Validating caddy security after adding plugins

I am compiling a custom caddy with multiple plugins:

xcaddy build --with github.com/greenpau/caddy-security --with github.com/gamalan/caddy-tlsredis --with github.com/caddy-dns/cloudflare --with github.com/aksdb/caddy-cgi/v2

Is there any recommended security validation/fuzzing tool which I can use to ensure caddy’s overall security hasn’t degraded? As you can see, I plan to use caddy security to handle OAuth and, at the same time, to trigger CGI on an authenticated callback, but some of the plugins haven’t been touched in a year, so I want to make sure it’s reasonably patched up.

Simply including plugins doesn’t inherently impact security, unless an attacker has another exploit that allows them to manipulate your Caddy server’s config, which would let them enable those plugins and do whatever.

Plugins are only active if they’re configured, and if they’re invoked via the interfaces they provide an implementation for. See Module Namespaces — Caddy Documentation for the different integration points Caddy has for plugins.

If you’re worried about the security of a particular plugin, you’d probably want to read the code yourself to see what you can find, or hire a security auditing company to review it.

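The answer's point that a compiled-in plugin is inert until the config references it can be turned into a concrete check: adapt the Caddyfile to JSON (`caddy adapt`), list what the custom binary actually contains (`caddy list-modules`), and diff the two. The script below is an added example, not code from the Caddy project or from any of the plugins named above. The sample config and the module list are constructed, and the table mapping an enclosing key plus inline key (`handle`/`handler`, `storage`/`module`, `issuers`/`module`, `provider`/`name`) to a module namespace is my assumption about the namespaces shown; extend it for other namespaces you configure.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample of the JSON form of a Caddy config (what `caddy adapt`
# emits) that exercises a few of the plugins from the build. All values are
# placeholders, not a real deployment.
SAMPLE_CONFIG = json.loads("""
{
  "storage": {"module": "redis", "address": "redis.internal:6379"},
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {"match": [{"path": ["/cgi-bin/*"]}],
             "handle": [{"handler": "cgi", "exec": "/srv/cgi/callback.sh"}]},
            {"handle": [{"handler": "reverse_proxy",
                         "upstreams": [{"dial": "127.0.0.1:8080"}]}]}
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {"issuers": [{"module": "acme",
                        "challenges": {"dns": {"provider": {
                            "name": "cloudflare", "api_token": "PLACEHOLDER"}}}}]}
        ]
      }
    }
  }
}
""")

# Constructed excerpt of `caddy list-modules` output for a custom build: one
# module ID per line plus a summary line. The plugin module IDs are assumed
# from how each plugin is configured, not copied from the plugins' sources.
LIST_MODULES_TEXT = """
caddy.storage.redis
dns.providers.cloudflare
http
http.handlers.authenticator
http.handlers.authorizer
http.handlers.cgi
http.handlers.reverse_proxy
security
tls
tls.issuance.acme

  Non-standard modules: 6
"""

# (enclosing key, inline key) -> namespace. Assumption: these are the inline
# keys Caddy uses to name a module inside a JSON object for these namespaces.
NAMESPACE_RULES: Dict[Tuple[str, str], str] = {
    ("handle", "handler"): "http.handlers",
    ("storage", "module"): "caddy.storage",
    ("issuers", "module"): "tls.issuance",
    ("provider", "name"): "dns.providers",
}


def parse_list_modules(text: str) -> Set[str]:
    """Keep only lines that look like module IDs (no spaces, no summary colon)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and " " not in ln.strip()}


def find_module_refs(node, parent_key=None, path="$") -> List[Tuple[str, str]]:
    """Walk the JSON config and return (module_id, json_path) for every module
    the config references: app IDs under "apps" and inline-keyed modules."""
    refs: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        if parent_key == "apps":          # keys of the apps object are app IDs
            refs.extend((app_id, f"{path}.{app_id}") for app_id in node)
        for (pk, ik), ns in NAMESPACE_RULES.items():
            if pk == parent_key and isinstance(node.get(ik), str):
                refs.append((f"{ns}.{node[ik]}", path))
        for key, value in node.items():
            refs.extend(find_module_refs(value, key, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):   # list items keep the enclosing key
            refs.extend(find_module_refs(item, parent_key, f"{path}[{i}]"))
    return refs


def audit(config, built_in: Set[str]) -> Dict[str, List[str]]:
    """Compare what the config invokes against what the binary contains."""
    referenced = {mid for mid, _ in find_module_refs(config)}
    return {
        "referenced": sorted(referenced),           # reachable attack surface
        "unknown": sorted(referenced - built_in),   # config would fail to load
        "dormant": sorted(built_in - referenced),   # compiled in, never invoked
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, parse_list_modules(LIST_MODULES_TEXT))
    for section, ids in report.items():
        print(f"{section}: {', '.join(ids) or '(none)'}")
    for mid, where in find_module_refs(SAMPLE_CONFIG):
        print(f"  {mid:32} at {where}")
```

In practice, replace the two constructed inputs with `caddy adapt --config Caddyfile` and `caddy list-modules` output from the custom binary. The `referenced` set is the surface worth reviewing by hand; the `dormant` set is the code that is present but, as the answer says, not reachable until something changes the config.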

Thank you. I will check out the CGI plugin manually and see how far I can go.
