# PayLeaf Payments Security Assessment

Prepared by: Nishan Singh
Date: May 2026
Assessment type: Student learning assessment

## Executive Summary

This report documents a beginner-level, non-invasive web security assessment workflow for PayLeaf Payments. The focus was public-facing configuration review, HTTP security headers, TLS posture, and clear remediation notes.

The assessment is part of my cybersecurity learning portfolio and is written to show practical growth, documentation discipline, and responsible scope boundaries.

## Scope

- Public website review only
- HTTP response headers
- TLS and HTTPS behavior
- Browser-visible configuration
- No exploitation, authentication bypass, social engineering, or intrusive testing

## Methodology

1. Confirmed public-facing scope.
2. Reviewed visible HTTP security headers.
3. Checked TLS and HTTPS configuration signals.
4. Documented observations and grouped risks.
5. Wrote practical recommendations for hardening.

## Findings Overview

- Security header hardening opportunities
- TLS posture should be reviewed on a recurring schedule
- Public technology clues should be minimized where possible
- Assessment evidence should be kept repeatable

## Risk Ratings

- Configuration Exposure: Medium
- Transport Security: Low
- Operational Maturity: Informational

## Recommendations

- Implement a standard header baseline including CSP, HSTS, X-Content-Type-Options, and Referrer-Policy.
- Schedule recurring SSL/TLS reviews.
- Maintain a lightweight release security checklist.
- Keep evidence, timestamps, and tool output organized for repeatable assessments.
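As an added example (Python written for this write-up, not part of the original assessment or its tooling), the following checks a captured HTTP response against the header baseline recommended above and flags the public technology clues noted in the findings; the one-year HSTS threshold, the accepted Referrer-Policy values and both sample responses are assumptions.

```python
# Added example (not from the original report): check a captured HTTP response
# against the recommended header baseline; thresholds and samples are assumptions.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_headers(raw: bytes) -> dict:
    # Parse a raw HTTP/1.1 response head into {lowercase name: value}.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> int:
    # Return the max-age directive of an HSTS value, or 0 if absent or malformed.
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0

def check_baseline(headers: dict) -> list:
    # Return (header, problem) pairs; an empty list means the baseline is met.
    findings = []
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("content-security-policy", "missing"))
    elif "default-src" not in csp:
        findings.append(("content-security-policy", "no default-src fallback"))
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("strict-transport-security", "missing"))
    elif hsts_max_age(hsts) < 31536000:          # one year, assumed minimum
        findings.append(("strict-transport-security", "max-age below one year"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "missing or not 'nosniff'"))
    if headers.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append(("referrer-policy", "missing or permissive"))
    if headers.get("server"):                    # technology clue the report says to minimize
        findings.append(("server", "discloses technology: " + headers["server"]))
    return findings

# Constructed samples: a weakly configured response and the corrected baseline.
WEAK = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.2\r\nStrict-Transport-Security: "
        b"max-age=300\r\nX-Content-Type-Options: nosniff\r\n\r\n<html>")
HARDENED = (b"HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"X-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n\r\n")
```

Running `check_baseline(parse_headers(WEAK))` lists the missing CSP, the short HSTS max-age, the absent Referrer-Policy and the Server disclosure, while the hardened response returns no findings.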

## Lessons Learned

- Scope clarity matters as much as tool output.
- Low-impact checks can still produce useful hardening recommendations.
- Findings should be understandable by technical and non-technical readers.
- Responsible documentation builds credibility over time.

## Tools Used

- Nikto
- Security headers review
- Browser DevTools
- SSL/TLS review tools
