General · March 10, 2026 · 12 min read

Website Security Audit Checklist: 40 Checks You Can Run Today

A step-by-step security audit checklist covering TLS, headers, DNS, content, and more. Copy this list, work through it, and harden your site in an afternoon.

By SecScanner Team

Running a security audit on your website doesn't require a penetration tester or a six-figure budget. Most vulnerabilities come from misconfiguration, not sophisticated attacks. This checklist covers 40 checks you can run yourself — organized by category so you can work through them systematically.

How to Use This Checklist

Work through each section in order. For each item, check whether your site passes or fails. If it fails, follow the fix instructions. Most items take under 5 minutes to resolve. If you want to automate this entire process, run a free SecScanner audit that covers all 40+ checks instantly.

TLS / HTTPS (8 Checks)

  1. HTTPS enabled: Your site should load over https://. If it doesn't, get a free certificate from Let's Encrypt. This is non-negotiable in 2026.
  2. HTTP redirects to HTTPS: Visit http://yoursite.com — it should 301-redirect to https://. If it serves content over HTTP, users and search engines can access the insecure version.
  3. TLS 1.2+ only: Disable TLS 1.0 and 1.1; both have known weaknesses. To confirm they are off, run openssl s_client -connect yoursite.com:443 -tls1_1 (and again with -tls1): the handshake should fail, and a plain openssl s_client -connect yoursite.com:443 should report TLS 1.2 or 1.3 as the negotiated protocol.
  4. Certificate not expired: Check your certificate expiry date. Set up monitoring to alert you 30 days before expiration. Let's Encrypt certificates last 90 days — automate renewal.
  5. Certificate chain valid: Your server should send the full certificate chain (leaf + intermediate). Missing intermediates cause trust errors on some devices.
  6. No mixed content: Open DevTools console and look for mixed content warnings. Every resource (images, scripts, stylesheets, fonts) should load over HTTPS.
  7. HSTS header set: Add Strict-Transport-Security: max-age=31536000; includeSubDomains to force HTTPS for all future visits. This blocks SSL stripping on every visit after the first one (browsers only honour the header when it arrives over HTTPS), so keep the redirect from check 2 in place as well.
  8. Strong cipher suites: Disable weak ciphers (RC4, DES, 3DES). Modern configurations should prefer ECDHE key exchange and AES-GCM encryption.

HTTP Security Headers (10 Checks)

  1. Content-Security-Policy: Define which sources can load scripts, styles, images, and other resources. Start with report-only mode: Content-Security-Policy-Report-Only: default-src 'self'.
  2. X-Content-Type-Options: Set X-Content-Type-Options: nosniff to prevent browsers from MIME-sniffing responses away from the declared content type.
  3. X-Frame-Options: Set X-Frame-Options: DENY (or SAMEORIGIN) to prevent your site from being embedded in iframes — the primary defense against clickjacking. The CSP frame-ancestors directive is the modern equivalent and takes precedence when both are present, so keep the two consistent.
  4. Referrer-Policy: Set Referrer-Policy: strict-origin-when-cross-origin to control how much URL information is shared when users navigate away from your site.
  5. Permissions-Policy: Disable browser features you don't use: Permissions-Policy: camera=(), microphone=(), geolocation=(). This limits what malicious scripts can access.
  6. X-XSS-Protection: Set X-XSS-Protection: 0. The legacy XSS filter has been removed from modern browsers, and in the older browsers that still have it the filter can introduce vulnerabilities of its own. Turn it off explicitly.
  7. No Server header leaking: Remove or obscure the Server response header. Advertising "Apache/2.4.51" or "nginx/1.21.6" tells attackers exactly which exploits to try.
  8. No X-Powered-By header: Remove X-Powered-By. Frameworks like Express, PHP, and ASP.NET set this by default. It reveals your tech stack to attackers.
  9. CORS configured correctly: If you use CORS, ensure Access-Control-Allow-Origin is not set to * for authenticated endpoints, and never echo the request's Origin header back unchecked alongside Access-Control-Allow-Credentials: true. Restrict it to an explicit list of trusted domains.
  10. Cache-Control for sensitive pages: Set Cache-Control: no-store on pages containing user data to prevent them from being cached by shared proxies or browsers.
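The header checks above (and the HSTS check from the TLS section) can be applied to a saved response with a short script. This is an added example, not SecScanner's code; the response it audits is a constructed sample, and the findings it reports are this script's own wording.

```python
import re
# Constructed sample response (status line plus headers); not captured from a real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.21.6
X-Powered-By: Express
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Access-Control-Allow-Origin: *
Set-Cookie: sessionid=abc; Path=/
Content-Type: text/html
"""

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line (repeats keep the last value)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw):
    """Run the header checks from the list above; returns the failed checks."""
    h = parse_headers(raw)
    findings = []
    max_age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not max_age or int(max_age.group(1)) < 31536000:
        findings.append("HSTS missing or max-age shorter than one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    for required in ("referrer-policy", "permissions-policy"):
        if required not in h:
            findings.append(f"{required} header missing")
    if not any(k.startswith("content-security-policy") for k in h):
        findings.append("no Content-Security-Policy (enforced or report-only)")
    if h.get("x-xss-protection", "0") != "0":
        findings.append("X-XSS-Protection should be 0 (or absent)")
    if re.search(r"\d", h.get("server", "")):  # a version number is the giveaway
        findings.append(f"Server header reveals a version: {h['server']}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By reveals the stack: {h['x-powered-by']}")
    # A wildcard origin on a response that also sets a cookie points at an authenticated endpoint.
    if h.get("access-control-allow-origin") == "*" and "set-cookie" in h:
        findings.append("CORS wildcard origin on a response that sets cookies")
    if "set-cookie" in h and "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control: no-store missing on a response carrying user state")
    return findings
```

Feed it the output of curl -sI https://yoursite.com to audit a live response; the sample above fails nine of the checks.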

DNS and Email Security (8 Checks)

  1. SPF record: Add a TXT record like v=spf1 include:_spf.google.com -all to specify which servers can send email from your domain.
  2. DKIM signing: Configure DKIM to cryptographically sign outgoing emails. This proves emails actually came from your domain.
  3. DMARC policy: Add a DMARC record: v=DMARC1; p=reject; rua=mailto:dmarc@yoursite.com. This tells receiving servers to reject spoofed emails.
  4. DNSSEC enabled: Enable DNSSEC through your domain registrar. This prevents DNS spoofing and cache poisoning attacks.
  5. CAA records: Add CAA DNS records to specify which Certificate Authorities can issue certificates for your domain. This prevents unauthorized certificate issuance.
  6. No subdomain takeover risk: Audit all DNS CNAME records. If they point to decommissioned services (old Heroku apps, deleted S3 buckets), attackers can claim them.
  7. MTA-STS configured: Set up MTA-STS to enforce TLS encryption for incoming email. Without it, email can be silently downgraded to plaintext.
  8. security.txt file: Create /.well-known/security.txt with contact information for security researchers. This is an internet standard (RFC 9116).
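The SPF and DMARC checks (items 1 and 3) come down to reading two TXT records. The checker below is an added example, not SecScanner's code; the records it inspects are constructed from the examples in the list, and a real audit would feed in the output of dig +short TXT yoursite.com and dig +short TXT _dmarc.yoursite.com.

```python
# Constructed TXT records for the checklist's example domain; nothing is looked up over the network.
SPF_GOOD = "v=spf1 include:_spf.google.com -all"
SPF_SOFT = "v=spf1 include:_spf.google.com ~all"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@yoursite.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"

def check_spf(record):
    """Return the problems with an SPF record; an empty list means it passes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    last = terms[-1].lower()  # the terminal 'all' mechanism decides what happens to unlisted senders
    if last in ("+all", "all"):
        return ["'+all' authorises every server on the internet to send as your domain"]
    if last in ("~all", "?all"):
        return [f"'{last}' only softfails or ignores spoofed mail; end the record with -all"]
    if last != "-all":
        return ["no terminal 'all' mechanism; unlisted senders are not rejected"]
    return []

def check_dmarc(record):
    """Return the problems with a DMARC record; an empty list means it passes."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: must begin with v=DMARC1"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag; the policy is what receivers enforce")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        problems.append("p=quarantine; move to p=reject once reports show no false positives")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua= address, so you receive no aggregate reports")
    return problems
```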

Content Security (8 Checks)

  1. No vulnerable JavaScript libraries: Check your JS dependencies against known vulnerability databases (Snyk, npm audit). Outdated jQuery, Lodash, or Bootstrap versions are common culprits.
  2. No exposed admin panels: Test common admin paths (/admin, /wp-admin, /phpmyadmin). If they're accessible, restrict them by IP or add additional authentication.
  3. No sensitive files exposed: Check for /.env, /.git/config, /wp-config.php, /backup.sql. These files should never be publicly accessible.
  4. No open redirects: Test URL parameters like ?redirect=https://evil.com. If your site redirects to arbitrary URLs, attackers can use it for phishing.
  5. No directory listing: Navigate to directories on your server. If you see a file listing instead of a 403/404, disable directory indexes in your web server config (remove Options +Indexes, or set Options -Indexes, in Apache).
  6. CSRF protection: Verify that state-changing forms include CSRF tokens. Modern frameworks handle this automatically, but custom forms may not.
  7. Subresource Integrity: Add integrity attributes to <script> and <link> tags loading from CDNs. This ensures the files haven't been tampered with.
  8. No information leakage in errors: Trigger errors on your site and check the response. Stack traces, database details, or file paths should never be exposed to users.
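Fixing the open-redirect item (check 4) means validating the redirect parameter server-side rather than blocklisting hosts. The validator below is an added example, not SecScanner's code; SITE_ORIGIN is an assumed origin, and the function refuses protocol-relative URLs, backslash variants and userinfo tricks as well as plain off-site URLs.

```python
from urllib.parse import urljoin, urlparse

SITE_ORIGIN = "https://yoursite.com"  # assumed: the origin the application must stay on

def is_safe_redirect(target, origin=SITE_ORIGIN):
    """True only if `target` lands on our own origin; everything else is refused."""
    if not target or "\r" in target or "\n" in target:  # CRLF would let a value inject headers
        return False
    target = target.replace("\\", "/")  # browsers treat backslashes as slashes
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # Absolute or protocol-relative (//host) URL: resolve it and compare scheme and host.
        resolved = urlparse(urljoin(origin, target))
        own = urlparse(origin)
        return (resolved.scheme.lower(), resolved.netloc.lower()) == (own.scheme, own.netloc)
    # A bare path: require a single leading slash (// would become protocol-relative).
    return target.startswith("/") and not target.startswith("//")

def redirect_location(target, fallback="/"):
    """The Location value to actually send: the validated target or a safe fallback."""
    return target if is_safe_redirect(target) else fallback
```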

Cookie Security (3 Checks)

  1. Secure flag: All cookies should have the Secure flag so they're only sent over HTTPS connections.
  2. HttpOnly flag: Session cookies should have HttpOnly to prevent JavaScript from reading them — the primary defense against session theft via XSS.
  3. SameSite attribute: Set SameSite=Lax (or Strict) on cookies to prevent them from being sent on cross-site requests, mitigating CSRF attacks.
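The three cookie checks can be applied to the Set-Cookie values a response returns. This is an added example, not SecScanner's code; the cookies are constructed, and the rule that names containing "sess", "auth" or "token" are session cookies is an assumption you can override with the is_session argument.

```python
# Constructed Set-Cookie values (not from a real site), one per cookie.
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
    "auth_token=xyz; Path=/; Secure; SameSite=None",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute-lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs

def audit_cookie(header, is_session=None):
    """Apply the three cookie checks above; is_session falls back to a name heuristic."""
    name, attrs = parse_set_cookie(header)
    if is_session is None:  # assumption: these substrings mark a cookie that carries a login
        is_session = any(s in name.lower() for s in ("sess", "auth", "token"))
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: no Secure flag, so it is also sent over plain HTTP")
    if is_session and "httponly" not in attrs:
        problems.append(f"{name}: session cookie without HttpOnly is readable by script")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        problems.append(f"{name}: SameSite=None is sent on cross-site requests")
        if "secure" not in attrs:
            problems.append(f"{name}: SameSite=None is rejected by browsers without Secure")
    elif samesite not in ("lax", "strict"):
        problems.append(f"{name}: no SameSite attribute; set Lax (or Strict)")
    return problems

def audit_cookies(headers):
    """Audit every Set-Cookie value and return {cookie name: [problems]}."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}
```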

Quick Wins vs. Deep Fixes

Not all items on this list are equal. Here's how to prioritize:

Fix immediately (5 minutes each):

  • Enable HTTPS and redirect HTTP
  • Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers
  • Remove Server and X-Powered-By headers
  • Set cookie security flags

Fix this week (30 minutes each):

  • Configure SPF, DKIM, DMARC for email
  • Set up HSTS with a long max-age
  • Audit and update vulnerable JS libraries
  • Add CSP in report-only mode

Fix this month (requires planning):

  • Enable DNSSEC
  • Audit all subdomains for takeover risk
  • Implement SRI for all CDN resources
  • Configure MTA-STS

Automate Your Security Audits

Running through 40 checks manually takes hours. SecScanner automates all of these checks in seconds — enter your URL and get a complete security report with specific fix instructions for every issue found. The free tier covers 24 checks; the paid tier covers all 58.

Security is not a one-time task. Run this checklist (or an automated scan) every time you deploy major changes, add new services, or update your infrastructure. The threats evolve — your defenses should too.
