Business Client needs Web Development
Contact person: Business Client
Location: Delhi, India
Budget: Recommended by industry experts
Time to start: As soon as possible
Project description:
"We need an experienced web dev / security engineer to perform a full functional & security audit of [login to view URL] (frontend, backend & admin), fix all major/minor bugs, make the site security-compliant against OWASP Top 10, ensure the admin panel is stable and secure, and deliver documentation, test reports, and a clear handover. The candidate must propose how they'll handle scanning/testing (staging credentials, temporary whitelist, or working with the website admin).
[login to view URL]
What you will deliver (minimum scope):
Phase 1 — Discovery & audit (deliverable: Audit Report)
Full functional audit (desktop + mobile): broken features, JS errors, API failures, login flows, form validations, file uploads, payment flows, code errors, coding best practices (website, admin, backend).
Security audit: OWASP Top 10 checks (XSS, SQLi, CSRF, auth/session issues, insecure direct object refs, broken access controls).
Dependency & supply-chain checks (outdated libs/plugins/third-party scripts).
Infrastructure review: TLS/SSL configuration, HSTS, CDN & caching, backup, hosting hardening, firewall/WAF.
Admin panel assessment: RBAC, password reset, session expiry, logging/auditing, backup/export, user management, broken features, errors if any
Performance & accessibility quick scan (Lighthouse summary).
Risk rating (P0/P1/P2) for each finding and recommended remediation steps + estimated time required.
Phase 2 — P0/P1 fixes (deliverable: Code + patch list + test evidence)
Fix all critical (P0) and major (P1) functional and security issues listed in the audit.
Regression testing and screenshots/video proof for fixed items.
Provide code commits (to a provided repo) or clear diff/patches with instructions.
Phase 3 — Security hardening & QA (deliverable: Final report + test suite)
Implement hardening: secure headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), secure cookie flags (HttpOnly, Secure, SameSite), CSRF tokens, input validation, prepared statements/ORM fixes, file upload validation, form validations, rate limiting/brute-force protection, account lockouts/MFA for admin, Cloudflare protections.
Implement/advise WAF rules or recommend managed WAF/hosting changes.
Update dependencies and demonstrate fixed CVEs or provide compensating controls if upgrade is not feasible.
Provide automated scans (Snyk/Dependency-Check/OWASP ZAP or similar) and a penetration test summary.
Deliver a test plan & proof: functional tests, security scan reports, and 3rd-party pentest/scan evidence where possible.
Phase 4 — Handover & monitoring (deliverable: Handover doc + optional maintenance)
Full technical documentation (deployment steps, rollback, backup schedule).
Guides for admin users (how to manage users, manage content on website, rotate keys, apply updates).
Optional: setup basic uptime & error monitoring (e.g., Sentry/Prometheus or any recommended SaaS), and a one-month support SLA (optional, priced separately).
Requirements / Required skills:
Strong full-stack web experience (HTML, PHP/Laravel, related stack or the stack indicated in your proposal).
Proven security auditing experience and familiarity with OWASP Top 10 and common mitigations.
Experience fixing/administering admin dashboards, RBAC, authentication flows, session management.
Dependency & CI/CD familiarity (Git, GitHub/GitLab/Bitbucket); comfortable producing PRs/patches.
Experience with penetration testing tools (ZAP, Burp, Nessus, etc.) and dependency scanners (Snyk, npm audit, etc.).
Good English and clear documentation skills.
Able to start with a quick audit (deliver an initial P0 list) within your proposed timeframe after access is granted.
How to apply / required proposal content:
Short intro and 1–3 relevant case studies (links preferred).
Short plan: how you will approach the whole work from start to finish with time required.
Rough fixed price for the whole = audit + P0 fixes + full remediation + hardening + data updates, if any.
Proposed milestone breakdown and acceptance criteria for each milestone.
Availability and earliest start (do not assume access).
Contactable references or GitHub profile with commit history.
Evaluation criteria / how I’ll pick:
Relevant security + web dev experience (strong weight).
Clear, pragmatic plan to run scans despite bot protection (staging or temporary whitelist).
Concrete deliverables, work samples, and reasonable cost.
Good communication & documentation approach.
Test / pre-qualification task (short):
Audit the website and find out real problems and vulnerabilities, security issues, etc.
Access & security:
I will provide staging credentials, admin access, and Git repo access to shortlisted candidates only. You must sign an NDA (I’ll provide) before access. All actions must be performed in staging first; production changes require approval and scheduled maintenance window.
Acceptance criteria (what “done” looks like)
All P0 and P1 items closed; P2 items documented.
Website fully functional: no broken links, vulnerabilities, data misplacement, or errors.
Admin panel is fully functional: login, password reset, RBAC working as per defined roles, activity logs present, all features in working condition.
No vulnerabilities found in final scans; all low issues documented with remediation timelines.
Deliverables: final audit report, secure-configuration checklist, code patches or PRs, test evidence, and documentation/handover.
Handover meeting and a 7-day support window to address regressions." (client-provided description)
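The secure-header and cookie-flag items in the Phase 3 scope above are the acceptance criteria that can be verified mechanically against a staging response. The following is an added example, not part of the posting and not the client's or any listed vendor's code: it audits a captured set of response headers offline and rates each gap with the posting's P0/P1/P2 scheme. The ratings, the 180-day HSTS threshold, the cookie-name heuristic, the version-disclosure check and the two sample responses are this example's own assumptions; the sample responses are constructed, not captured from any real site.

```python
import re

# Headers the Phase 3 scope requires, with a rating for their absence in the
# posting's P0/P1/P2 scheme. The ratings are this example's assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": "P1",
    "content-security-policy": "P1",
    "x-frame-options": "P2",
    "x-content-type-options": "P2",
    "referrer-policy": "P2",
}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed threshold: 180 days
# Heuristic for cookies that carry a session or credential (assumption).
SENSITIVE_COOKIE = re.compile(r"sess|auth|remember|token", re.IGNORECASE)
RANK = {"P0": 0, "P1": 1, "P2": 2}

# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}).
    Flag attributes such as HttpOnly map to True."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs, repeated Set-Cookie included.
    Returns [(rating, description)] sorted worst first; [] means clean."""
    present = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
        else:
            present[name.lower()] = value
    findings = []
    for header, rating in REQUIRED_HEADERS.items():
        if header not in present:
            findings.append((rating, f"missing header: {header}"))
    hsts = present.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if hsts and (not match or int(match.group(1)) < MIN_HSTS_MAX_AGE):
        findings.append(("P2", "HSTS max-age shorter than 180 days"))
    if present.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append(("P2", "X-Content-Type-Options is not nosniff"))
    for leaky in ("x-powered-by", "server"):
        if leaky in present and re.search(r"\d", present[leaky]):
            findings.append(("P2", f"version disclosure in {leaky}: {present[leaky]}"))
    for cname, attrs in cookies:
        if not SENSITIVE_COOKIE.search(cname):
            continue  # non-sensitive cookies are out of scope for the flag check
        if "httponly" not in attrs:
            findings.append(("P1", f"cookie {cname} lacks HttpOnly"))
        if "secure" not in attrs:
            findings.append(("P1", f"cookie {cname} lacks Secure"))
        samesite = attrs.get("samesite")
        if samesite is None or samesite is True or str(samesite).lower() == "none":
            findings.append(("P2", f"cookie {cname} lacks SameSite=Lax or Strict"))
    return sorted(findings, key=lambda f: RANK[f[0]])


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_headers(response))} finding(s)")
        for rating, text in audit_headers(response):
            print(f"  [{rating}] {text}")
```

Feed it the header list an HTTP client returns for the staging site (repeated Set-Cookie entries kept separate, not joined) and an empty result for every page, including the admin login and its authenticated pages, is evidence for the "secure-configuration checklist" deliverable. The cookie heuristic is deliberately name-based, so a session cookie with an unusual name should be added to the pattern before the check is trusted.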
Matched companies (6)
Breeze Website Designers
Mobiweb Global Solutions
JanakiBhuvi Tech Labs Private Limited
HJP Media
April Innovations