<![CDATA[The Final Project Information System (SITASI) website plays a critical role in supporting academic administrative processes at the Faculty of Science and Technology, UIN Sultan Syarif Kasim Riau. This study aims to evaluate the website’s security level following recent maintenance using penetration testing, conducted with the OWASP Zed Attack Proxy (ZAP) tool. The testing revealed eight vulnerabilities, including two classified as medium risk, four as low risk, and two informational. The medium-risk issues involved the absence of an Anti-CSRF token and the lack of a Content Security Policy (CSP), both of which could expose the system to attacks such as CSRF and XSS. The low-risk findings included loading JavaScript from third-party domains, information disclosure via X-Powered-By and Server headers, and the absence of HTTP Strict Transport Security (HSTS). The two informational findings involved suspicious comments in the code and improper Cache-Control settings. Remediation actions were implemented based on OWASP security best practices, including the integration of CSRF tokens, configuration of CSP and HSTS headers, and removal of sensitive information from server responses. A follow-up evaluation confirmed that all identified risks had been successfully mitigated. This study highlights that penetration testing combined with standard-based mitigation is effective in enhancing web application security resilience, particularly within academic environments.]]>
