an NDA (I'll provide) before access. All actions must be performed in staging first; production changes require approval and a scheduled maintenance window.
Acceptance criteria (what "done" looks like):
All P0 items closed and P1 items either closed or have documented compensating controls & scheduled plan.
Admin panel is fully functional: login, password reset, RBAC working as per defined roles, activity logs present.
No high/critical vulnerabilities found in final scans; all medium/low issues documented with remediation timelines.
Deliverables: final audit report, secure-configuration checklist, code patches or PRs, test evidence, and documentation/handover.
Handover meeting and a 7-day support window to address regressions." (client-provided description)
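Added example (editor's illustration, not part of the client's listing and not code from any bidder): the Phase 3 hardening items above, written out in plain Node.js with no third-party packages, together with the audit-side check a Phase 1 scan would apply to the same headers. It covers the secure response headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, plus HSTS from the TLS item), the session cookie flags (HttpOnly, Secure, SameSite) and a fixed-window rate limiter for the admin login. The specific header values, the 5-attempts-per-15-minutes threshold and the 30-minute cookie lifetime are assumptions chosen for illustration, not requirements the client stated; the listing names Node/Express as one acceptable stack, which is why the example is in JavaScript.

```javascript
// Added example: Phase 3 hardening items from the listing in plain Node.js
// (no Express, no npm packages). Header values and limiter thresholds are
// assumptions for illustration, not the client's stated requirements.
'use strict';

// Baseline response headers: the four the listing names plus HSTS from its
// TLS/HSTS infrastructure item. Names are lower-case so the checks below
// stay case-insensitive, as HTTP header names are.
const REQUIRED_HEADERS = {
  'content-security-policy':
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
};

// Audit side (Phase 1 and the final scans): take the headers observed on a
// response and return a list of findings; an empty list means the baseline
// is met. The CSP check is deliberately coarse and only flags the two
// keywords that neutralise script-injection protection.
function auditSecurityHeaders(observed) {
  const seen = {};
  for (const [name, value] of Object.entries(observed)) {
    seen[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  for (const name of Object.keys(REQUIRED_HEADERS)) {
    if (!(name in seen)) findings.push(`missing ${name}`);
  }
  const xfo = seen['x-frame-options'];
  if (xfo && !/^(deny|sameorigin)$/i.test(xfo)) findings.push('weak x-frame-options');
  const csp = seen['content-security-policy'];
  if (csp && /unsafe-(inline|eval)/.test(csp)) findings.push('weak content-security-policy');
  const xcto = seen['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') findings.push('weak x-content-type-options');
  return findings;
}

// Remediation side: write the baseline onto any object with setHeader(),
// e.g. Node's http.ServerResponse. Returns the header names written.
function applyHardeningHeaders(res) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) res.setHeader(name, value);
  return Object.keys(REQUIRED_HEADERS);
}

// Session cookie with the flags the listing asks for (HttpOnly, Secure,
// SameSite). The session id must be generated server-side from a CSPRNG
// (e.g. crypto.randomBytes) and is passed in here. The value is restricted
// to a token-safe alphabet so it cannot smuggle extra attributes into the
// Set-Cookie line.
function buildSessionCookie(name, sessionId, maxAgeSeconds = 1800) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) throw new Error('session id is not token-safe');
  return `${name}=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Fixed-window rate limiter for the login endpoint (brute-force protection).
// Key on client IP, on the target username, or on both. allow() returns
// false once the attempt budget for the current window is spent; the
// window resets once windowMs has elapsed since the first attempt in it.
class LoginRateLimiter {
  constructor(maxAttempts = 5, windowMs = 15 * 60 * 1000) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.maxAttempts;
  }
}
```

Usage: in a request handler call applyHardeningHeaders(res) before writing the body, check limiter.allow(clientIp) on POST /login and answer 429 when it returns false, and send buildSessionCookie('sid', id) on successful authentication. Running auditSecurityHeaders over the headers a ZAP or curl pass records against staging gives the "missing"/"weak" lines that belong in the P0/P1 table.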
Matched companies (7)
Appeonix Creative Lab
SYNERGIC SOFTEK SOLUTIONS PVT LTD
HJP Media
Chirag Solutions
Omninos Technologies International pvt ltd
Appsdiary Technologies