Documentation
Audits
Intro
Audits are continuous crawlers that will monitor a website's tracking status based on built-in and custom requirements.
Creating an Audit
Start by switching to the Audits tab and selecting "Create Audit". Then enter the URL of the website for this Audit to check and click "Create Audit".
You will be able to change and add URLs later as well as configure more details about the Audit.
Columbo will now perform an initial check of your Audit by checking the URL you entered — the first page of this Audit.
How an Audit works
The Audit runs continuously unless paused. It will keep a list of URLs that it found on previously checked pages. It will pick a random set of URLs every hour to check. The number depends on the daily limit of the Audit. On each of those pages it will perform tests and look for new URLs. Through this continuous approach Columbo will quickly know about the entire website and constantly monitor a relevant, random part of that website.
Columbo Audits run basically constantly. This is achieved by scanning roughly 1/24th of the daily limit every hour of the day. For example, an Audit with a daily limit of 250 Pages will scan ten to eleven pages 24 times a day at an hourly interval. Each hourly set of scanned pages is called a "Sweep".
A number of reasons may cause the Audit to either not reach the daily limit of pages or stop completely:
- It is paused manually
- The account is suspended or locked, for example due to an invoicing issue
- The account runs out of scan volume for the current period. The Audit will suspend its work and resume once new scans are available.
- The website has too few pages. Columbo will not check any URL more than once per 24 hours. That means if there are fewer pages in the entire website than the daily limit Columbo will have no pages to check at times.
General Settings
Audits offer a lot of options for customization. They are explained in detail here.

Name
Use a unique name to identify the Audit. Remember, by default the name is used for sorting in the Audit list.
Website URLs
These URLs are used as the starting point for the Audit; you can provide one or several. The Audit will start by evaluating these pages and will follow all links from there to iteratively generate a list of all reachable pages.
You can switch to text mode for a more convenient way to enter many URLs.
Audits will only look for additional pages that have the same domain as at least one of the Website URLs.
Scan Limit
Columbo Audits run continuously by selecting a random sample of all known pages throughout the day. The Scan Limit determines how many pages are evaluated every day.

Auto-Enable new Tools and Accounts
This setting determines whether Columbo will activate Tools and Accounts it has not previously seen. When disabled, newly found Tools or Accounts are hidden from the Audit and have to be enabled manually in the next list.
Tools
This list shows all Tools and Accounts that have been found on at least one page. They can be enabled and disabled to control which Tools and Accounts are monitored by the Audit. Columbo will always monitor every Tool and Account that is found, but will hide those that are disabled here.
Built-In Tests
Columbo provides a number of Built-In Tests that are evaluated automatically. They cover a range of security, privacy and usability topics and are constantly added to.
- Content Security Policy: This Test evaluates whether the website uses a Content Security Policy by checking if either a content-security-policy HTTP header or an equivalent HTML meta tag exists.
- Do Not Track: This Test evaluates whether the website respects Do Not Track by accessing the first URL of this Audit with the DNT header set and checking whether no tracking requests of any type are found.
- IP Anonymization: This Test evaluates whether IP Anonymization is enabled on every page in every Google Analytics request.
- Duplicate Pageview: This Test evaluates whether no page has more than one page-view or event without non-interaction flag per Google Analytics property ID. This affects bounce rate and other data in Google Analytics.
- Website Redirects: This Test evaluates whether the website redirects to the homepage correctly. It will take the first URL of the Audit, either remove or add both https and www. and check whether the website correctly redirects back to the original URL. For example, given an Audit URL of https://www.peaksandpies.com, this Test will try to open http://peaksandpies.com and expect it to be redirected back to the initial URL.
- HTTP Strict Transport Policy: This Test evaluates whether the website uses the HSTS security measure by checking for the existence and correct syntax of the strict-transport-security HTTP header.
- HTTPS Everywhere: This Test evaluates whether all data is transferred via HTTPS, therefore ensuring a secure connection. This includes all assets loading on every single page. The test will fail if a single asset is loaded via insecure HTTP.
- Referrer Policy: This Test evaluates whether the website uses a Referrer Policy by checking if either a referrer-policy HTTP header or an equivalent HTML meta tag exists.
- Sensitive Data: This Test evaluates whether any website data contains possibly sensitive data, e.g. email addresses or first/last name.
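To reproduce the three header-based Tests locally, the following added example (not Columbo's own code) checks a response for a Content Security Policy, a syntactically valid HSTS header and a Referrer Policy. What counts as "correct syntax" for HSTS is an assumption here (RFC 6797 rules plus the preload token); the function names and the sample response are constructed.

```python
import re
from html.parser import HTMLParser

class MetaCollector(HTMLParser):
    """Collects non-empty <meta> content, keyed by http-equiv or name."""
    def __init__(self):
        super().__init__()
        self.metas = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        key = a.get("http-equiv") or a.get("name")
        if tag == "meta" and key and a.get("content", "").strip():
            self.metas[key.lower()] = a["content"].strip()

def policy_present(headers, html, header_name, meta_key):
    """True if the HTTP header is set or the equivalent meta tag exists."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(header_name, "").strip():
        return True
    collector = MetaCollector()
    collector.feed(html)
    return meta_key in collector.metas

def hsts_valid(value):
    """Assumed syntax rules (RFC 6797): max-age required, no duplicates."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return False  # a directive may appear only once
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return False
    # includeSubDomains and the widely used preload token take no value
    return all(seen.get(d, "") == "" for d in ("includesubdomains", "preload"))

def run_checks(headers, html):
    """Evaluate the three header-based checks for one response."""
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    return {
        "csp": policy_present(headers, html, "content-security-policy", "content-security-policy"),
        "hsts": hsts_valid(hsts),
        "referrer": policy_present(headers, html, "referrer-policy", "referrer"),
    }

# Constructed sample response, not taken from a real site.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_HTML = '<head><meta http-equiv="Content-Security-Policy" content="default-src https:"></head>'
```

On the sample, the CSP is found through the meta tag, HSTS passes, and the Referrer Policy check fails because neither the header nor a referrer meta tag is present.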

Devices
This list allows you to select the device or devices that are used in this Audit. This list includes both the three default devices for Desktop, Tablet and Mobile as well as all custom devices you have created.
When selecting multiple devices Columbo will pick a random device once every hour for each Sweep.
Cookies
You can configure the Cookies that will be set when Columbo opens the pages in the Audit. The domain is optional and if left empty Columbo will use the current page's domain as the cookie domain.
When the same Cookie is required in multiple Audits or Scenarios it is recommended to set them as Global Cookies.
Local Storage Items
Similar to Cookies you can also configure which Local Storage Items are set when Columbo opens the page. And like Cookies, Global Local Storage Items can be used to make items available to all Scenarios and Audits.
Pre-Scan Scenario
The selected Scenario will be run by Columbo before any page is scanned. Columbo will ignore any settings in the Scenario, including Cookies or Local Storage items. It will simply run the Scenario's steps in the browser before starting the page scans for the Audit.
This can be useful to bring the user/browser session to a certain state, for example log the user in to run the following Audit while logged in.
It is possible to build this Scenario without it starting with a Page step. In that case Columbo will use the first page from the Audit's current Sweep to run the Scenario on.
Authentication
In case the Website the Audit has to check is behind BasicAuth, you can enter the authentication details here.
Notice: This is not a way to use a Website's login feature! This only applies to BasicAuth authentication.
Tests

Columbo can be configured to run custom Tests on all or some of the pages that are evaluated in the Audit. Select "Add Test" to add a Test to this Audit. By default, a Test is evaluated on all Pages. Select "Add Condition" to configure a subset of pages to run the Test on.
The conditions to limit the pages where the Test is evaluated can be configured in two different ways:
- URL: Include Pages to be tested by defining all or parts of the URL
- Element Selector: Include Pages to be tested by defining a DOM element on the page via a CSS selector
URL Discovery
The way in which Columbo will discover, catalog, and maintain the pages in the Audit can be configured with a multitude of options.

Disable URL Discovery
When URL Discovery is disabled Columbo will only evaluate the page or pages that are configured in the Audit. Columbo will not look for other pages to add to the Audit.
URL Conditions
These conditions are used by Columbo to determine whether new URLs that are found on the evaluated pages are added to the Audit.

Include Subdomains
This setting controls if URLs that have a matching hostname but a different subdomain from the Audit's URLs are added to the Audit.
Keep URL Hash
This setting controls if the URL hash is kept or removed from the URLs.
Remove URL Query Parameters
This setting controls which query parameters are removed from the URLs before adding them to the Audit. By default, a number of common parameters are removed, mostly those used in the deprecated style of storing the session ID in the URL. This avoids Columbo including the same page multiple times due to different URL query parameters.
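The same-domain rule for Website URLs and the three URL Conditions above can be pictured as one normalization step applied to every discovered link. This is an added sketch, not Columbo's code: the parameter names in SESSION_PARAMS, the function name and the example.test URLs are assumptions, and subdomain matching is simplified to a suffix test on the audit host without a leading "www.".

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the page does not list Columbo's defaults.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid"}

def _base(host):
    """Audit host without a leading 'www.' (simplified domain match)."""
    return host[4:] if host.startswith("www.") else host

def _in_scope(host, audit_urls, include_subdomains):
    for audit_url in audit_urls:
        audit_host = (urlsplit(audit_url).hostname or "").lower()
        if not audit_host:
            continue
        if host == audit_host:
            return True
        base = _base(audit_host)
        # Match on a label boundary so "notexample.test" never passes
        # as a subdomain of "example.test".
        if include_subdomains and (host == base or host.endswith("." + base)):
            return True
    return False

def normalize_discovered(url, audit_urls, include_subdomains=False,
                         keep_hash=False, remove_params=SESSION_PARAMS):
    """Return the URL as it would be stored, or None if it is out of scope."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None
    if not _in_scope(host, audit_urls, include_subdomains):
        return None
    # Drop session-style parameters so one page is not stored many times.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in remove_params]
    fragment = parts.fragment if keep_hash else ""
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path,
                       urlencode(query), fragment))

# Constructed audit configuration using a reserved test domain.
AUDIT_URLS = ["https://www.example.test/"]
```

Stripping session identifiers before storage also keeps them out of the Audit's page list and any reports built from it.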

Remove Unseen URLs
This setting controls after how much time pages are removed from an Audit if the URL has not been seen on other pages.
Reset Pages
This setting controls after how much time the results of a page evaluation are reset since they should be considered outdated. Especially for websites with a lot of pages it can happen that pages are not re-evaluated for a long time. In that case resetting their results after some time ensures the Audit statistics are always based on recent results.
Options

Start / Pause
This will start or pause the entire Audit. Pausing it causes Columbo to scan no more pages and no notifications to be generated.
Edit
This will open the form to make changes to the Audit.
Duplicate
This allows you to create a copy of the current Audit.
Invite Guests
Guests are users that have only limited access within an account. You can grant users access to just this Audit by inviting them as guests.
Change history
This will show you a list of changes and actions that have been made to this Audit in the past.
Reset
This will completely reset the Audit and all results. All collected data will be removed and the Audit will start fresh.
Scan more pages
This will manually initiate a Sweep, which means about 1/24th of the daily limit will be scanned immediately.
Delete
This will permanently remove the Audit and all its results.